Solved: Backdoor.Graybird trojan

[murtazaKara]

Hi,

I use XP SP2 with Norton 2004. Norton found this trojan, but couldn't get rid of it. Then following some of the posts here, I did a Panda Online scan, which disinfected another trojan called "downloader.coy", but couldn't find the graybird. Then used DrWeb-cureit, same result. Then used AVG Anti-spyware, which supposedly got rid of it. But then I did another Norton scan, and graybird is still here! I need expert help!

Here is my newest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:14 AM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\WinEdt Team\WinEdt\WinEdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://player.radyotvonline.com/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks everyone!

 

[khazars]

Download AVG Anti-Spyware

http://www.ewido.net/en/


* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition
files.
* On the main screen select the icon "Update" then select the "Update now"
link.
* Next select the "Start Update" button, the update will start and a
progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the
screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select
"Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that
later in safe mode.






* Click here to download ATF Cleaner by Atribune and save it to your
desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html


* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://player.radyotvonline.com/ampx_en_dl.cab





Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning
as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on
"Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little
time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all
actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen
and save it to a text file on your system (make sure to remember where you
saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.


Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav,

http://www.spywareinfo.dk/download/mwav.exe


double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on
mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.



Highlight the portion of the scan that lists infected items and hold
CTRL + C to Copy then paste it here. The whole log with be extremely
big so there is no way to copy the whole thing. I just need the
infected items list.



Post a new hijack this, the Mwav scan log and the AVg antispware log!

 

[murtazaKara]

Thanks for your help, khazars. Here are the logs.

NEW Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:38:02 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--------------------------------------------------------------------------------------------------------

Mwav log:

File C:\Documents and Settings\burcu\Favorites\Afete Hazirlik Egitim Programi.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\burcu\Favorites\MP3Lerim.Com Sorunsuz Bedava MP3 Yükle MP3 Indir Türkçe Mp3 Türk Mp3 Video Klip Türkçe Müzik Music Download Mp3ler Mp3 Yabanci.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\Application Data\Microsoft\Office\Recent\KURALLAR VE EKSTRA ISTEKLER 2007.LNK infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\Favorites\portakal agaci pastalar arsivleri.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\Favorites\Türkiye'de Merkez Bankaciligi.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\04 Asiklar Parki.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\06 Hizli Yasarken.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\07 Hep Yalniz.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\09 Kiz Bebek.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\10 Sokarim Politikana.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\01 ariza oyun havasi.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\05 agir hasta.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\09 islak kanatlar.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\11 yavastan gel.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\1A46579C.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\219A6806.wm infected by "Exploit.Win32.IMG-WMF" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\28707333.class infected by "Trojan-Downloader.Java.OpenStream.w" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\287A7128.class infected by "Trojan-Downloader.Java.OpenStream.t" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\28FA569C.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\28FD0099.class infected by "Trojan.Java.ClassLoader.Dummy.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\29035492.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\29214E71.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\37C42B60.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\486D75CA.zip infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\520A011C.class infected by "Trojan.Java.ClassLoader.ak" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5EDB6581 infected by "Trojan-Downloader.Win32.INService.bl" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\6CBF70D0.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7CBB27AB.class infected by "Trojan-Downloader.Java.OpenStream.w" Virus. Action Taken: File Deleted.
------------------------------------------------------------------------------------------------------


AVG antispyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:31:10 AM 7/2/2007

+ Scan result:



C:\Documents and Settings\murat\DoctorWeb\Quarantine\cpbrkpie.ocx -> Adware.Coupons : No action taken.
C:\Documents and Settings\murat\Application Data\Sun\Java\Deployment\cache\6.0\22\42815ed6-632303dd/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : No action taken.
:mozilla.51:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.14:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.16:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.17:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.18:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.19:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.121:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Clickagents : No action taken.
:mozilla.50:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Cnn : No action taken.
:mozilla.178:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.15:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.20:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.334:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.335:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.336:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.339:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Estat : No action taken.
:mozilla.250:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.62:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.63:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.94:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
:mozilla.95:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
:mozilla.765:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.766:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.767:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.770:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.54:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.873:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.82:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.83:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.84:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.85:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.52:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.53:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.103:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.308:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.309:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.310:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.311:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.312:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.313:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.715:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.716:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.229:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.7:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.255:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
:mozilla.73:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.10:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.9:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.124:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end

 

[khazars]

you need to run avg again, make sure to read the instructions properly in setting up AVg as it should clean/or quarantine what it finds!


Also run these scnas when your finished with Avg .


post another log, the avg and the super logs!

 

[murtazaKara]

Well, I was sure that I followed the instructions, but I guess I saved that report before AVG deleted those items. Here is the new AVG scan and it shows that the system is clean:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:47:33 PM 7/4/2007

+ Scan result:



Nothing found.


::Report end
---------------------------------------------------------------------

So I didn't bother doing other scans one more time. Is there anything I should be doing now, khazars? I will do one more Norton scan, that has been the only one catching the graybird so far.

Thanks again...

 

[murtazaKara]

Actually, here is the newest Hijackthis log, just in case:


Logfile of HijackThis v1.99.1
Scan saved at 1:26:05 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

[khazars]

go here and empty out this folder!


C:\Program Files\Norton AntiVirus\Quarantine\



Go here and downlaod the latest version of java, once
downloaded, go to add/remove and uninstall all previous versions of java
from add/remove and then instlall the latest version you just downloaded!


http://java.com/en/download/manual.jsp


you don't appear to have a firewall, even if you have a router you still
need
a software frewall, downlaod the one from the link below!



Comodo firewall. Sign up it's free!

http://www.personalfirewall.trustix.com/


Threads on comodo!

http://www.wilderssecurity.com/forumdisplay.php?f=31




go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for neglible risk
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.




Download Superantispyware (SAS):

http://www.superantispyware.com/supe....html?rid=3132


Once downloaded and installed update the defintions
and then run a full system scan quarantine what it finds!


* Double-click SUPERAntiSypware.exe and use the default settings for
installation.
* An icon will be created on your desktop. Double-click that icon to launch
the program.
* If asked to update the program definitions, click "Yes". If not, update
the definitions before scanning by selecting "Check for Updates". (If you
encounter any problems while downloading the updates, manually download and
unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all
others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your
computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your
computer.
* After the scan is complete, a Scan Summary box will appear with
potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware
again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.


All tools can be downloaded at the link below and found on that page!

. SUPERAntiSpyware
. SpyBot search and destroy
. AdAware SE personal



http://www.majorgeeks.com/downloads31.html


post another log annd the super log!

 

[murtazaKara]

Hello again khazars,

I did all of the things you said. As a result SuperAntiSpyware couldn't find a thing on the computer. But I also did a Norton scan in the end, and our beloved friend Backdoor.Graybird is still here! I am pissed off and one step away from reformatting the drive, please help me get rid of this thing...

Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/04/2007 at 06:27 PM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 01:05:53

Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 5884
Registry threats detected : 0
File items scanned : 40544
File threats detected : 0



------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:11:57 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\WinEdt Team\WinEdt\WinEdt.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

[khazars]

where does norton say the file is, post it's name and the full location?

 

[murtazaKara]

Well it always catches it at a different location, one before the last was at Temp folder, I emptied it using ATF. I don't remember the last one though. Does Norton keep a log of these scans?

 

[khazars]

yes open up Norton and navigate to the quarantine folder!

It could be a false posiitve and if it's in the temp folder it cna be easily emptied!

 

[khazars]

Fix this with hijack this!

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


How old is your version of Norton?

Norton is a reosurce hog and is not that very good, there are many good free versions available!

 

[khazars]

Ok, I see Norton is 2004, you should uninstlal Norton and downlaod Anti vir, instlal and update Anti vir and do a full system scan with it and post it's log here!




Norton uninstallation guidelines!


Because of the problems encountered by many posters to this and many
other forums I have decided to write a thread on how to remove Norton
anti virus!


This guideline can also be used for the removal of McAfee or any other
anti virus program!


open Norton anti virus, click about, and obtain the version of Norton
anti virus you have, should be a year like 2002 etc!


You will need this to determine what version you have if you need to
use the Norton uninstallers!



Please download these uninstallers for whatever version of Norton
below and have them ready if needed!


Download them to somewhere you can find them like your desktop!




Uninstall Norton Anti virus. USe Norton's knowledge base.


This link below for Norton 2003-2007


http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039



This link below is for Norton 2000-2002

http://service1.symantec.com/SUPPORT/nsw.nsf/docid/2001101612274407




Before uninstalling Norton do these instructions first!



go to start/run/type msconfig/click ok/tick the radial dial selective
startup/click the startup tab/ uncheck any boxes to do with Symantec,
Norton and live update!

then click ok and then exit!



Also do this and disable any running Norton/Symantec services!



Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Winlogon Notify: Automatic LiveUpdate Scheduler
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.


Note: You may get an error here when trying to access the properties of
the service. If you do get an error, just select the service and look
there in the top left of the main service window and click "Stop" to
stop the service. If that gives an error or it is already stopped, just
skip this step and proceed with the rest.



Then disable all of these services by repeating the above!



These are optional, there maybe others not mentioned here, disable
whatever Norton/Symantec you find!


Note: you will alos do this if uninstalling McAfee or any other anti
virus!


Automatic LiveUpdate Scheduler
Symantec Event Manager (ccEvtMgr) Symantec Settings Manager (ccSetMgr)
Symantec Lic NetConnect service (CLTNetCnService) IS Password Validation
(ISPwdSvc) LiveUpdate
Norton UnErase Protection (NProtectService) -
Speed Disk service - Symantec Corporation -
Symantec AppCore Service (SymAppCore)



Then go to add/remove in control panel and click to remove Norton!


If this fails, then run the uninstaller for the version you have!

 

[murtazaKara]

I finally tracked down the virus by scanning folder by folder and deleted that file myself (didn't let Norton do it). The norton scan after that came out clean. But nevertheless, I know that Norton isn't very effective, I am using Avast on my desktop for example. So I'll get rid of it.

But one question: You say "install antivirus instead of Norton" but don't mention which one. Is it AVG?

Thanks for your help again...

 

[khazars]

Anti-vir

http://www.free-av.com/




You should now turn off system restore to flush out the bad restore points
and
then re-enable it and make a new clean restore point.


How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




Here's some free tools to keep you from getting infected in the future.


To stop reinfection get spywareblaster from


http://www.javacoolsoftware.com/downloads.html


get the hosts file from here.Unzip it to a folder!



http://www.mvps.org/winhelp2002/hosts.htm


put it into : or click the mvps bat and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

when you visit innocent-looking sites that aren't actually innocent at all.


http://www.spywarewarrior.com/uiuc/resource.htm


BoClean. Anti trojan and much more, Free from Comodo!

http://www.comodo.com/boclean/boclean.html


Spyware Terminator

http://www.spywareterminator.com/dnl/landing.aspx


In spyware terminator, click real time protection and tick the box to use
real time protection and tick all the boxes except file exceptions shield.
If your confident in using its advanced feature, click advanced and tick
the HIPS box.

If you want to install and uninstall programs it is best to
temporarily disable Spyware terminator and then re-enable it after you
have installed or uninstalled a program as it will create a lot of pop ups
asking you do you wish this to happen!

Right click spyware terminator on the bottom right of your status bar and
choose exit.Then tick the box and that is spyware terminator disabled!




Use spybot's immunize button and use spywareblaster' enable
protection once you update it. you can put spybot's hosts file into
your own and lock it.



I would also suggest switching to Mozilla's firefox browser, it's safer, has
a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is
also a good
e-mail client.

http://www.mozilla.org/


Another good and free browser is Opera!

http://www.opera.com/


Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html


A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm



you can mark your own thread solved through thread tools at the top of
the page.