Solved: Help please: Adware.Virtumonde and PrivacyRemover.M64 malware

redsfan2008 (Thread Starter, joined Sep 18, 2008, 10 messages)

Hello,

A few days ago, my background image got changed to a fake one containing a warning about Adware.Virtumonde and PrivacyRemover.M64. Also, I got a fake popup asking me to install something like "Windows XP Anti-Virus 2008" (I did not, of course).

I ran Norton Internet Security 2008 virus and security scans, but they found nothing. I ran Ad-Aware SE Personal, and it detected spyware. I clicked "fix" and after a reboot ran Ad-Aware again, and it did not report any issues. Also, the background image is gone, and the fake popup is gone.

However, if I try to access anti-malware sites such as Trend Micro, etc., I cannot: the browser returns an error page. Also, if I search for anything in Google, when I click the links provided, they redirect me to other commercial sites instead, using the go.google redirect. This happens with both Explorer and Firefox.

I have a Dell Dimension 2400 running Windows XP Home SP3, also running Norton Internet Security 2008.

I ran HijackThis and have attached the logfile.

Can you help?
Thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07:44, on 15/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\camtool\VideoMonitor\CamTool.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: camtool.lnk = C:\Program Files\camtool\VideoMonitor\CamTool.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: KCrypto for Applets - https://www.ros.ie/applets/kcrypto.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120253110609
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.tagged.com/online/online2/bejeweled2/popcaploader_v6.cab
O21 - SSODL: System - {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 12815 bytes
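A small triage script for HijackThis-style logs like the one above, added here as an illustration (it is not part of the original thread and not a HijackThis feature). It parses the running-process list and the O2/O4/O21 entries and flags three patterns a helper looks for in this log: a core Windows binary name loaded from somewhere other than its normal directory (the svchost.exe under system32\drivers), a BHO with no backing file, and a ShellServiceObjectDelayLoad DLL outside the usual system set. The allow-lists and the embedded sample lines are constructed for the example and are deliberately short, not complete.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed allow-list: where these well-known Windows binaries normally live.
# Not exhaustive; extend for your own baseline.
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed allow-list of shell service objects Windows XP registers itself.
KNOWN_SSODL_DLLS = {"stobject.dll", "webcheck.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+$")  # lines under "Running processes:"


def first_image_path(cmd: str) -> str:
    """Extract the executable path from an autorun command line.

    Handles quoted paths with spaces ("C:\\Program Files\\x.exe" -flag) and
    unquoted paths followed by arguments (C:\\dir\\x.exe /h).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|lnk))(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def check_image(path: str) -> Optional[str]:
    """Return a reason when a core Windows binary name sits in the wrong directory."""
    directory, base = ntpath.split(path)
    base = base.lower()
    expected = EXPECTED_DIRS.get(base)
    if expected is None:
        return None
    if directory.lower().rstrip("\\") != expected:
        return f"{base} loaded from {directory!r}, expected {expected!r}"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # A CLSID registered as a BHO whose DLL is gone is a leftover worth removing.
            if m.group("path").strip().lower() == "(no file)":
                findings.append((line, f"orphaned BHO {{{m.group('clsid')}}} with no backing file"))
            continue
        m = O21_RE.match(line)
        if m:
            # SSODL DLLs load into Explorer at logon; anything unknown here is notable.
            base = ntpath.basename(m.group("path")).lower()
            if base not in KNOWN_SSODL_DLLS:
                findings.append((line, f"ShellServiceObjectDelayLoad loads unrecognised DLL {base}"))
            continue
        m = O4_RE.match(line)
        if m:
            reason = check_image(first_image_path(m.group("cmd")))
            if reason:
                findings.append((line, "autorun " + reason))
            continue
        if PROC_RE.match(line):
            reason = check_image(line)
            if reason:
                findings.append((line, "running process " + reason))
    return findings


# Constructed sample: a handful of lines in the shape of the log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O21 - SSODL: System - {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```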
 
km2357 (joined Aug 9, 2007, 686 messages)
Hello and welcome to Tech Support Guy.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
 
km2357 (joined Aug 9, 2007, 686 messages)
Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.



Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

Uninstall List
C:\ComboFix.txt
New HijackThis log.


Use multiple posts if you can't fit everything into one post.
 

redsfan2008 (Thread Starter, joined Sep 18, 2008, 10 messages)
Hello km2357,

Thank you for your prompt reply - appreciated!

I followed your instructions. I have attached the following:

1. Uninstall List
2. C:\ComboFix.txt
3. New HijackThis log

I was prompted to download a new version of ComboFix, so I clicked yes, hope this was ok?

redsfan2008

=====================================
1. Uninstall List
=====================================

3D Home Designer Deluxe Edition
Ad-Aware SE Personal
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 7.1.0
Adobe Shockwave Player
AppCore
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 4
Barbie(tm) as Island Princess 1 Screen Saver
Barbie(tm) as Island Princess 2 Screen Saver
BCWipe 3.0
Bonus
Broadcom Management Programs
Camtasia Studio 4
camtool
CC_ccProxyExt
ccCommon
ccCommon
ccPxyCore
CheckIt Diagnostics
CIB
Clifford Thinking Adventures
Component Framework
Conexant SmartHSFi V92 56K DF PCI Modem
Connection Keep Alive
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Digital Line Detect
Directory Snoop 5.02 (Trial Version)
DisneyLand15 Screen Saver
Disney's Winnie the Pooh Toddler
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVDSentry
Easy CD Creator 5 Basic
FinePixViewer Ver.4.2
FLV Player 2.0, build 24
FUJIFILM DS SERIAL TWAIN
FUJIFILM EZtouch Ver.3.3
FUJIFILM PICTURE SHUTTLE Ver.3.3
FUJIFILM USB Driver
Google Earth
Google Talk (remove only)
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Heretic II
HijackThis 2.0.2
Hollywood FX 5.5 Additional Effects
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Image Grabber 3.0.1
ImageMixer VCD2 for FinePix
Intel(R) Extreme Graphics Driver
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Kremlin
Kubex Software 3D Home Designer
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
MasterSplitter Program
Maxtor Backup
Maxtor Encryption
Maxtor OneTouch III
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MicroStaff WINASPI
Modem Helper
Mozilla Firefox (2.0.0.16)
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MyDsc2
MyDVD
Neat Image v5 Demo
NetWaiting
Norton Add-on Pack (Symantec Corporation)
Norton AntiSpam
Norton AntiVirus
Norton AntiVirus Help
Norton AntiVirus Help
Norton Cleanup
Norton Confidential Core
Norton GoBack 4.1
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Norton Protection Center
Norton SystemWorks
Norton SystemWorks 2006 Basic Edition
Norton SystemWorks 2006 Basic Edition (Symantec Corporation)
Norton Utilities
NSW_DRM_COLLECTION
Operation Pridelands
Paint Shop Pro 7
Parental Control
Persistent_Wheels_Music ScreenSaver
Picasa 2
Pinnacle Hollywood FX for Studio
PowerDVD
proDAD Heroglyph 1.0
proDAD Heroglyph 2.0
Quake III Team Arena
Quake 3 Arena Demo
Quake 4(TM) Demo
Quake II
Quake III Arena
QuickTime
RAW FILE CONVERTER LE
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Silver Crest Memory Adapter 2.93
Skype™ Beta 0.96
SmartSound Quicktracks Plugin
SPBBC 32bit
Spectra
Studio 9
Studio 9 Content CD/DVD
Team Arena Demo
TextBridge Classic 2.0
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
USB PC Cam Zoom
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! ¤u¨ã¦C
Yahoo! Browser Services
Yahoo! Browser Services
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Search Protection


=====================================
2. C:\ComboFix.txt
=====================================

ComboFix 08-09-19.04 - Quake2 2008-09-19 22:59:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.422 [GMT 1:00]
Running from: C:\Documents and Settings\Quake2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Quake2\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
ADS - system32: deleted 99885 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Theresa\Cookies\[email protected][1].txt
C:\Documents and Settings\Theresa\Cookies\[email protected][2].txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system.exe
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssservers.dat
.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.
2008-09-15 23:06 . 2008-09-15 23:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-15 02:50 . 2008-09-15 02:50 <DIR> d-------- C:\Documents and Settings\Quake2\Application Data\Lavasoft
2008-09-01 22:04 . 2008-09-01 22:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-01 22:04 . 2008-09-01 22:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-01 22:04 . 2008-09-01 22:04 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-26 00:26 . 2008-04-14 01:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-08-26 00:26 . 2008-04-14 01:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-26 00:24 . 2008-04-14 01:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-26 00:24 . 2008-04-14 01:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6.dll
2008-08-26 00:24 . 2008-04-14 01:12 412,160 --------- C:\WINDOWS\SYSTEM32\photometadatahandler.dll
2008-08-26 00:24 . 2008-04-14 01:12 193,024 --------- C:\WINDOWS\SYSTEM32\napmontr.dll
2008-08-26 00:24 . 2008-04-14 01:12 176,640 --------- C:\WINDOWS\SYSTEM32\napstat.exe
2008-08-26 00:24 . 2008-04-14 01:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-26 00:24 . 2008-04-14 01:12 144,384 --------- C:\WINDOWS\SYSTEM32\onex.dll
2008-08-26 00:24 . 2008-04-13 18:27 79,872 --------- C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-08-26 00:24 . 2008-04-13 18:27 79,872 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-08-26 00:24 . 2008-04-13 19:14 76,800 --------- C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-08-26 00:24 . 2008-04-14 01:12 30,208 --------- C:\WINDOWS\SYSTEM32\napipsec.dll
2008-08-26 00:22 . 2008-04-14 01:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-25 22:41 . 2008-05-01 15:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-25 22:40 . 2008-04-11 20:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 21:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-19 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-16 22:24 --------- d-----w C:\Documents and Settings\Quake\Application Data\Symantec
2008-09-03 20:28 --------- d-----w C:\Program Files\MSN Messenger
2008-07-30 16:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-21 22:01 --------- d-----w C:\Program Files\Valve
2008-07-20 21:13 --------- d-----w C:\Program Files\id Software
2008-07-20 21:10 --------- d-----w C:\Program Files\Free Christmas Tree 3D Screensaver
2008-07-20 21:09 --------- d-----w C:\Program Files\Night Before Christmas 3D Screensaver
2008-07-20 21:07 --------- d-----w C:\Program Files\Java
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-28 19:50 22,328 ----a-w C:\Documents and Settings\Quake2\Application Data\PnkBstrK.sys
2008-06-28 19:50 103,736 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-06-28 19:49 66,872 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2008-06-24 17:12 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 09:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2002-07-26 16:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2006-03-26 06:50 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-17 68856]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 126976]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
"BCWipeTM Startup"="C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [2004-05-05 294912]
"SCM"="c:\program files\silver crest memory adapter tools2.93\scma.exe" [2004-08-20 426089]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1998-07-07 37376]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 51048]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 406016]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2004-04-06 61440]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2004-04-23 192512]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-01-14 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 224248]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-03 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
camtool.lnk - C:\Program Files\camtool\VideoMonitor\CamTool.exe [2006-10-19 94208]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-10-26 24576]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-01 111376]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-11-14 861872]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-01 51984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"= {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll [2004-06-30 0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"MSVideo"= CSvidcap.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"C:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"C:\\Q3Ademo\\quake3.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 EPPSCSIx;EPPSCSIx;C:\WINDOWS\system32\drivers\EPPSCSI.SYS [1999-03-17 47148]
R1 prcmondrv;prcmondrv;C:\WINDOWS\system32\drivers\prcmondrv1041.sys [2006-11-22 18432]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 149864]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 USTOR;Silver Crest Memory Adapter;C:\WINDOWS\system32\DRIVERS\UStork.sys [2004-08-17 20218]
S3 gAGP440p;gAGP440p;C:\DOCUME~1\Quake\LOCALS~1\Temp\gAGP440p.sys [ ]
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys [2002-09-11 83456]
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-09-01 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Quake.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 02:19]
2008-09-19 C:\WINDOWS\Tasks\User_Feed_Synchronization-{FAF27F77-9F80-4682-BE21-89BC94D91C8E}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Quake2\Application Data\Mozilla\Firefox\Profiles\ac5g0js1.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 23:04:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
Completion time: 2008-09-19 23:08:52
ComboFix-quarantined-files.txt 2008-09-19 22:07:48
Pre-Run: 22,471,032,832 bytes free
Post-Run: 25,354,948,608 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
211 --- E O F --- 2008-09-10 01:03:08


========================================================
 

redsfan2008

Thread Starter
Joined
Sep 18, 2008
Messages
10
=====================================
3. New HijackThis log
=====================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:15:34, on 19/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\camtool\VideoMonitor\CamTool.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: camtool.lnk = C:\Program Files\camtool\VideoMonitor\CamTool.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: KCrypto for Applets - https://www.ros.ie/applets/kcrypto.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120253110609
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O21 - SSODL: System - {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 11900 bytes

=======================================================
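The ComboFix excerpt and the HijackThis log above are what a helper reads by eye: Security Center notification and monitoring switched off under `HKLM\software\microsoft\security center`, an O21/SSODL entry named "System" pointing at a `system32.dll` that ComboFix lists with a size of 0 bytes, and a BHO whose file is gone. The Python below is an added example, not part of this thread and not code from HijackThis or ComboFix: it applies those same checks as rules over constructed log lines modelled on the posted logs. The `HKCU\..\Run` entry launching from a Temp directory is invented to exercise that rule (nothing like it appears in the thread), and the list of default XP SSODL names is a conventional baseline I supply, not something the thread states.

```python
"""Rule-based triage of HijackThis lines and a ComboFix registry excerpt.

Added example for this thread; not part of the original posts, HijackThis
or ComboFix. The sample text is constructed after the logs posted above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis format. The HKCU Temp-path line is invented
# purely to exercise the temp-directory rule.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Tim\Local Settings\Temp\svchost.exe
O21 - SSODL: System - {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

# Constructed excerpt in ComboFix's registry-dump style, mirroring the thread's log.
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"= {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll [2004-06-30 0]
"""

# Stock Windows XP ShellServiceObjectDelayLoad names (baseline assumed here).
# SSODL DLLs are loaded into explorer.exe at logon, which is why an extra
# entry, especially one named after the directory it sits in, ranks high.
KNOWN_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}

HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
TEMP_DIR = re.compile(r"\\(Local Settings\\Temp|Temp|Application Data)\\", re.I)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.+)$')
SIZE_TAG = re.compile(r"\[\d{4}-\d{2}-\d{2} (?P<size>\d+)\]$")


def triage_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, line) for each HijackThis line that trips a rule.

    Severity is a review order, not a verdict: legitimate software trips some
    of these rules, which is why helpers ask for the whole log, not one line.
    """
    findings: List[Tuple[str, str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        target = body.rsplit(" - ", 1)[-1].strip().strip('"')
        if target == "(no file)":
            findings.append(("low", "orphaned entry, target file missing", line))
        elif code == "O21":
            name = body.split(" - ")[0].split(": ", 1)[-1]
            if name.lower() not in KNOWN_SSODL:
                findings.append(("high", "non-default SSODL entry loaded into explorer.exe", line))
        elif code == "O4" and TEMP_DIR.search(body):
            findings.append(("high", "autostart from a temp or profile data directory", line))
    return findings


def security_center_flags(dump: str) -> Dict[str, int]:
    """Security Center DWORD values set to 1 (alerts or monitoring turned off).

    Both the user and a security suite can set these, so they are context for
    the rest of the log rather than proof of infection on their own.
    """
    flags: Dict[str, int] = {}
    key = ""
    for raw in dump.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_LINE.match(line)
        if not v or "security center" not in key.lower():
            continue
        data = v.group("data")
        if data.lower().startswith("dword:"):
            flags[f"{key}\\{v.group('name')}"] = int(data[6:], 16)
    return {name: val for name, val in flags.items() if val == 1}


def zero_size_entries(dump: str) -> List[str]:
    """Names of autostart values whose file ComboFix lists with a size of 0 bytes."""
    hits: List[str] = []
    for raw in dump.splitlines():
        v = VALUE_LINE.match(raw.strip())
        s = SIZE_TAG.search(raw)
        if v and s and int(s.group("size")) == 0:
            hits.append(v.group("name"))
    return hits


if __name__ == "__main__":
    for sev, why, line in triage_hjt(SAMPLE_HJT):
        print(f"[{sev:4}] {why}\n        {line}")
    for name, val in security_center_flags(SAMPLE_COMBOFIX_REG).items():
        print(f"[info] {name} = {val}")
    print("zero-byte autostart files:", zero_size_entries(SAMPLE_COMBOFIX_REG))
```

Run against a real log, the output is a reading order for a human, not a cleaning list: the orphaned BHO is harmless leftover, while the SSODL entry and anything starting from Temp are the lines to investigate first.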
 
Joined
Aug 9, 2007
Messages
686
I was prompted to download a new version of ComboFix, so I clicked yes, hope this was ok?
That's fine. :)


Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 2 Remove old versions of Java

While you have the latest version of Java installed, older Java versions have vulnerabilities and need to be removed.

Go to Start-Settings-Control Panel, click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

J2SE Runtime Environment 5.0 Update 9

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

Java(TM) SE Runtime Environment 6 Update 1

Java(TM) 6 Update 2

Java(TM) 6 Update 3

Java(TM) 6 Update 5


Reboot your Computer.


Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log
 

redsfan2008

Thread Starter
Joined
Sep 18, 2008
Messages
10
Hello again. I followed your instructions. Attached are the following:

1. Malwarebytes Log
2. New HijackThis log

Thanks again for all your help!

Redsfan2008


Malwarebytes' Anti-Malware 1.28
Database version: 1182
Windows 5.1.2600 Service Pack 3
20/09/2008 22:33:53
mbam-log-2008-09-20 (22-33-53).txt
Scan type: Quick Scan
Objects scanned: 61093
Time elapsed: 16 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 79
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\mso213.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\image-happy_bunny_cowgirl.jpg (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\b8bb_appcompat.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\scanresults.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\SND532unin.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\amex.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\applejacks4.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\apprentice.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\arizonajeans2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\avp.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\badtzmaru.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\billionaire.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\buildabear3.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\butterfinger.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\campbells2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\caprisun.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\chrysler.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\cleanandclear.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\cleanandclear2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\cobalt.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\colgate.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\cottonelle2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\crazygood.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\dakota.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\dat.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\dentyne.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\digordis.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\dreamworks.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\everyoneshero.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\fifamatchcast.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\garnier.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\gatoradefierce.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\gmc2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\h2g2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\harrypotter3.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\holidaygame.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\hondafit.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\hoobastank.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\incredibles.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\invigor8.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\irobot.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\kingArthur.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\kleenex.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\kraft2004.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\kyocera.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\loreal.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\mazing.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\navy.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\nba.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\neopets.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\newlyweds.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\nike.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\nokia.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\oldnavy.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\openseason.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\ortho.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\oxy.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\pd2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\pepsiringtones.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\personals2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\polarexpress.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\ptchocolate.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\re2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\saturn.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\scarymovie3.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\shockwave.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\sims2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\skycaptain.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\spongebob.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\summer.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\suspectzero.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\teamamerica.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\troy.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\walmart.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\winterfresh2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\wotw.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\wrigley5.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Desktop\NEWsquad_1024.jpg (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:36:33, on 20/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\camtool\VideoMonitor\CamTool.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: camtool.lnk = C:\Program Files\camtool\VideoMonitor\CamTool.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: KCrypto for Applets - https://www.ros.ie/applets/kcrypto.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120253110609
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.nationalirishbank.ie/html/activex/e-Safekey/NIB/e-Safekey.cab
O21 - SSODL: System - {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 12046 bytes
 
Joined
Aug 9, 2007
Messages
686
Step # 1: Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 2.3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php



Step # 2: Remove HijackThis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Step # 3: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh HijackThis Log
3. How is your computer doing, any problems?
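
Added example, not code from this thread or from HijackThis, Kaspersky or any other tool named in it: a small Python triage script for the two log formats the steps above ask for. For Step 2 it parses HijackThis 2.0.2 entry lines and echoes, in HijackThis's own format, the entries that match two explainable checks: O2/O3/O9 registrations whose DLL is missing ("(no file)", the class of entry Step 2 removes) and O4 autoruns launched from a Temp directory. For Step 3 it parses Kaspersky Online Scanner 7 report lines and aggregates them by verdict and threat name, counting separately any hit whose path lies inside another product's Quarantine folder, on the assumption (standard practice when reading a second-opinion scan, not something this thread states) that objects already held in a quarantine are contained rather than active. The samples are constructed: the HijackThis and Kaspersky lines are copied from the logs posted in this thread, except the [updater] autorun line, which is invented to exercise the Temp check and is not in the posted log.

```python
"""Triage for the two log formats the steps above ask for (added example)."""
import re
from collections import Counter

# Constructed sample: five lines copied from the HijackThis log above plus one
# invented [updater] autorun (not in the posted log) to exercise the Temp check.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Tim\Local Settings\Temp\upd.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<rest>.+)$")
# First Windows path in an entry, cut at the module's extension so the
# unquoted paths with spaces that HijackThis writes are kept whole.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|sys)\b", re.IGNORECASE)
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def parse_hjt(text):
    """Return [(section, rest, path_or_None)] for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:                      # process list, header, 'End of file'
            continue
        path = WIN_PATH.search(m["rest"])
        entries.append((m["section"], m["rest"], path.group(0) if path else None))
    return entries


def triage_hjt(text):
    """Flag entries, echoed in HijackThis format so they can be ticked for Fix Checked:
    O2/O3/O9 registrations whose DLL is gone ('(no file)') and O4 autoruns
    whose command lives under a Temp directory."""
    flagged = []
    for section, rest, path in parse_hjt(text):
        line = f"{section} - {rest}"
        if section in ("O2", "O3", "O9") and rest.endswith("(no file)"):
            flagged.append(("dangling registration", line))
        elif section == "O4" and path and any(t in path.lower() for t in TEMP_DIRS):
            flagged.append(("autorun from Temp", line))
    return flagged


# Constructed sample: header lines plus six detection lines copied from the
# Kaspersky Online Scanner 7 report posted further down in this thread.
KAV_SAMPLE = r"""
Scan statistics:
Files scanned: 115723
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00AB2613.tmp Infected: Backdoor.Win32.SubSeven.22 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01E96938.wmf Infected: Exploit.Win32.IMG-WMF.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0DD83E8C.jar Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0DD83E8C.jar Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\170B0DD8.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\758E2949.exe Infected: Trojan-Downloader.Win32.Tibs.ir 1
"""

KAV_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def parse_kav(text):
    """Return [(path, verdict, threat, count)] per detection line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            found.append((m["path"], m["verdict"], m["threat"], int(m["count"])))
    return found


def summarize_kav(text):
    """Aggregate by verdict and threat, and split hits that sit inside another
    product's Quarantine folder (treated as already contained, see lead-in)
    from paths that would still need clean-up."""
    hits = parse_kav(text)
    by_threat = Counter()
    for _, _, threat, count in hits:
        by_threat[threat] += count
    live = [p for p, *_ in hits if "\\quarantine\\" not in p.lower()]
    return {
        "lines": len(hits),
        "threats_total": sum(by_threat.values()),
        "by_verdict": Counter(v for _, v, _, _ in hits),
        "by_threat": by_threat,
        "in_quarantine": len(hits) - len(live),
        "live": live,
    }


if __name__ == "__main__":
    for reason, line in triage_hjt(HJT_SAMPLE):
        print(f"[{reason}] {line}")
    s = summarize_kav(KAV_SAMPLE)
    print(f"{s['lines']} detection lines, {s['threats_total']} objects, "
          f"{s['in_quarantine']} inside an AV quarantine folder, {len(s['live'])} live")
```

Feed a saved HijackThis log or Kaspersky report to the two parsers instead of the embedded samples to run it on a real case. The two HijackThis checks are deliberately narrow: a full log needs a reader who knows the software on the machine, and a script that tries to judge every O4 or O23 entry by path alone produces false positives on legitimate vendors like the Symantec and Maxtor entries in the log above.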
 

redsfan2008

Thread Starter
Joined
Sep 18, 2008
Messages
10
Hello again,

I updated Adobe as requested. Then I ran HijackThis and removed the entry requested. I downloaded Kaspersky, and started the scan. It took 13 minutes to hit 2% (8,200 files) so I will run this Monday evening, overnight, and post the logs.

Overall, the machine is running well, no sign of the original symptoms.
I did have some problems this evening connecting to my broadband connection, but that might be something else.....

redsfan2008
 

redsfan2008

Thread Starter
Joined
Sep 18, 2008
Messages
10
Hello again,

I ran Kaspersky tonight, also HijackThis, logs attached.

PC appears to be running fine so far.

Thanks
redsfan2008


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 22, 2008 19:45:04
Records in database: 1250911
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
Scan statistics:
Files scanned: 115723
Threat name: 24
Infected objects: 157
Suspicious objects: 19
Duration of the scan: 02:08:02

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00AB2613.tmp Infected: Backdoor.Win32.SubSeven.22 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01E96938.wmf Infected: Exploit.Win32.IMG-WMF.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\034A5092.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\052C3DD6.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\072158CD.exe Infected: Backdoor.Win32.HacDef.dx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07426F1D.wmf Infected: Exploit.Win32.IMG-WMF.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0933391C.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\09982679.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D237882.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0DD83E8C.jar Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0DD83E8C.jar Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0E4A2983.exe Infected: Backdoor.Win32.Brabot.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0E614F69.tmp Infected: Exploit.VBS.Phel.i 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F991FCC.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1062233B.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10A33840.js Infected: Trojan-Downloader.JS.Small.ag 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\115C52A2.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\117B2832.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\118908C0.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11CD259C.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12DB3848.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13F30D03.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13F636FF.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13FD0AF8.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\152C4BAA.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15EF0B41.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\16BC5067.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\16FD17F6.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\170B0DD8.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\171F09C2.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17255DBB.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\172907B7.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17DD7F12.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17E0290F.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17E0290F.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17E3530B.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\19F93C73.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1AF55D5E.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B085949.htm Suspicious: Exploit.VBS.Phel 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1BD05A6D.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1BD95863.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CBD14B8.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CCB3CAA.jar Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CCB3CAA.jar Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D353731.htm Infected: Trojan-Clicker.JS.Linker.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D3F3526.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D590509.jar Infected: Virus.Win32.Bube.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D590509.jar Infected: Trojan.Java.Femad 4
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EDE2F19.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EE031CE.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FB41C5F.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\204C124A.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2182055F.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26126EFD.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26DA4495.htm Suspicious: Exploit.VBS.Phel 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27C9580D.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\281E1BB0.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\292E3677.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\29623B3C.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\29797C24.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\298A4E12.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\29A173F9.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DF55B27.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E2226F5.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E32572B.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\30042559.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\300C7AC8.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\302C3B9B.htm Infected: Trojan-Clicker.JS.Linker.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\303C7D94.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\306A5957.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\310A62A7.jar Infected: Virus.Win32.Bube.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\310A62A7.jar Infected: Trojan.Java.Femad 4
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\311E4B1F.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\313B5871.htm Infected: Virus.Win32.Bube.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36124F78.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\364D3F87.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\364D3F87.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36516D34.jar Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36516D34.jar Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36F161D6.wmf Infected: Exploit.Win32.IMG-WMF.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A171C54.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A211A49.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A2E1B43.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A346F3B.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\40B511F0.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\427D305B.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42805A57.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\460E7869.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\46140627.htm Suspicious: Exploit.VBS.Phel 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\47191102.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48684EC5.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48684EC5.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48D3384F.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48D3384F.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A7B7BFA.exe Infected: Backdoor.Win32.HacDef.dx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AF41BD5.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D010082.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D017DE4.htm Suspicious: Exploit.VBS.Phel 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4FD17CE2.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4FD750DB.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4FDB7AD7.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51407BA2.htm Infected: Trojan-Dropper.VBS.Inor.cz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\515B666C.wmf Infected: Exploit.Win32.IMG-WMF.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\541E6279.htm Infected: Trojan-Dropper.VBS.Inor.cz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56120773.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57837A9E.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5792374E.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57A95D35.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57B60527.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\58CB0B8A.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\59D77E63.htm Infected: Trojan-Clicker.JS.Linker.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\59ED244A.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A224410.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A5339DA.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5ABE2364.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B934C7A.jar Infected: Virus.Win32.Bube.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B934C7A.jar Infected: Trojan.Java.Femad 4
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5BB37056.htm Infected: Virus.Win32.Bube.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D4A2E37.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DDF51F3.htm Infected: Trojan-Clicker.JS.Linker.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E543972.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E95012A.htm Infected: Virus.Win32.Bube.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EC676F4.jar Infected: Virus.Win32.Bube.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EC676F4.jar Infected: Trojan.Java.Femad 4
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\682064F6.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68592039.wmf Infected: Exploit.Win32.IMG-WMF.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A2C055B.htm Infected: Exploit.VBS.Phel.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6DCB195E.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\702E6979.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7318573C.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75025E98.wmf Infected: Exploit.Win32.IMG-WMF.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75296057.tmp Infected: Backdoor.Win32.Optix.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75346336.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\753E612B.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75453524.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\758E2949.exe Infected: Trojan-Downloader.Win32.Tibs.ir 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\75A02B44.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78DF22E0.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78F41B16.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78FB6F0F.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79056D04.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\795802A2.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\799B6000.htm Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A326B5A.jar Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A326B5A.jar Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7CE66022.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D3779C8.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D6155DC.htm Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E2E5D09.htm Infected: Trojan-Downloader.JS.Small.bq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E7020E5.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7EBB6692.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FA4231D.gif Infected: Exploit.HTML.Mht 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FA4231D.htm Infected: Trojan-Downloader.JS.Weis.b 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\svchost.exe.vir Infected: Trojan-Downloader.Win32.Small.adfx 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdsslog.dll.vir Infected: Backdoor.Win32.Agent.rfv 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdssmain.dll.vir Infected: Backdoor.Win32.Agent.rfw 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0004399.DLL Infected: not-a-virus:Downloader.Win32.PopCap.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000003.exe Infected: Trojan-Downloader.Win32.Small.adfx 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000006.dll Infected: Backdoor.Win32.Agent.rfw 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000007.dll Infected: Backdoor.Win32.Agent.rfv 1
The selected area was scanned.
 

redsfan2008

Thread Starter
Joined
Sep 18, 2008
Messages
10
Latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:48, on 22/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\silver crest memory adapter tools2.93\scma.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Quake2\Local Settings\Temp\jkos-Quake2\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [SCM] c:\program files\silver crest memory adapter tools2.93\scma.exe sys_auto_run C:\Program Files\Silver Crest Memory Adapter Tools2.93
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: camtool.lnk = C:\Program Files\camtool\VideoMonitor\CamTool.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: KCrypto for Applets - https://www.ros.ie/applets/kcrypto.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120253110609
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.nationalirishbank.ie/html/activex/e-Safekey/NIB/e-Safekey.cab
O21 - SSODL: System - {323C3B3A-F0F8-48D4-A6DD-E1FF4C71175E} - C:\WINDOWS\system32\system32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 11940 bytes
 
Joined
Aug 9, 2007
Messages
686
Kaspersky found some infected System Restore points. They are harmless where they are. I'll show you how to remove them and set a new, clean one in the next few posts. Kaspersky also found some files in the Qoobox folder. That folder is where ComboFix keeps its quarantined files. I'll show you how to remove that folder and ComboFix shortly.


Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.


Using Windows Explorer, delete the contents of the following folder, do not delete the folder itself:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

Let me know if you have any problems.
 

redsfan2008

Thread Starter
Joined
Sep 18, 2008
Messages
10
Hello,

I did as you requested and deleted the Norton AntiVirus\Quarantine contents.

Regards,
redsfan2008
 
Joined
Aug 9, 2007
Messages
686
Then if there are no more problems, then you are good to go. :)

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK

Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure. This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it asks you if you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently. It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok..
  • Use an alternative instant messenger program: Trillian and Miranda IM. These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!


Please reply one last time so that I know you have read my post.
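The hosts file the post above recommends is a blocklist, but the same file is also what a hijack edits to keep a machine away from anti-malware sites, which is the symptom this thread opened with. As an added example (not from the thread, the helper, or the MVPS project), here is a small Python audit that parses a hosts file, counts blocking entries and flags watch-listed domains that are mapped to a non-local address; the sample hosts text and the watchlist are constructed for the demo.

```python
"""Audit a Windows-style hosts file: count blocking entries (what the MVPS
hosts file adds) and flag watch-listed domains mapped to a non-local address
(what a hijack adds). Added example, not code from the thread."""
import ipaddress

# Addresses that mean "block" or "stay local"; anything else is a real redirect.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample. Lines 1-2 mimic the Windows default, lines 3-4 are
# MVPS-style blocking entries, lines 5-6 are constructed hijack entries of the
# kind that would explain "cannot reach anti-malware sites".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example-adserver.invalid
0.0.0.0 tracker.example-tracker.invalid   # MVPS style
203.0.113.10 www.trendmicro.com
203.0.113.10 www.google.com
"""

# Assumed watchlist: domains a defender expects to resolve normally.
WATCHLIST = {"trendmicro.com", "symantec.com", "microsoft.com", "google.com"}


def parse_hosts(text):
    """Return (line_number, address, hostname) for every usable mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed line; the resolver ignores it as well
        for host in parts[1:]:
            entries.append((lineno, str(addr), host.lower()))
    return entries


def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def classify(entries):
    """Split mappings into blocking entries and suspected hijack entries."""
    blocking, hijacked = [], []
    for lineno, addr, host in entries:
        if host == "localhost":
            continue
        if addr in LOCAL_ADDRS:
            blocking.append(host)
        elif on_watchlist(host):
            hijacked.append((lineno, host, addr))
    return blocking, hijacked


def audit(text):
    blocking, hijacked = classify(parse_hosts(text))
    return {"blocking": len(blocking), "hijacked": hijacked}


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(f"{report['blocking']} blocking entries")
    for lineno, host, addr in report["hijacked"]:
        print(f"line {lineno}: {host} -> {addr}  (non-local, possible hijack)")
```

A legitimate local override of a watch-listed domain would also be flagged, so treat a hit as something to review rather than delete blindly.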
 

redsfan2008

Thread Starter
Joined
Sep 18, 2008
Messages
10
Hello again. Well, everything seems to be working ok now. I am working through the advice and suggested changes you sent me in your last post.

Thanks again for your excellent support and timely responses - appreciated!

redsfan2008
 