1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

trojan waverenue help!

Discussion in 'Virus & Other Malware Removal' started by littletikes3, Jul 1, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    iam so annoyed iam in need of help my spysweeper program finds a trogran-downloader-waverenue and virtumonde it will quanitine them but not remove! they keep popping up everytime i run the scan it will display nuissnace pop-ups like plypoker.com/casino poker/empirepoker.com/bestdietforyou.com can you please help in this matter asap!
    thank you
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Click here to download HJTsetup.exe:

    http://www.thespykiller.co.uk/index.php?action=tpmod;dl=item5

    Scroll down to the download section where the download button is

    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    Logfile of HijackThis v1.99.1
    Scan saved at 4:08:06 PM, on 7/1/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\svhost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\retadpu77.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] "c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while its running. That may cause it to stall

    ==================

    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  5. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    heres the hijack logfile
    Logfile of HijackThis v1.99.1
    Scan saved at 7:44:39 PM, on 7/1/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] "c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    heres the combo logfile
    ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    "Owner" - 2007-07-01 17:43:06 - Service Pack 1 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\cfhkj.bak1
    C:\WINDOWS\system32\cfhkj.bak2
    C:\WINDOWS\system32\cfhkj.ini
    C:\WINDOWS\system32\cfhkj.bak1
    C:\WINDOWS\system32\cfhkj.bak2
    C:\WINDOWS\system32\cfhkj.ini
    C:\WINDOWS\system32\jkhfc.dll
    C:\WINDOWS\system32\qomlmml.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode
    C:\Program Files\Common Files\{34CED~1
    C:\Program Files\Common Files\{64CED~1
    C:\Program Files\Common Files\download
    C:\Program Files\Common Files\Uninstall Information
    C:\Program Files\Common Files\WinAntiSpyware 2007
    C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
    C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
    C:\Program Files\cowabanga
    C:\Program Files\dobe~1
    C:\Program Files\pedevice
    C:\Program Files\pedevice\communication.xml
    C:\Program Files\pedevice\Domain.Watchlist.txt
    C:\Program Files\pedevice\pae-options.xml
    C:\Program Files\pedevice\search.watchlist.txt
    C:\Program Files\pedevice\statistic.xml
    C:\Program Files\pedevice\tmp\tmp.html
    C:\Program Files\pedevice\watchlist.xml
    C:\Temp\0b9
    C:\Temp\0b9\tmpTF.log
    C:\Temp\tn3
    C:\WINDOWS\retadpu77.exe
    C:\WINDOWS\svhost.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


    2007-07-01 17:30 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-07-01 09:18 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-07-01 09:05 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-01 09:05 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-01 09:05 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-01 09:05 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-01 09:05 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2007-07-01 09:05 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2007-06-29 15:22 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
    2007-06-29 15:21 79,872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys
    2007-06-29 15:17 <DIR> d-------- C:\WINDOWS\system32\o09PrEz
    2007-06-29 15:17 <DIR> d-------- C:\Program Files\svhost
    2007-06-29 15:16 <DIR> d-------- C:\Program Files\poolsv
    2007-06-24 08:52 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2007-06-24 08:51 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-06-24 08:50 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-06-23 11:34 <DIR> dr-hs---- C:\cmdcons
    2007-06-23 11:33 <DIR> d-------- C:\WINDOWS\setupupd
    2007-06-23 09:47 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-06-23 09:47 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-06-23 09:47 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-06-23 09:47 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-06-23 09:47 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
    2007-06-23 09:47 <DIR> d-------- C:\Program Files\Webroot
    2007-06-23 09:47 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-06-23 09:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-06-23 09:13 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Webroot
    2007-06-23 02:06 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
    2007-06-23 01:50 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2007-06-23 01:50 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
    2007-06-23 01:48 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
    2007-06-23 01:48 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
    2007-06-23 01:40 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
    2007-06-23 01:40 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-06-23 01:40 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-06-23 01:40 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
    2007-06-22 23:49 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
    2007-06-22 11:57 <DIR> d-------- C:\temp\iee
    2007-06-21 15:45 <DIR> d-------- C:\Program Files\AIM
    2007-06-15 16:37 <DIR> d-------- C:\WINDOWS\LastGood
    2007-06-14 16:04 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2007-06-09 09:37 <DIR> d-------- C:\Program Files\Imikimi


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-01 20:48:39 164 ----a-w C:\install.dat
    2007-07-01 13:13:41 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-26 14:59:43 -------- d-----w C:\Program Files\Google
    2007-06-23 16:40:03 -------- d-----w C:\Program Files\Norton AntiVirus
    2007-06-23 15:44:18 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-23 15:37:13 4,117 -c--a-w C:\WINDOWS\viassary-hp.reg
    2007-06-23 15:36:32 -------- d-----w C:\Program Files\Easy Internet signup
    2007-06-23 04:12:26 -------- d-----w C:\Program Files\Windows NT
    2007-06-23 04:12:20 -------- d-----w C:\Program Files\Movie Maker
    2007-06-23 04:12:19 -------- d-----w C:\Program Files\Messenger
    2007-06-22 23:14:53 -------- d-----w C:\Program Files\QuickTime
    2007-06-14 19:20:08 -------- d-----w C:\Program Files\Yahoo!
    2007-06-06 18:21:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
    2007-05-22 14:17:42 -------- d-----w C:\Program Files\Aurora Digital Imaging
    2007-05-15 20:28:18 -------- d-----w C:\Program Files\Windows Media Connect 2
    2007-05-15 17:13:44 -------- d-----w C:\Program Files\Broderbund
    2007-05-15 16:34:49 -------- d-----w C:\Program Files\Common Files\AOL
    2007-05-06 00:44:26 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
    2007-05-05 22:09:09 -------- d-----w C:\Program Files\MSXML 4.0
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    1989-12-12 18:10:10 280,000 --sh--r C:\WINDOWS\upaowtb.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll [2003-02-06 14:45]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 11:47]
    {BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton AntiVirus\NavShExt.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 07:23]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 12:01]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-26 08:29]
    "VTTimer"="VTTimer.exe" []
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 04:59]
    "NAV CfgWiz"="c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 22:24]
    "LTMSG"="LTMSG.exe" [2003-07-14 21:52 C:\WINDOWS\ltmsg.exe]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 11:17]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 00:35 C:\WINDOWS\ALCXMNTR.EXE]
    "mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-12-11 05:40]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
    backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
    backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]


    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT
    *Newly Created Service* - SHAREDACCESS

    Contents of the 'Scheduled Tasks' folder
    2007-06-23 15:36:31 C:\WINDOWS\tasks\Easy Internet Sign-up.job
    2004-01-27 10:22:58 C:\WINDOWS\tasks\Symantec NetDetect.job
    2007-06-30 01:28:04 C:\WINDOWS\tasks\WebReg 20041103212832.job
    2007-07-01 14:37:04 C:\WINDOWS\tasks\WebReg 20060127103759.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-01 17:56:39
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-01 18:01:16 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-01 18:01

    --- E O F ---

    heres the antispyware
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/01/2007 at 07:21 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3263
    Trace Rules Database Version: 1274

    Scan type : Complete Scan
    Total Scan Time : 00:56:07

    Memory items scanned : 329
    Memory threats detected : 0
    Registry items scanned : 5267
    Registry threats detected : 0
    File items scanned : 59115
    File threats detected : 126

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][5].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator.YOUR-XB2X7J77GN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][2].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][2].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Default User\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt

    Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
    C:\WINDOWS\system32\drivers\FOPN.sys

    Adware.MyWay
    C:\Program Files\MyWay

    Trojan.Downloader-Gen/SVHost
    C:\PROGRAM FILES\POOLSV\SVHOST.EXE

    Trojan.ZQuest
    C:\PROGRAM FILES\WINDOWS NT\MEVOJULI43855.DLL
    C:\PROGRAM FILES\WINDOWS NT\MEVOJULI83122.DLL

    Trojan.Downloader-Gen/Blah
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QOMLMML.DLL.VIR

    Trojan.Downloader-Gen/BundleBase
    C:\WINDOWS\SYSTEM32\O09PREZ\O09PREZ1099.EXE
     
  6. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    still have the trojans and all please help! my comp is sicky
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    If you have vundofix, remove it and get the current version

    Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
    Double-click VundoFix.exe to run it.
    click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let Vundo finish its thing, sometimes it can take multiple passes

    ================
    DownLoad Killbox from one of these links

    http://www.downloads.subratam.org/KillBox.zip or
    http://www.thespykiller.co.uk/files/killbox.exe

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\Program Files\svhost
    C:\Program Files\poolsv

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  8. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    HI i ran th vundo 5 times it says it didnt find anything killbox.exe didnt do anythin i assume its contected to what vundo finds. here is my lastest hijackthis log i ran my spysweeper program and it still finds trojans .. Ugg

    Logfile of HijackThis v1.99.1
    Scan saved at 8:43:47 PM, on 7/3/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] "c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    heres Vundos log
    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 7:56:50 PM 7/3/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 8:20:14 PM 7/3/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 8:30:07 PM 7/3/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 8:37:32 PM 7/3/2007

    Listing files found while scanning....

    No infected files were found.
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix this with HiJackThis – mark it close IE, click fix checked

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file


    You are not providing any details as to what spysweeper is finding but I suspect they are cookies


    IE - Block Third party cookies
    1. Click on the Tools button on the Internet Explorer tool bar.
    2. Highlight and click on Internet options at the bottom of the Tools menu.
    3. Select the Privacy Tab of the Internet Options menu.
    4. Select the Advanced... button at the bottom of the screen.
    5. Select override automatic cookie handling button.
    6. To block third party cookies select block under "Third-party cookies".
    7. Select "always allow session cookies".
    8. Click on the OK button at the bottom of the screen.


    Clean [​IMG]
    If you feel its is fixed mark it solved via Thread Tools above

    Turn off restore points, boot, turn them back on – here’s how

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

    This clears infected restore points and sets a new, clean one.
     
  10. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    i decided to rerun vundo since that darn winanti was loading itself onto my comp i ran the vundo it found a few things nothing was able to do anything in the kill.exe box heres the vundo log as far as what the spysweeper is detecting is pretty much same as the super antispyware trojan downloader/gen trojan winantispyware adware myway trojan downloader-gen/svhost i do notice that vundo says java is old could be exploitable should b removed. is this something i shoudl take action to? would this cause any of these problems?
    Scan started at 10:05:40 AM 7/4/2007

    Listing files found while scanning....

    C:\windows\system32\ddayy.dll
    C:\windows\system32\ljjkijk.dll
    C:\windows\system32\xxyvvuu.dll
    C:\windows\system32\yyadd.bak1
    C:\windows\system32\yyadd.ini

    Beginning removal...

    Attempting to delete C:\windows\system32\ddayy.dll
    C:\windows\system32\ddayy.dll Could not be deleted.

    Attempting to delete C:\windows\system32\ljjkijk.dll
    C:\windows\system32\ljjkijk.dll Has been deleted!

    Attempting to delete C:\windows\system32\xxyvvuu.dll
    C:\windows\system32\xxyvvuu.dll Has been deleted!

    Attempting to delete C:\windows\system32\yyadd.bak1
    C:\windows\system32\yyadd.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\yyadd.ini
    C:\windows\system32\yyadd.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 10:53:01 AM 7/4/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...


    thank you
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Run it again
     
  12. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    i ran vundo again it didnt find anything i ran my spysweeper and the super antiapysware to find out what exactly is running here is the running
    spysweeper Trojan horse found: trojan-downloader-waverevenue
    adware found: purity scan
    adware found : system doctor 2006

    Antispyware found
    trojan.winfixer
    adware.vundo.variant
    adware.clickspring/outerinfo network
    trojan.downloader-gen/retad

    i increased the internet explorer privacy as you suggested as well.. thank you on that.
     
  13. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Delete your version of combofix

    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

    Note:
    Do not mouseclick combofix's window while its running. That may cause it to stall
     
  14. littletikes3

    littletikes3 Thread Starter

    Joined:
    Jul 1, 2007
    Messages:
    79
    "Owner" - 2007-07-05 8:44:16 - ComboFix 07-07-04.4 - Service Pack 1


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
    C:\Program Files\poolsv
    C:\Program Files\poolsv\k11u72.exe
    C:\Program Files\svhost
    C:\temp\iee
    C:\temp\iee\tmpZTF.log
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\o09PrEz
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))


    2007-07-03 20:27 <DIR> d-------- C:\!KillBox
    2007-07-03 19:56 <DIR> d-------- C:\VundoFix Backups
    2007-07-02 07:50 <DIR> d-------- C:\WINDOWS\system32\bits
    2007-07-02 07:47 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-07-02 07:47 <DIR> d-------- C:\WINDOWS\system32\PreInstall
    2007-07-01 19:45 170 --a------ C:\combo.vbs
    2007-07-01 18:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-01 18:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-01 18:17 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
    2007-07-01 18:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-01 17:30 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-01 17:11 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
    2007-07-01 17:11 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2007-07-01 17:11 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
    2007-07-01 17:11 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2007-07-01 17:11 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
    2007-07-01 09:18 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-07-01 09:05 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-01 09:05 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-01 09:05 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-01 09:05 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-01 09:05 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2007-07-01 09:05 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2007-06-24 08:52 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2007-06-24 08:51 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-06-24 08:50 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-06-23 11:34 <DIR> dr-hs---- C:\cmdcons
    2007-06-23 11:33 <DIR> d-------- C:\WINDOWS\setupupd
    2007-06-23 09:47 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-06-23 09:47 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-06-23 09:47 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-06-23 09:47 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-06-23 09:47 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
    2007-06-23 09:47 <DIR> d-------- C:\Program Files\Webroot
    2007-06-23 09:47 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-06-23 09:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-06-23 09:13 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Webroot
    2007-06-23 02:06 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
    2007-06-23 01:50 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2007-06-23 01:50 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
    2007-06-23 01:48 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
    2007-06-23 01:48 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
    2007-06-23 01:40 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
    2007-06-23 01:40 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-06-23 01:40 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-06-23 01:40 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
    2007-06-22 23:49 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
    2007-06-21 15:45 <DIR> d-------- C:\Program Files\AIM
    2007-06-15 16:37 <DIR> d-------- C:\WINDOWS\LastGood
    2007-06-14 16:04 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2007-06-09 09:37 <DIR> d-------- C:\Program Files\Imikimi


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-03 18:04:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-07-01 23:25:23 -------- d-----w C:\Program Files\Windows NT
    2007-07-01 20:48:39 164 ----a-w C:\install.dat
    2007-07-01 13:13:41 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-26 14:59:43 -------- d-----w C:\Program Files\Google
    2007-06-23 16:40:03 -------- d-----w C:\Program Files\Norton AntiVirus
    2007-06-23 15:44:18 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-23 15:37:13 4,117 -c--a-w C:\WINDOWS\viassary-hp.reg
    2007-06-23 15:36:32 -------- d-----w C:\Program Files\Easy Internet signup
    2007-06-23 04:12:20 -------- d-----w C:\Program Files\Movie Maker
    2007-06-23 04:12:19 -------- d-----w C:\Program Files\Messenger
    2007-06-22 23:14:53 -------- d-----w C:\Program Files\QuickTime
    2007-06-14 19:20:08 -------- d-----w C:\Program Files\Yahoo!
    2007-06-06 18:21:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
    2007-05-22 14:17:42 -------- d-----w C:\Program Files\Aurora Digital Imaging
    2007-05-15 20:28:18 -------- d-----w C:\Program Files\Windows Media Connect 2
    2007-05-15 17:13:44 -------- d-----w C:\Program Files\Broderbund
    2007-05-15 16:34:49 -------- d-----w C:\Program Files\Common Files\AOL
    2007-05-06 00:44:26 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
    2007-05-05 22:09:09 -------- d-----w C:\Program Files\MSXML 4.0
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    1989-12-12 18:10:10 280,000 --sh--r C:\WINDOWS\upaowtb.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 07:23]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 12:01]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-26 08:29]
    "VTTimer"="VTTimer.exe" []
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 04:59]
    "NAV CfgWiz"="c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 22:24]
    "LTMSG"="LTMSG.exe" [2003-07-14 21:52 C:\WINDOWS\ltmsg.exe]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 11:17]
    "mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-12-11 05:40]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
    backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
    backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"


    Contents of the 'Scheduled Tasks' folder
    2007-06-23 15:36:31 C:\WINDOWS\tasks\Easy Internet Sign-up.job
    2004-01-27 10:22:58 C:\WINDOWS\tasks\Symantec NetDetect.job
    2007-07-05 01:28:00 C:\WINDOWS\tasks\WebReg 20041103212832.job
    2007-07-04 14:37:13 C:\WINDOWS\tasks\WebReg 20060127103759.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-05 08:53:27
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-05 8:54:47
    C:\ComboFix-quarantined-files.txt ... 2007-07-05 08:54
    C:\ComboFix2.txt ... 2007-07-01 18:01

    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 9:00:06 AM, on 7/5/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] "c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  15. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/590564

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice