MalwareRemoval.com, free malware removal support forum

Malware or virus issue

Post by Gozza » September 10th, 2007, 4:33 pm

Hi, I am having a nightmare with this Sony laptop that my fiancée uses for her work. IE keeps crashing, she is getting pop-ups, and Google search links are sending her to random websites and not the destination of the links. She is now getting frustrated and spending more time re-opening crashed web pages or closing pop-ups than doing her work. Help would be much appreciated, as the recovery disks are in Italy and we are in the UK; otherwise I would have re-formatted the thing and started fresh. I have tried Spybot and Ad-Aware scans as well as virus scans, to no avail.

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 22:29:11, on 10/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Apoint\Apoint.exe
C:\Programmi\sony\vaio power management\SPMgr.exe
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~2\NORTON~2\GHOSTS~2.EXE
C:\Programmi\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\WebServer.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\Aware.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\Marker.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\MSN Messenger\livecall.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio-link.com/vu.asp?l=it&u=a&h=0410
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Programmi\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Programmi\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Programmi\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Programmi\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eBayToolbar] C:\Programmi\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} (TNSClicker.Clicker) - http://www.shopandscan.com/TNSClicker.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://wanadoouk.oberon-media.com/onlin ... der_v5.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: siregsrv - Symantec, Peter Norton Group - C:\PROGRA~1\NORTON~2\SPEEDD~1\SIREGSRV.EXE
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Programmi\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Programmi\File comuni\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
Gozza
Active Member
 
Posts: 12
Joined: September 7th, 2007, 2:17 pm
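Added example (not part of the thread, and not HijackThis or MalwareRemoval.com code): a small Python triage of a HijackThis 1.99.1 log in the format posted above. It splits the log into the running-process list and the R/O sections, counts images that are running more than once (the first log above shows five drwtsn32.exe instances; Dr. Watson is the XP crash handler, which fits "IE keeps crashing"), indexes every CLSID in O2/O3/O16 to the file or URL behind it, and lists the sections a helper reads first: unnamed add-ons, add-on DLLs sitting in system32 rather than a vendor folder, Trusted Zone additions (O15), downloaded ActiveX controls (O16) and services with no verified owner (O23). Every hit is a prompt to identify the file, not a verdict; in this log the unnamed BHO is Spybot's SDHelper, and Katana judged the log fairly clean. The sample log is constructed from a few lines of the posted log; the helper names are this example's own.

```python
"""Triage of a HijackThis 1.99.1 log (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:29:11, on 10/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Programmi\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} (TNSClicker.Clicker) - http://www.shopandscan.com/TNSClicker.CAB
O23 - Service: SMART Web Server - Unknown owner - C:\Programmi\SMART Technologies Inc\SMART Board Software\WebServer.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SYSTEM32_RE = re.compile(r"\\WINDOWS\\system32\\", re.I)


def parse_hjt(text):
    """Split a log into (header, running processes, entries keyed by section code)."""
    header, processes, entries = {}, [], defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("code")].append(m.group("body"))
            continue
        for key in ("Platform", "MSIE"):
            if line.startswith(key + ":"):
                header[key] = line[len(key) + 1:].strip()
        v = re.search(r"HijackThis v([\d.]+)", line)
        if v:
            header["version"] = v.group(1)
    return header, processes, dict(entries)


def duplicate_processes(processes, threshold=2):
    """Image paths running `threshold` or more times (case-folded).
    Several drwtsn32.exe instances mean something has been crashing repeatedly."""
    counts = Counter(p.lower() for p in processes)
    return {p: n for p, n in counts.items() if n >= threshold}


def clsid_index(entries):
    """Map each CLSID in O2/O3/O16 lines to (section, file-or-URL) for lookup."""
    index = {}
    for code in ("O2", "O3", "O16"):
        for body in entries.get(code, []):
            m = CLSID_RE.search(body)
            if m:
                index[m.group(0).upper()] = (code, body.rsplit(" - ", 1)[-1])
    return index


def review_first(entries):
    """Entries a helper identifies before anything else; a hit is not a verdict."""
    findings = []
    for code in ("O2", "O3"):
        for body in entries.get(code, []):
            path = body.rsplit(" - ", 1)[-1]
            if "(no name)" in body:
                findings.append((code, "unnamed add-on", body))
            elif SYSTEM32_RE.search(path):
                findings.append((code, "add-on DLL in system32", body))
    for body in entries.get("O15", []):
        findings.append(("O15", "trusted zone addition", body))
    for body in entries.get("O16", []):
        findings.append(("O16", "downloaded ActiveX control", body))
    for body in entries.get("O23", []):
        if "Unknown owner" in body:
            findings.append(("O23", "service with unknown owner", body))
    return findings


if __name__ == "__main__":
    header, procs, entries = parse_hjt(SAMPLE_LOG)
    print(header)
    for path, n in duplicate_processes(procs).items():
        print(f"{n}x {path}")
    for code, reason, body in review_first(entries):
        print(f"[{code}] {reason}: {body}")
```

HijackThis only lists a fixed set of browser and autostart hooks, so a log that "looks fairly clean" does not rule out a kernel-mode rootkit; the AVG report later in this thread found a Rootkit.Agent.ex driver that HJT never showed.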

Post by Katana » September 16th, 2007, 8:07 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please post a fresh Hijack This log to this thread.
I will be notified and I will get back to you ASAP.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by Gozza » September 17th, 2007, 5:12 pm

Hi Katana, thank you very much for the reply, I have seen that the forum has been very busy. I will post a fresh HijackThis log tomorrow afternoon when I get back from work.

Post by Gozza » September 18th, 2007, 3:29 pm

Hi Katana, here is the latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 21:28:41, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Apoint\Apoint.exe
C:\Programmi\sony\vaio power management\SPMgr.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\NORTON~2\NORTON~2\GHOSTS~2.EXE
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\WebServer.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\Aware.exe
C:\Programmi\SMART Technologies Inc\SMART Board Software\Marker.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio-link.com/vu.asp?l=it&u=a&h=0410
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Programmi\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Programmi\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Programmi\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Programmi\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eBayToolbar] C:\Programmi\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} (TNSClicker.Clicker) - http://www.shopandscan.com/TNSClicker.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://wanadoouk.oberon-media.com/onlin ... der_v5.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: siregsrv - Symantec, Peter Norton Group - C:\PROGRA~1\NORTON~2\SPEEDD~1\SIREGSRV.EXE
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Programmi\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Programmi\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Programmi\File comuni\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe

Post by Katana » September 18th, 2007, 4:15 pm

Hi Gozza,
Your HJT log looks fairly clean, are you still having the popup problems ?

Update AVG Anti-Spyware
  • Launch AVG Anti-Spyware
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.


Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Kaspersky Online Scanner

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • AVG Log
  • Kaspersky Log
  • What problems are you having now ?

Post by Gozza » September 20th, 2007, 2:28 am

I have been told that the computer has been behaving better. My fiancée, who is a teacher, found a trojan in some files on her memory stick that she had been using for sharing teaching resources. These files have been removed, but I will continue this process. Thanks again for your help.
Here are the logs as requested.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:49:02 19/09/2007

+ Scan result:



C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP644\A0133952.DLL -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP679\A0145893.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\Documents and Settings\Kite\Cookies\kite@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@media.adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Kite\Cookies\kite@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, September 20, 2007 8:24:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 20/09/2007
Kaspersky Anti-Virus database records: 420884
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 105573
Number of viruses found: 5
Number of infected objects: 11
Number of suspicious objects: 80
Duration of the scan process: 02:30:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Support\MPLog-02122007-103419.log Object is locked skipped
C:\Documents and Settings\Kite\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Cronologia\History.IE5\MSHist012007091820070919\index.dat Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Cronologia\History.IE5\MSHist012007091920070920\index.dat Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\moodia@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\moodia@msn.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\moodia@msn.com\SharingMetadata\Working\database_C20_F954_20F9_456C\dfsr.db Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\moodia@msn.com\SharingMetadata\Working\database_C20_F954_20F9_456C\fsr.log Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\moodia@msn.com\SharingMetadata\Working\database_C20_F954_20F9_456C\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\moodia@msn.com\SharingMetadata\Working\database_C20_F954_20F9_456C\tmp.edb Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Windows Defender\FileTracker\{F7B43EDC-1CEF-4B30-BCE2-1542FE0626DA} Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\moodia@msn.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\moodia@msn.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Temp\~DF32E8.tmp Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Temp\~DF3312.tmp Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Temp\~DFEC73.tmp Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Temp\~DFECB5.tmp Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kite\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kite\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kite\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\Quarantine\5D3A2D0A.zip/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\Quarantine\5D3A2D0A.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\Quarantine\5D3A2D0A.zip ZIP: infected - 2 skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\Quarantine\5D3A2D0A.zip CryptFF: infected - 2 skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\Quarantine\60990D05 Infected: Trojan.Win32.Tiny.e skipped
C:\Programmi\Norton SystemWorks\Norton AntiVirus\Quarantine\609D3701 Infected: Trojan.Win32.Tiny.e skipped
C:\Programmi\SMART Board Software\SMARTBoardService.log Object is locked skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145020.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145021.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145022.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145023.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145024.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145025.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145026.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145027.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145028.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145055.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145056.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145057.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145058.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145059.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145060.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145061.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145062.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145063.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145064.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145065.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145066.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145067.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145068.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145069.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145070.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145071.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145072.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145073.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145074.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145075.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145076.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145077.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145078.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145079.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145080.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145081.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP673\A0145110.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145118.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145200.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145201.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145202.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145307.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145309.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145313.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145317.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP674\A0145319.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP687\change.log Object is locked skipped
C:\WINDOWS\1388146.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\166769.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\17402964.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\18607596.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\19812538.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\21013916.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\22225288.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\23430621.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\25854937.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\2595472.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\27059779.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\28262509.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\29464798.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\30666796.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\31867673.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\33070312.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\34272441.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\35473898.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\36679231.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\37882271.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\3797069.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\39084160.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\40287730.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\41490390.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\42693099.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\43894446.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\45096855.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\46300907.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\47503205.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\48704132.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\49907833.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\5000940.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\51111314.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\52312000.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\53513418.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\54718280.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\55927219.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\57127845.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{69554235-B929-4E64-B2FD-655D4F1C92F3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\AClient.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\TMP000000169188488A7578FFC5 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{04D559E1-C423-42FB-ACD6-9622DB80FC5D}\RP687\change.log Object is locked skipped

Scan process completed.
Gozza
Active Member
Posts: 12
Joined: September 7th, 2007, 2:17 pm

Post by Katana » September 20th, 2007, 5:31 am

Hi Gozza,
It looks like there are still a few nasties there.

Submit a File For Analysis
We need to have the files below scanned by uploading them to Jotti

Please visit Jotti
Copy/paste the following file path into the window
C:\WINDOWS\system32\AClient.dll
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following files
C:\WINDOWS\22225288.exe
C:\WINDOWS\23430621.exe


If Jotti is too busy please try Virustotal


Download and Run ComboFix
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Jotti/Virus Total Results
  • ComboFix Log
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by Gozza » September 20th, 2007, 3:41 pm

Hi Katana, I wanted to let you know that I have my future in-laws visiting so I won't be able to carry out your latest instructions until Sunday. I will post these logs on Sunday or Monday evening, just so you don't think I have abandoned the thread!
Gozza

Post by Katana » September 20th, 2007, 3:49 pm

Gozza wrote:Hi Katana, I wanted to let you know that I have my future in-laws visiting so I won't be able to carry out your latest instructions until Sunday. I will post these logs on Sunday or Monday evening, just so you don't think I have abandoned the thread!

That is not a problem, thank you for letting me know.

Good luck with the "trial of the in-laws" :lol:
Katana

Post by Katana » September 25th, 2007, 11:42 am

Everything OK ??
Katana

Post by Gozza » September 25th, 2007, 5:23 pm

Hi Katana, I have downloaded the ComboFix app and used Jotti on two of the three files before it became busy, and VirusTotal was taking forever to upload the third. Unfortunately it is late for me now and the last couple of days have been really busy. The weekend with the in-laws went well though :D I shall hopefully have ComboFix done for tomorrow and the third file scanned. Thanks.
Gozza

Post by Gozza » September 27th, 2007, 8:12 am

Hi Katana, just a quick update. I had a nightmare with ComboFix throwing up Norton warnings about malicious scripts while trying to scan the PC :x I managed to finally get a scan log late last night, so I will post all of the results when I get home this evening. Apologies for the delay.
Gozza

Post by Gozza » September 27th, 2007, 4:50 pm

File: AClient.dll
Status: INFECTED/MALWARE
MD5: b2c7cfc097624b084bdcd1fa94d2fc9e
Packers detected: -
Bit9 reports: File not found
A-Squared Found nothing
AntiVir Found TR/Dldr.ConHook.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Packer.Morphine.B
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.BhoBot
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Packed.Win32.Morphine.a (probable variant)
Fortinet Found nothing
Kaspersky Anti-Virus Found Packed.Win32.Morphine.a (probable variant)
NOD32 Found a variant of Win32/BHO.BO
Norman Virus Control Found W32/BHO.QG
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-M
VirusBuster Found TrojanSpy.BZub.Gen!Pac.14
VBA32 Found nothing

File: 22225288.exe
Status: INFECTED/MALWARE
MD5: 995e5c331e7bbfe8764a77dd09364308
Packers detected: Analyzing...
Bit9 reports: File not found
A-Squared Found nothing
AntiVir Found TR/Crypt.Morphine.Gen
ArcaVir Found nothing
Avast Found Win32:BHO-GW
AVG Antivirus Found nothing
BitDefender Found Packer.Morphine.B
ClamAV Found Trojan.Packed-86
CPsecure Found nothing
Dr.Web Found Trojan.Click.3614
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Packed.Win32.Morphine.a (probable variant)
Fortinet Found nothing
Kaspersky Anti-Virus Found Packed.Win32.Morphine.a (probable variant)
NOD32 Found a variant of Win32/BHO.BO
Norman Virus Control Found W32/BHO.QG
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-M
VirusBuster Found nothing
VBA32 Found Trojan.DownLoader.29569

File: 23430621.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 995e5c331e7bbfe8764a77dd09364308
Packers detected: -
Bit9 reports: File not found
A-Squared Found nothing
AntiVir Found TR/Crypt.Morphine.Gen
ArcaVir Found nothing
Avast Found Win32:BHO-GW
AVG Antivirus Found Generic8.BLP
BitDefender Found Packer.Morphine.B
ClamAV Found Trojan.Packed-86
CPsecure Found Packed.W32.Morphine.A
Dr.Web Found Trojan.Click.3614
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Packed.Win32.Morphine.a (probable variant)
Fortinet Found W32/Agent.A!tr.spy
Kaspersky Anti-Virus Found Packed.Win32.Morphine.a (probable variant)
NOD32 Found a variant of Win32/BHO.BO
Norman Virus Control Found W32/BHO.QG
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-M
VirusBuster Found nothing
VBA32 Found Trojan.DownLoader.29569

ComboFix 07-09-21.2 - "Kite" 2007-09-26 22:03:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.140 [GMT 2:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-25 23:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-19 22:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-19 22:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\Kaspersky Lab
2007-09-05 20:50 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-02 16:54 424,448 --a------ C:\WINDOWS\system32\AClient.dll
2007-08-27 16:28 19,968 --a------ C:\WINDOWS\system32\Ldrcrpt.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 21:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\DATIAP~1\WholeSecurity
2007-09-26 19:46 --------- d-------- C:\Programmi\File comuni\Symantec Shared
2007-09-05 00:21 --------- d-------- C:\Programmi\Windows Defender
2007-09-05 00:14 --------- d-------- C:\Programmi\QuickTime
2007-09-05 00:13 --------- d-------- C:\Programmi\Norton SystemWorks
2007-09-05 00:13 --------- d-------- C:\Programmi\MSN Messenger
2007-09-05 00:07 --------- d-------- C:\Programmi\Google
2007-09-05 00:03 --------- d-------- C:\Programmi\Apoint
2007-08-28 16:46 --------- d-------- C:\DOCUME~1\Kite\DATIAP~1\AdobeUM
2007-08-24 09:58 --------- d-------- C:\DOCUME~1\Kite\DATIAP~1\Canon
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 08:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-07-01 14:02]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-07-01 13:58]
"Apoint"="C:\Programmi\Apoint\Apoint.exe" [2003-11-07 19:21]
"SonyPowerCfg"="C:\Programmi\sony\vaio power management\SPMgr.exe" [2004-06-29 21:45]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-01-19 22:25]
"eBayToolbar"="C:\Programmi\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2007-09-08 18:53]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2002-08-19 23:22]
"ccRegVfy"="C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23]
"GhostStartTrayApp"="C:\Programmi\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2002-08-14 16:21]
"OpwareSE2"="C:\Programmi\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00]
"Windows Defender"="C:\Programmi\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Programmi\Symantec\LiveUpdate\ALUNotify.exe
"DWQueuedReporting"="C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Programmi\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKSERV.EXE]
C:\Programmi\Sony\HotKey Utility\HKserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
C:\Programmi\Utimaco\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\strkjhk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
"C:\Programmi\sony\vaio update 2\VAIOUpdt.exe" /Stationary

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMConsole.exe]
C:\Programmi\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe /windowmin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VCI"=2 (0x2)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-AppServer"=2 (0x2)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment Task Scheduler"=3 (0x3)
"VAIO Entertainment File Import Service"=2 (0x2)
"VAIO Entertainment Aggregation and Control Service"=3 (0x3)

R1 GhPciScan;GhostPciScanner;\??\C:\Programmi\Norton SystemWorks\Norton Ghost\ghpciscan.sys
R1 PrivateDisk;PrivateDisk;C:\WINDOWS\system32\Drivers\PrivateDiskM.sys
R2 SMART Web Server;SMART Web Server;"C:\Programmi\SMART Technologies Inc\SMART Board Software\WebServer.exe"
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys
S2 siregsrv;siregsrv;C:\PROGRA~1\NORTON~2\SPEEDD~1\SIREGSRV.EXE
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys
S3 SE2Bobex;Sony Ericsson Device 043 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Bobex.sys
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Programmi\File comuni\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Programmi\File comuni\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd842168-3b54-11dc-ac5a-0013ce1926a6}]
AutoRun\command- H:\fooool.exe
explore\Command- H:\fooool.exe
open\Command- H:\fooool.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-26 17:48:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programmi\Windows Defender\MpCmdRun.exe
"2007-09-21 22:06:27 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-08-31 16:27:55 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-09-26 17:48:41 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 22:05:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 22:42:22
C:\ComboFix-quarantined-files.txt ... 2007-09-26 22:42
.
--- E O F ---
Gozza
Active Member
 
Posts: 12
Joined: September 7th, 2007, 2:17 pm

Unread postby Katana » September 27th, 2007, 5:15 pm

A quick question before I work up a fix,

Do you have a USB drive, or is H:/ an external hard drive ?

Edit :- Never mind, I just read about the USB problem :)

The only thing is, if the USB drive was used on more than one PC then they will all need cleaning.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
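To make the USB point concrete, here is an added example (not code from the thread or from ComboFix) that parses the MountPoints2 block of a ComboFix log, like the one in Gozza's post, and lists which shell verbs (AutoRun, explore, open) have been pointed at a command on a removable drive; the second key and its E:\Setup.exe command are constructed sample data, and the Registry:: helper emits the same [-key] deletion form Katana's script uses.

```python
import re

# Constructed sample: the MountPoints2 block from the ComboFix log above, plus a
# second, made-up key (E: drive) to show that the parser handles several entries.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd842168-3b54-11dc-ac5a-0013ce1926a6}]
AutoRun\command- H:\fooool.exe
explore\Command- H:\fooool.exe
open\Command- H:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
open\Command- E:\Setup.exe /autorun
"""

# A MountPoints2 key line: [HKEY_...\mountpoints2\{GUID}]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[^}]+\})\]$", re.I)
# A shell-verb line under it, e.g. "open\Command- H:\fooool.exe"
VERB_RE = re.compile(r"^(AutoRun|explore|open)\\command-\s*(.+)$", re.I)
DRIVE_RE = re.compile(r"^([A-Z]):\\", re.I)


def find_mountpoint_hijacks(log_text):
    """Return one dict per MountPoints2 key that has AutoRun/explore/open verbs
    pointing at a command: {'key': ..., 'drive': 'H:', 'verbs': {verb: command}}.
    Such keys make Explorer launch the command when the drive is opened."""
    findings, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = {"key": key_match.group(1), "drive": None, "verbs": {}}
            findings.append(current)
            continue
        verb_match = VERB_RE.match(line)
        if verb_match and current is not None:
            verb, command = verb_match.group(1).lower(), verb_match.group(2).strip()
            current["verbs"][verb] = command
            drive_match = DRIVE_RE.match(command)
            if drive_match and current["drive"] is None:
                current["drive"] = drive_match.group(1).upper() + ":"
    return [f for f in findings if f["verbs"]]


def cfscript_registry_section(findings):
    """Build a CFScript Registry:: section that deletes each hijacked key, in the
    same '[-key]' form the script in this thread uses."""
    return "\n".join(["Registry::"] + [f"[-{f['key']}]" for f in findings])
```

Any key the parser reports should be checked against every machine the drive has been plugged into, which is the point Katana makes above.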

Unread postby Katana » September 28th, 2007, 9:48 am

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    DirLook::
    C:\WINDOWS\Temp\TMP000000169188488A7578FFC5
    
    File::
    C:\WINDOWS\1388146.exe
    C:\WINDOWS\166769.exe
    C:\WINDOWS\17402964.exe
    C:\WINDOWS\18607596.exe
    C:\WINDOWS\19812538.exe
    C:\WINDOWS\21013916.exe
    C:\WINDOWS\22225288.exe
    C:\WINDOWS\23430621.exe
    C:\WINDOWS\25854937.exe
    C:\WINDOWS\2595472.exe
    C:\WINDOWS\27059779.exe
    C:\WINDOWS\28262509.exe
    C:\WINDOWS\29464798.exe
    C:\WINDOWS\30666796.exe
    C:\WINDOWS\31867673.exe
    C:\WINDOWS\33070312.exe
    C:\WINDOWS\34272441.exe
    C:\WINDOWS\35473898.exe
    C:\WINDOWS\36679231.exe
    C:\WINDOWS\37882271.exe
    C:\WINDOWS\3797069.exe
    C:\WINDOWS\39084160.exe
    C:\WINDOWS\40287730.exe
    C:\WINDOWS\41490390.exe
    C:\WINDOWS\42693099.exe
    C:\WINDOWS\43894446.exe
    C:\WINDOWS\45096855.exe
    C:\WINDOWS\46300907.exe
    C:\WINDOWS\47503205.exe
    C:\WINDOWS\48704132.exe
    C:\WINDOWS\49907833.exe
    C:\WINDOWS\5000940.exe
    C:\WINDOWS\51111314.exe
    C:\WINDOWS\52312000.exe
    C:\WINDOWS\53513418.exe
    C:\WINDOWS\54718280.exe
    C:\WINDOWS\55927219.exe
    C:\WINDOWS\57127845.exe
    C:\WINDOWS\system32\AClient.dll
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd842168-3b54-11dc-ac5a-0013ce1926a6}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\strkjhk]
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    

  • Save this as CFScript.txt and place it on your desktop.


    [Image: screenshot of dragging CFScript.txt onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

find a file
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it findfiles.bat. Please save it on your desktop.

rem Search the whole C: drive (all attributes, all subfolders) for the two files
dir /s /a C:\fooool.exe > filesfound.txt
dir /s /a C:\xlibgfl254.dll >> filesfound.txt
rem Show the results in Notepad, then remove this batch file
start notepad.exe filesfound.txt
del /q findfiles.bat


Double click findfiles.bat.
Please be patient as this is searching your entire drive.
Notepad will open (wait until it opens by itself), copy and paste the contents in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
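Added example (not code from the thread or from ComboFix): a small parser for the CFScript format used in the post above (DirLook::, File:: and Registry:: sections) that turns a script into a list of the actions it asks ComboFix to take, so what will be deleted can be reviewed before the file is dragged onto ComboFix.exe. The sample is cut down from the script in the post; the section meanings it assumes are that DirLook lists a directory, File deletes files, a Registry line in [-key] form deletes that key, and a [key] followed by "name"="data" lines sets values.

```python
# Constructed sample, cut down from the CFScript in the post above.
SAMPLE_CFSCRIPT = r"""
DirLook::
C:\WINDOWS\Temp\TMP000000169188488A7578FFC5
File::
C:\WINDOWS\1388146.exe
C:\WINDOWS\system32\AClient.dll
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd842168-3b54-11dc-ac5a-0013ce1926a6}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections: {name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def summarize_actions(sections):
    """Translate parsed sections into (action, target) tuples for review, using
    the assumed section meanings given in the lead-in."""
    actions = []
    for path in sections.get("DirLook", []):
        actions.append(("list directory", path))
    for path in sections.get("File", []):
        actions.append(("delete file", path))
    key = None
    for line in sections.get("Registry", []):
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete key", line[2:-1]))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and "=" in line:
            name, data = line.split("=", 1)
            name = name.strip().strip('"')
            actions.append(("set value", key + "\\" + name + "=" + data))
    return actions
```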