MalwareRemoval.com - Malware Removal Instructions

CiD:
Post by Olle B » November 27th, 2007, 2:57 am

On my kids' computer a window with different commercials keeps opening every minute or so. They all open in a window with "CiD:" in the blue top bar.

I have run Norton 2007 and Ad-aware before running HijackThis. I have tried to attach the HijackThis file that starts with "Logfile of Trend Micro HijackThis v2.0.0 (BETA" but I only get the message "The extension log is not allowed."


All suggestions are welcome.

Regards,

Olle Bäcklund
Sweden
Olle B
Regular Member
Posts: 15
Joined: November 26th, 2007, 6:09 pm

Re: CiD:

Post by Blade81 » November 30th, 2007, 3:50 am

Hi

Before doing anything else, delete the HijackThis you're currently running.

Then download and install TrendMicro HijackThis.
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read "save log". Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your system's default text editor. Typically this application is Notepad. Post the log here.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: CiD:

Post by Olle B » December 4th, 2007, 6:03 pm

I have done as you asked me but I still get the message: "The extension log is not allowed".

Instead of the log file I have added the information from the log file below.

Regards,

Olle Bäcklund

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:54:08, on 2007-12-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Storegate\Autostore\AutoStoreSvc.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program\Analog Devices\SoundMAX\SMTray.exe
C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\iid.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program\intern~1\iexplore.exe
C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program\DELADE~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SynCor.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\LimeWire\LimeWire.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\Updt852\spa.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program\Symantec\LiveUpdate\LUALL.EXE
C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\Updt639\spa.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.playahead.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [DataLayer] C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [COOL STYLE 01 TEAM] C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\Readme Poke.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [ghpqjkklef] c:\windows\system32\ghpqjkklef.exe ghpqjkklef
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [funkmeet] C:\DOCUME~1\ALEXAN~1\APPLIC~1\TOOLBO~1\copywavemove.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program\Rainlendar2\Rainlendar2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://visma.storegate.se/user/Files/C ... oader4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Autostore - Storegate AB - C:\Program\Storegate\Autostore\AutoStoreSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11058 bytes
Olle B
Regular Member
 
Posts: 15
Joined: November 26th, 2007, 6:09 pm
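Added example, not from the thread and not part of HijackThis: a small triage pass over O4 autostart lines in the format shown in the log above. It parses the value name and the executable out of each line and flags the three patterns a helper looks at first: an entry whose target file is missing, an executable launched from a user data or temp folder, and a random-looking name such as ghpqjkklef. The sample lines are taken from the log above; the heuristics, thresholds and the folder list (LOKALA~1 is inferred from the log's own paths) are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: O4 autostart lines in the format HijackThis prints,
# mirroring entries from the log above (clean vendor entries are included so
# the heuristics can be checked in both directions).
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe",
    r"O4 - HKLM\..\Run: [COOL STYLE 01 TEAM] C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\Readme Poke.exe",
    r"O4 - HKLM\..\Run: [ghpqjkklef] c:\windows\system32\ghpqjkklef.exe ghpqjkklef",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [funkmeet] C:\DOCUME~1\ALEXAN~1\APPLIC~1\TOOLBO~1\copywavemove.exe",
]

# "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Folders a vendor autostart rarely runs from: per-user data and temp
# directories, in long and 8.3 short form. LOKALA~1 is assumed to be the
# Swedish XP "Local Settings" folder, as seen in the log's own paths.
USER_DATA_PATH = re.compile(
    r"(application data|applic~1|local settings|lokala~1|\\temp\\)", re.I)


def extract_exe(cmd):
    """Return the executable from a Run-value command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.I)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def looks_random(text):
    """Heuristic for machine-generated names: long, vowel-poor, long consonant runs."""
    letters = re.sub(r"[^a-z]", "", text.lower())
    if len(letters) < 8:          # short names ("ctfmon") give no signal
        return False
    vowels = sum(ch in "aeiouy" for ch in letters)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", letters))
    return vowels / len(letters) < 0.2 or longest_run >= 6


def triage(lines):
    """Flag O4 entries worth a closer look; returns [{'name', 'exe', 'reasons'}]."""
    flagged = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:                 # e.g. "O4 - Global Startup: ..." lines
            continue
        name, cmd = m.group("name"), m.group("cmd")
        exe = extract_exe(cmd)
        stem = re.sub(r"\.exe$", "", exe.split("\\")[-1], flags=re.I)
        reasons = []
        if "(no file)" in cmd:
            reasons.append("dangling entry: target file missing")
        if USER_DATA_PATH.search(exe):
            reasons.append("runs from a user data or temp folder")
        if looks_random(name) or looks_random(stem):
            reasons.append("random-looking name")
        if reasons:
            flagged.append({"name": name, "exe": exe, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_O4_LINES):
        print(f"[{entry['name']}] {entry['exe']}")
        for reason in entry["reasons"]:
            print(f"    - {reason}")
```

The flags are a starting point for a human, not a verdict: a legitimate program can live under Application Data, and the name heuristic only catches the obviously generated strings. What the pass does reliably is order a 200-line log so that the three entries the helper later asked about come out first.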

Re: CiD:

Post by Blade81 » December 5th, 2007, 6:27 pm

1. Download this file: combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh hjt log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: CiD:

Post by Olle B » December 7th, 2007, 8:12 am

Thank you once again for your help.

Unfortunately your webpage does not accept files with the txt extension to be uploaded. I have therefore done as last time and copied the text from the Combofix logfile; I hope it will be okay.
Yours

Olle Bäcklund
-------------------

ComboFix 07-12-02.6 - Olle 2007-12-06 21:44:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.123 [GMT 1:00]
Running from: C:\Documents and Settings\Olle\Skrivbord\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ALEXANDER\Application Data\macromedia\Flash Player\#SharedObjects\W3P28QKC\iforex.com
C:\Documents and Settings\ALEXANDER\Application Data\macromedia\Flash Player\#SharedObjects\W3P28QKC\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\ALEXANDER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\ALEXANDER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Olle\Application Data\macromedia\Flash Player\#SharedObjects\52C2RTXF\iforex.com
C:\Documents and Settings\Olle\Application Data\macromedia\Flash Player\#SharedObjects\52C2RTXF\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Olle\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Olle\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\pack.epk
c:\WINDOWS\system32\ghpqjkklef.dat
c:\WINDOWS\system32\ghpqjkklef_nav.dat
C:\WINDOWS\system32\ghpqjkklef_navps.dat
C:\WINDOWS\system32\nvs2.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-04 23:07 . 2007-12-05 16:47 <KAT> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-04 22:47 . 2007-12-04 22:47 <KAT> d-------- C:\Program\Trend Micro
2007-12-01 00:07 . 2007-05-29 13:55 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-01 00:07 . 2007-05-29 13:55 10,592 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-01 00:07 . 2007-05-29 13:55 705 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-24 16:17 . 2007-11-24 16:17 <KAT> d-------- C:\Documents and Settings\ALEXANDER\Application Data\Sonic Solutions
2007-11-23 21:54 . 2007-11-23 21:56 <KAT> d-------- C:\Documents and Settings\MILENA\Application Data\Teleca
2007-11-23 21:54 . 2007-11-23 21:54 <KAT> d-------- C:\Documents and Settings\MILENA\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-05 21:22 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 21:22 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 21:22 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 21:22 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 21:22 --------- d-----w C:\Program\Symantec
2007-12-05 16:53 --------- d-----w C:\Program\Delade filer\Symantec Shared
2007-12-05 15:49 --------- d-----w C:\Documents and Settings\MILENA\Application Data\AdobeUM
2007-11-24 14:04 --------- d-----w C:\Program\Norton Internet Security
2007-11-08 15:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-08 15:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-30 18:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-30 18:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 18:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 18:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 18:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 18:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-30 18:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 18:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 18:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 18:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 18:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-23 18:36 40,733 ----a-w C:\WINDOWS\system32\rightonadz-uninst.exe
2007-10-03 14:18 33,511 ----a-w C:\WINDOWS\system32\ninjaext-uninstall.exe
2007-09-12 15:07 397,312 ----a-w C:\Documents and Settings\ALEXANDER\jogl.dll
2007-09-12 11:58 674,600 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-09-12 11:58 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-12 11:58 22,328 ----a-w C:\Documents and Settings\ALEXANDER\Application Data\PnkBstrK.sys
2007-07-19 12:58 22 ----a-w C:\Program\c.zip
2007-07-19 12:58 22 ----a-w C:\Program\b.zip
2007-07-19 12:56 22 ----a-w C:\Program\a.zip
2007-05-27 08:49 25,214 ----a-w C:\Program\B.ico
2007-05-27 08:49 25,214 ----a-w C:\Program\A.ico
2007-05-14 07:34 43,025 ----a-w C:\Documents and Settings\MILENA\Favoriter.zip
2003-06-20 02:05 49,776 ----a-w C:\WINDOWS\inf\usbhub20.sys
2003-06-20 02:05 24,752 ----a-w C:\WINDOWS\inf\hidclass.sys
2003-06-20 02:05 20,688 ----a-w C:\WINDOWS\inf\usbd.sys
2003-06-20 02:05 19,728 ----a-w C:\WINDOWS\inf\usbehci.sys
2003-06-20 02:05 138,288 ----a-w C:\WINDOWS\inf\usbport.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]
"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-18 11:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DataLayer"="C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31]
"PCSuiteTrayApplication"="C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:34 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-05-12 00:34 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:34 C:\WINDOWS\system32\rundll32.exe]
"Smapp"="C:\Program\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 07:57]
"DrvLsnr"="C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 10:34]
"COOL STYLE 01 TEAM"="C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\Readme Poke.exe" [2007-05-17 11:28]
"Net iD"="C:\WINDOWS\system32\iid.exe" [2007-03-15 09:11]
"ghpqjkklef"="c:\windows\system32\ghpqjkklef.exe" []
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41]
"ccApp"="C:\Program\Delade filer\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program\Norton Internet Security\osCheck.exe" [2007-01-14 00:11]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17]
"Symantec PIF AlertEng"="C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:34]

C:\Documents and Settings\Olle\Start-meny\Program\Autostart\
Storegate Autostore.lnk - C:\Program\Storegate\Autostore\AutoStore.exe [2007-05-10 06:34:28]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-22 15:58:01]
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
NETGEAR WG111T Smart Wizard.lnk - C:\Program\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2006-11-04 21:09:03]

R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
S3 jgameenp;jgameenp;\??\C:\DOCUME~1\ALEXAN~1\LOKALA~1\Temp\jgameenp.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-03 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Sök igenom datorn - Olle.job"
- C:\Program\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 21:49:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 21:50:27
.
--- E O F ---
Olle B
Regular Member
 
Posts: 15
Joined: November 26th, 2007, 6:09 pm

Re: CiD:

Post by Blade81 » December 7th, 2007, 12:34 pm

Hi

Unfortunately your webpage does not accept files with the txt extension to be uploaded. I have therefore done as last time and copied the text from the Combofix logfile; I hope it will be okay.

That's actually the way the logs should be posted. Not as an attachment but text pasted as a reply :)

Can you explain what the following files are?
C:\Program\c.zip
C:\Program\b.zip
C:\Program\a.zip
C:\Program\B.ico
C:\Program\A.ico

If not, upload them to http://www.virustotal.com and post back the results.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\ninjaext-uninstall.exe
C:\DOCUME~1\ALEXAN~1\LOKALA~1\Temp\jgameenp.sys

Folder::
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\

Driver::
jgameenp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COOL STYLE 01 TEAM"=-
"ghpqjkklef"=-



Save this as CFScript

[Image: dragging CFScript onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh hjt log (and Virustotal results).
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
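The Find3M report earlier in the thread lists a.zip, b.zip and c.zip at 22 bytes each. Added example, not from the thread and not from any of the tools used in it: a 22-byte ZIP can only be a bare End of Central Directory record, that is an archive with no members at all, and the check below confirms that locally and hashes the file, so the result can be compared with whatever VirusTotal reports, before anything is uploaded. It also separates a genuine empty archive from a file that merely carries a .zip extension. Every sample blob is constructed inside the block; no file from the thread is read.

```python
import hashlib
import io
import struct
import zipfile

# The End of Central Directory (EOCD) record is the one structure every ZIP
# must end with. With zero entries and no comment it is the whole file:
# 4-byte signature + 4 x uint16 + 2 x uint32 + uint16 comment length = 22 bytes.
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_FORMAT = "<4sHHHHIIH"
EOCD_SIZE = struct.calcsize(EOCD_FORMAT)   # 22


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; {} yields the bare EOCD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def is_bare_eocd(data):
    """True if data is nothing but a zero-entry EOCD record (the 22-byte empty ZIP)."""
    if len(data) != EOCD_SIZE or not data.startswith(EOCD_SIGNATURE):
        return False
    _sig, _disk, _cd_disk, here, total, cd_size, _cd_off, comment_len = \
        struct.unpack(EOCD_FORMAT, data)
    return here == total == cd_size == comment_len == 0


def inspect_zip(data):
    """Describe ZIP bytes: size, md5, member names, emptiness, and whether it parses at all."""
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "is_zip": False,
        "entries": None,
        "empty": False,
        "bare_eocd": is_bare_eocd(data),
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info["entries"] = zf.namelist()
    except zipfile.BadZipFile:
        return info            # extension says .zip, content says otherwise
    info["is_zip"] = True
    info["empty"] = info["entries"] == []
    return info


if __name__ == "__main__":
    # Constructed samples: an empty archive, a one-member archive, and a blob
    # that is not a ZIP (it starts with the "MZ" executable header instead).
    samples = {
        "empty.zip": build_zip({}),
        "one-file.zip": build_zip({"a.txt": b"hello"}),
        "not-a-zip.zip": b"MZ\x90\x00" + b"\x00" * 18,
    }
    for label, blob in samples.items():
        print(label, inspect_zip(blob))
```

Identical size plus identical hash across a.zip, b.zip and c.zip is exactly what an empty archive produces, since the bare EOCD record has no variable content; a file that is 22 bytes but fails the `is_bare_eocd` check or the `zipfile` parse is the case that still deserves the upload.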

Re: CiD:

Post by Olle B » December 12th, 2007, 6:09 pm

I have done three things:
1) Investigated the 3 zip-files & 2 ico-files and tested them with virustotal.com. The zip-files seem empty and the ico-files only contain two different Windows Media Player icons. The results from virustotal.com you will find below.
2) Run the script with Combofix; the result you will find below.
3) Then I sat down and had a look at what processes were running, and suddenly two processes started, ran for some 10 secs and then closed. They were called "LuCallbackProxy" and "Lucoms~1.exe". I thought I recognized them and looked them up with Symantec, which pointed at w32.beagle.GM. Could that be a lead?
-------------
The results from virustotal.com

ALL THREE ZIP-FILES GIVE THE SAME RESULT AS SHOWN BELOW.
File a.zip received on 11.14.2007 21:29:19 (CET)
MD5: 76cdb2bad9582d23c1f6f4d868218d6c
Datum 2007.11.14 21:29:19 (CET) [>26D]
Resultat 1/32
Permalink: http://www.virustotal.com/se/resultado. ... b28cb7e0fe

--------------------------------
(Result of b.zip)
MD5: 76cdb2bad9582d23c1f6f4d868218d6c
Datum 2007.11.14 21:29:19 (CET) [>26D]
Resultat 1/32
Permalink: http://www.virustotal.com/se/resultado. ... c976dae308

--------------------------------------
(Result of c.zip)
MD5: 76cdb2bad9582d23c1f6f4d868218d6c
Datum 2007.11.14 21:29:19 (CET) [>26D]
Resultat 1/32
Permalink: http://www.virustotal.com/se/resultado. ... 7e3a14bc7a

---------------------------------
(Result from A.ico)
MD5: 902dabc529fd4525cda1e8312c7bae1b
Datum 2007.12.10 22:42:40 (CET) [<1D]
Resultat 0/32
Permalink: http://www.virustotal.com/se/resultado. ... 544ce30b8c
-------------------------------------
(Result of B.ico)
MD5: 82af60ea9d04f8655e9091d257b57055
Datum 2007.12.10 23:05:54 (CET) [<1D]
Resultat 0/32
Permalink: http://www.virustotal.com/se/resultado. ... 13c0efc496

-------------------------------
-------------------------------

The Combofix log:
ComboFix 07-12-02.6 - Olle 2007-12-11 22:31:32.2 - NTFSx86
Running from: C:\Documents and Settings\Olle\Skrivbord\ComboFix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point

FILE
C:\DOCUME~1\ALEXAN~1\LOKALA~1\Temp\jgameenp.sys
C:\WINDOWS\system32\ninjaext-uninstall.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\\Bindbiasplus
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\\copy trans skip
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\\glue barb bias
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\\iso send gram
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\\Once Link Five
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\\OozeSetup.exe
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\\Readme Poke.exe
C:\WINDOWS\system32\ninjaext-uninstall.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_JGAMEENP
-------\jgameenp


((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-04 23:07 . 2007-12-05 16:47 <KAT> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-04 22:47 . 2007-12-04 22:47 <KAT> d-------- C:\Program\Trend Micro
2007-12-01 00:07 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-01 00:07 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-01 00:07 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-24 16:17 . 2007-11-24 16:17 <KAT> d-------- C:\Documents and Settings\ALEXANDER\Application Data\Sonic Solutions
2007-11-23 21:54 . 2007-11-23 21:56 <KAT> d-------- C:\Documents and Settings\MILENA\Application Data\Teleca
2007-11-23 21:54 . 2007-11-23 21:54 <KAT> d-------- C:\Documents and Settings\MILENA\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-11 17:10 --------- d-----w C:\Program\Delade filer\Symantec Shared
2007-12-08 19:58 --------- d-----w C:\Program\LimeWire
2007-12-05 21:22 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 21:22 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 21:22 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 21:22 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 21:22 --------- d-----w C:\Program\Symantec
2007-12-05 15:49 --------- d-----w C:\Documents and Settings\MILENA\Application Data\AdobeUM
2007-11-24 14:04 --------- d-----w C:\Program\Norton Internet Security
2007-11-08 15:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-08 15:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-30 18:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-30 18:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 18:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 18:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 18:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 18:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-30 18:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 18:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 18:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 18:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 18:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-09-12 15:07 397,312 ----a-w C:\Documents and Settings\ALEXANDER\jogl.dll
2007-09-12 11:58 674,600 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-09-12 11:58 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-12 11:58 22,328 ----a-w C:\Documents and Settings\ALEXANDER\Application Data\PnkBstrK.sys
2007-07-19 12:58 22 ----a-w C:\Program\c.zip
2007-07-19 12:58 22 ----a-w C:\Program\b.zip
2007-07-19 12:56 22 ----a-w C:\Program\a.zip
2007-05-27 08:49 25,214 ----a-w C:\Program\B.ico
2007-05-27 08:49 25,214 ----a-w C:\Program\A.ico
2007-05-14 07:34 43,025 ----a-w C:\Documents and Settings\MILENA\Favoriter.zip
2003-06-20 02:05 49,776 ----a-w C:\WINDOWS\inf\usbhub20.sys
2003-06-20 02:05 24,752 ----a-w C:\WINDOWS\inf\hidclass.sys
2003-06-20 02:05 20,688 ----a-w C:\WINDOWS\inf\usbd.sys
2003-06-20 02:05 19,728 ----a-w C:\WINDOWS\inf\usbehci.sys
2003-06-20 02:05 138,288 ----a-w C:\WINDOWS\inf\usbport.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-06_21.49.23,01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 09:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]
"swg"="C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-18 11:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DataLayer"="C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31]
"PCSuiteTrayApplication"="C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:34 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-05-12 00:34 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:34 C:\WINDOWS\system32\rundll32.exe]
"Smapp"="C:\Program\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 07:57]
"DrvLsnr"="C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 10:34]
"Net iD"="C:\WINDOWS\system32\iid.exe" [2007-03-15 09:11]
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41]
"ccApp"="C:\Program\Delade filer\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program\Norton Internet Security\osCheck.exe" [2007-01-14 00:11]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17]
"Symantec PIF AlertEng"="C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:34]

C:\Documents and Settings\Olle\Start-meny\Program\Autostart\
Storegate Autostore.lnk - C:\Program\Storegate\Autostore\AutoStore.exe [2007-05-10 06:34:28]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-22 15:58:01]
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
NETGEAR WG111T Smart Wizard.lnk - C:\Program\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2006-11-04 21:09:03]

R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{972a83c4-771a-11db-97c9-000fb536df7f}]
\Shell\access\command - Secured_Area.exe
\Shell\AutoRun\command - Secured_Area.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-03 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Sök igenom datorn - Olle.job"
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 22:45:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-11 22:48:57 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-06 21:50
.
--- E O F ---
Olle B
Regular Member
 
Posts: 15
Joined: November 26th, 2007, 6:09 pm

Re: CiD:

Unread postby Blade81 » December 13th, 2007, 2:55 am

Hi

3) Then I sat down and had a look at what processes were running and suddenly two processes started, ran for some 10 secs and then closed. They were called "LuCallbackProxy" and "Lucoms~1.exe". I thought I recognized them and looked them up with Symantec which pointed at w32.beagle.GM. Could that be a lead?

Both are legal. The Lucoms~1.exe process belongs to the Symantec LiveUpdate Server and LuCallbackProxy to the Symantec Update Module.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: CiD:

Unread postby Olle B » December 17th, 2007, 5:25 am

Hi

I have run Eset and HijackThis and below you will find the logs. I did not see any ads popping up during the session but I have not watched it carefully I must admit. I also had a look in the start-up file without finding anything.

Eset log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2725 (20071216)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=2e76f370d81ee844ae51067c30d783b1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-12-16 10:41:17
# local_time=2007-12-16 11:41:17 (+0100, Västeuropa, normaltid)
# country="Sweden"
# osver=5.1.2600 NT Service Pack 2
# scanned=235636
# found=6
# scan_time=3786
C:\Documents and Settings\ALEXANDER\Application Data\toolbookdumb\copywavemove.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ALEXANDER\Application Data\toolbookdumb\mnwupxji.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ALEXANDER\Application Data\toolbookdumb\WaitRegsGlobalData.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\DANIEL\Application Data\toolbookdumb\qucitctw.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\c\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\OozeSetup.exe.vir Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\c\Documents and Settings\All Users\Application Data\Peakfragcoolstyle\Readme Poke.exe.vir Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000


HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:16:03, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Storegate\Autostore\AutoStoreSvc.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program\Analog Devices\SoundMAX\SMTray.exe
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\iid.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program\Storegate\Autostore\AutoStore.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... _homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [DataLayer] C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Storegate Autostore.lnk = C:\Program\Storegate\Autostore\AutoStore.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://visma.storegate.se/user/Files/C ... oader4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Autostore - Storegate AB - C:\Program\Storegate\Autostore\AutoStoreSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10063 bytes
Olle B
Regular Member
 
Posts: 15
Joined: November 26th, 2007, 6:09 pm
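
The ESET log in the post above has two parts: `#` header lines of the form key=value (including the declared `found` count) and one line per detection carrying the path, the threat name, the action taken in parentheses and a 32-digit column. As an added example (not code from this thread or from ESET), here is a small Python parser for that layout that cross-checks the header's `found` count against the number of detection lines and separates hits under ComboFix's `C:\qoobox\Quarantine` folder (copies of files already removed from their original location) from hits that are still in place. The sample log inside is constructed from the posted one and shortened; treating the first token containing `/` as the start of the threat name, and `a variant of` as an optional prefix, are assumptions about ESET's naming, not something the log documents.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the ESET Online Scanner log posted above
# (shortened; the trailing 32-digit column is kept as it appears there).
SAMPLE_LOG = """\
# version=4
# end=finished
# remove_checked=true
# unwanted_checked=true
# osver=5.1.2600 NT Service Pack 2
# scanned=235636
# found=3
# scan_time=3786
C:\\Documents and Settings\\ALEXANDER\\Application Data\\toolbookdumb\\copywavemove.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\Documents and Settings\\DANIEL\\Application Data\\toolbookdumb\\qucitctw.exe a variant of Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\qoobox\\Quarantine\\c\\Documents and Settings\\All Users\\Application Data\\Peakfragcoolstyle\\OozeSetup.exe.vir Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# ComboFix moves what it removes under this folder (visible in the posted log);
# hits there are copies of files already taken out of their original location.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# <path and threat name> (<action>) <32 hex digits>. The action group cannot
# contain parentheses, so a "(x86)" inside a path does not confuse the match.
DETECTION_RE = re.compile(
    r"^(?P<body>.+?)\s+\((?P<action>[^()]*)\)\s+(?P<digest>[0-9a-fA-F]{32})$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    digest: str

    @property
    def quarantined(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIX)

    @property
    def removed(self) -> bool:
        # ESET reports what it did in the parenthesised action column.
        return "deleted" in self.action or "cleaned" in self.action


def parse_detection(line: str) -> Detection:
    m = DETECTION_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a detection line: {line!r}")
    tokens = m.group("body").split(" ")
    # Windows paths never contain '/', while ESET threat names do (Win32/...),
    # so the first token containing '/' starts the threat name (assumption).
    # ESET sometimes prefixes a name with "a variant of"; keep that in the name.
    idx = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if idx is None:
        raise ValueError(f"no threat name found in: {line!r}")
    if idx >= 3 and tokens[idx - 3:idx] == ["a", "variant", "of"]:
        idx -= 3
    return Detection(
        path=" ".join(tokens[:idx]),
        threat=" ".join(tokens[idx:]),
        action=m.group("action"),
        digest=m.group("digest"),
    )


def parse_log(text: str) -> dict:
    """Split header from detections and summarise what is live vs. quarantined."""
    header = {}
    detections = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip()
        else:
            detections.append(parse_detection(line))
    declared = int(header.get("found", "0"))
    return {
        "scanned": int(header.get("scanned", "0")),
        "declared_found": declared,
        # A mismatch means the log was truncated or edited before posting.
        "count_matches_header": declared == len(detections),
        "live": [d for d in detections if not d.quarantined],
        "quarantined": [d for d in detections if d.quarantined],
        "not_removed": [d for d in detections if not d.removed],
    }


if __name__ == "__main__":
    summary = parse_log(SAMPLE_LOG)
    print(f"scanned {summary['scanned']}, declared {summary['declared_found']}, "
          f"header consistent: {summary['count_matches_header']}")
    for d in summary["live"]:
        print("LIVE      ", d.threat, "->", d.path)
    for d in summary["quarantined"]:
        print("QUARANTINE", d.threat, "->", d.path)
```

Run against the posted log, the same split shows four hits under the users' `toolbookdumb` folders and two `.vir` copies that ComboFix had already quarantined, which is the distinction a helper reading the log wants before deciding whether anything active remains.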

Re: CiD:

Unread postby Blade81 » December 17th, 2007, 11:06 am

Hi

Delete c:\qoobox & c:\combofix folders (if found) and combofix.exe file on your desktop.


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Download Adaware
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial.
    The program is available for download here.
  • Download Spybot
    Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
    To see how to set this up as well as more Spybot features, see here.
    Spybot can be downloaded at this location.
  • Download SpywareBlaster
    SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster here.
    SpywareBlaster tutorial
  • Download iespyad
    It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use JavaScript and cookies).
    If you need help understanding how it works, there is a tutorial here.
    Download it here.
  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, it is used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate DNS Client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from Automatic to Manual.
    7. Click OK

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one unless your Norton has a firewall.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade 8)
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
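
The hosts-file item in the post above says the file is consulted to locate webpages and can be customised so that certain pages are blocked. As an added example (not from the thread or from the hosts-file project the post links to), here is a Python reading of how a resolver treats that file: `#` starts a comment, a line maps one address to one or more names, names are matched case-insensitively, the first matching line wins, and a block list works by pinning a name to `0.0.0.0` or a loopback address so that no request ever leaves the machine. The sample file and its `.invalid` names are constructed; the malformed line and the duplicated name are there to show how such lines are handled.

```python
import ipaddress

# Constructed sample with the shape of a blocking hosts file: the usual
# localhost line, names pointed at 0.0.0.0 or 127.0.0.1, a comment, an inline
# comment, a malformed line, and a name that appears twice. All host names are
# made-up .invalid names.
SAMPLE_HOSTS = """\
# comment line: a resolver skips this

127.0.0.1       localhost
0.0.0.0         ads.example.invalid          # inline comment
0.0.0.0         tracker.example.invalid www.tracker.example.invalid
127.0.0.1       Popups.Example.Invalid
0.0.0.0         first.example.invalid
notanaddress    bad.example.invalid
192.0.2.10      intranet.example.invalid
192.0.2.5       first.example.invalid
"""


def parse_hosts(text):
    """Return [(ip_address, [lowercased names]), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and padding
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # resolver ignores malformed lines
        entries.append((addr, [n.lower() for n in parts[1:]]))
    return entries


def lookup(text, hostname):
    """Address the hosts file gives for hostname, or None (DNS would be asked)."""
    name = hostname.lower().rstrip(".")
    for addr, names in parse_hosts(text):
        if name in names:
            return str(addr)                   # first matching line wins
    return None


def is_blocked(text, hostname):
    """True when the name is pinned to the local machine (0.0.0.0 or a loopback
    address), which is the convention block lists use. Note that localhost
    itself satisfies this test, so check the names you actually care about."""
    addr = lookup(text, hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


if __name__ == "__main__":
    for host in ("ads.example.invalid", "intranet.example.invalid",
                 "first.example.invalid", "unknown.example.invalid"):
        print(f"{host:28} -> {lookup(SAMPLE_HOSTS, host)!s:12} "
              f"blocked={is_blocked(SAMPLE_HOSTS, host)}")
```

The duplicated `first.example.invalid` entry is the point of the first-match rule: the blocking line that comes first is the one that takes effect, which is why a downloaded block list is normally appended below the stock entries rather than mixed into them.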

Re: CiD:

Unread postby Olle B » December 19th, 2007, 8:53 am

Hi

I hope I will not disappoint you too much by saying that the ads are still popping up... :cry:
Any more suggestions?

/ Olle
Olle B
Regular Member
 
Posts: 15
Joined: November 26th, 2007, 6:09 pm

Re: CiD:

Unread postby Blade81 » December 19th, 2007, 3:00 pm

No problem :)

Please Download NoLop to your desktop.
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled Search and Destroy
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the REBOOT Button.
  • A Message should pop up from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, mscomctl.ocx or one of its dependencies are not correctly registered, please download mscomctl.ocx to your system32 folder then rerun the program.--
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: CiD:

Unread postby Olle B » December 21st, 2007, 4:58 am

Hi,

I have run NoLop and it seemed to have found something. Both the NoLop log and the log from HijackThis are found below.

While looking for the NoLop webpage I ran into this page concerning someone else also having problems with CiD, I hope it can be of some help.
http://forum.tweakxp.com/forum/Topic222 ... x#bm222400

If I do not talk to you soon again I once again would like to thank you for your help and wish you a very Merry Christmas!
/ Olle

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Olle\Skrivbord
[2007-12-20]
[23:39:45]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AFC869CA91CFE466.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Ajr\Application Data\Google
C:\Documents and Settings\Ajr\Application Data\Identities
C:\Documents and Settings\Ajr\Application Data\Iid
C:\Documents and Settings\Ajr\Application Data\Limewire
C:\Documents and Settings\Ajr\Application Data\Macromedia
C:\Documents and Settings\Ajr\Application Data\Microsoft
C:\Documents and Settings\Ajr\Application Data\Pc Suite
C:\Documents and Settings\Ajr\Application Data\Sun
C:\Documents and Settings\Alexander\Application Data\Adobe
C:\Documents and Settings\Alexander\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Alexander\Application Data\Ati
C:\Documents and Settings\Alexander\Application Data\Bittorrent
C:\Documents and Settings\Alexander\Application Data\Datalayer
C:\Documents and Settings\Alexander\Application Data\Google
C:\Documents and Settings\Alexander\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Alexander\Application Data\Identities
C:\Documents and Settings\Alexander\Application Data\Iid
C:\Documents and Settings\Alexander\Application Data\Lavasoft
C:\Documents and Settings\Alexander\Application Data\Macromedia
C:\Documents and Settings\Alexander\Application Data\Microsoft
C:\Documents and Settings\Alexander\Application Data\Nokia
C:\Documents and Settings\Alexander\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Alexander\Application Data\Pc Suite
C:\Documents and Settings\Alexander\Application Data\Real
C:\Documents and Settings\Alexander\Application Data\Screenshot Sender
C:\Documents and Settings\Alexander\Application Data\Sonic Solutions
C:\Documents and Settings\Alexander\Application Data\Souptoys -- EMPTY Directory
C:\Documents and Settings\Alexander\Application Data\Sun
C:\Documents and Settings\Alexander\Application Data\Teamspeak2
C:\Documents and Settings\Alexander\Application Data\Teleca
C:\Documents and Settings\Alexander\Application Data\Tific
C:\Documents and Settings\Alexander\Application Data\Toolbookdumb
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Ball Mapi Owns Ping
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Souptoys
C:\Documents and Settings\All Users\Application Data\Spcs
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Teleca
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Daniel\Application Data\Adobe
C:\Documents and Settings\Daniel\Application Data\Ati
C:\Documents and Settings\Daniel\Application Data\Google
C:\Documents and Settings\Daniel\Application Data\Identities
C:\Documents and Settings\Daniel\Application Data\Iid
C:\Documents and Settings\Daniel\Application Data\Limewire
C:\Documents and Settings\Daniel\Application Data\Macromedia
C:\Documents and Settings\Daniel\Application Data\Microsoft
C:\Documents and Settings\Daniel\Application Data\Pc Suite
C:\Documents and Settings\Daniel\Application Data\Real
C:\Documents and Settings\Daniel\Application Data\Souptoys -- EMPTY Directory
C:\Documents and Settings\Daniel\Application Data\Sun
C:\Documents and Settings\Daniel\Application Data\Teleca
C:\Documents and Settings\Daniel\Application Data\Toolbookdumb
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Milena\Application Data\Adobe
C:\Documents and Settings\Milena\Application Data\Adobeum
C:\Documents and Settings\Milena\Application Data\Ati
C:\Documents and Settings\Milena\Application Data\Google
C:\Documents and Settings\Milena\Application Data\Identities
C:\Documents and Settings\Milena\Application Data\Iid
C:\Documents and Settings\Milena\Application Data\Limewire
C:\Documents and Settings\Milena\Application Data\Macromedia
C:\Documents and Settings\Milena\Application Data\Microsoft
C:\Documents and Settings\Milena\Application Data\Pc Suite
C:\Documents and Settings\Milena\Application Data\Real
C:\Documents and Settings\Milena\Application Data\Sun
C:\Documents and Settings\Milena\Application Data\Teleca
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Olle\Application Data\Adobe
C:\Documents and Settings\Olle\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Olle\Application Data\Ati
C:\Documents and Settings\Olle\Application Data\Google
C:\Documents and Settings\Olle\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Olle\Application Data\Identities
C:\Documents and Settings\Olle\Application Data\Iid
C:\Documents and Settings\Olle\Application Data\Lavasoft
C:\Documents and Settings\Olle\Application Data\Macromedia
C:\Documents and Settings\Olle\Application Data\Microsoft
C:\Documents and Settings\Olle\Application Data\Pc Suite
C:\Documents and Settings\Olle\Application Data\Real
C:\Documents and Settings\Olle\Application Data\Sun
C:\Documents and Settings\Olle\Application Data\Symantec
C:\Documents and Settings\Olle\Application Data\Teleca
C:\Documents and Settings\Olle\Application Data\Toolbookdumb
C:\Documents and Settings\Spel\Application Data\Google
C:\Documents and Settings\Spel\Application Data\Identities
C:\Documents and Settings\Spel\Application Data\Iid
C:\Documents and Settings\Spel\Application Data\Macromedia
C:\Documents and Settings\Spel\Application Data\Microsoft
C:\Documents and Settings\Spel\Application Data\Pc Suite

------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:36:08, on 2007-12-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Storegate\Autostore\AutoStoreSvc.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program\Analog Devices\SoundMAX\SMTray.exe
C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\iid.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program\Storegate\Autostore\AutoStore.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Sony Ericsson\Mobile2\Connection Wizard\ConnectionWizard.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [DataLayer] C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Owns Ping Ante Admin] C:\Documents and Settings\All Users\Application Data\Ball mapi owns ping\Send This.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [funkmeet] C:\DOCUME~1\Olle\APPLIC~1\TOOLBO~1\copywavemove.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Storegate Autostore.lnk = C:\Program\Storegate\Autostore\AutoStore.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://visma.storegate.se/user/Files/C ... oader4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Autostore - Storegate AB - C:\Program\Storegate\Autostore\AutoStoreSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10268 bytes
Olle B
Regular Member
 
Posts: 15
Joined: November 26th, 2007, 6:09 pm

Re: CiD:

Unread postby Blade81 » December 21st, 2007, 3:46 pm

Hi Olle

Looks like we're making progress here :)


Start hjt, click do a system scan only, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Owns Ping Ante Admin] C:\Documents and Settings\All Users\Application Data\Ball mapi owns ping\Send This.exe
O4 - HKCU\..\Run: [funkmeet] C:\DOCUME~1\Olle\APPLIC~1\TOOLBO~1\copywavemove.exe

Close browsers & other windows. Fix checked.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete following folders if found:
C:\Documents and Settings\Alexander\Application Data\Toolbookdumb
C:\Documents and Settings\All Users\Application Data\Ball Mapi Owns Ping
C:\Documents and Settings\Daniel\Application Data\Toolbookdumb
C:\Documents and Settings\Olle\Application Data\Toolbookdumb


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems


Merry Christmas to you too! :santa:
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
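As an added illustration (not code from this thread or from HijackThis itself), a small Python script that parses HijackThis-format lines and applies the same three heuristics the helper used to pick the entries to fix above: an empty Start Page value, a BHO whose DLL is missing, and Run entries that launch from a user profile's Application Data folder. The sample lines are constructed to mirror the posted log; the function names are my own.

```python
import re

# Constructed sample in HijackThis log format, mirroring the entries in the posted log:
# the four lines the helper chose to fix plus four benign ones for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Owns Ping Ante Admin] C:\Documents and Settings\All Users\Application Data\Ball mapi owns ping\Send This.exe
O4 - HKCU\..\Run: [funkmeet] C:\DOCUME~1\Olle\APPLIC~1\TOOLBO~1\copywavemove.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# A HijackThis entry line starts with its section code (R0, O2, O4, O23, ...).
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Per-user profile data folders, in long form and in the 8.3 short form HijackThis prints.
PROFILE_DATA_RE = re.compile(r"\\(Application Data|APPLIC~1)\\", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs for every entry line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Apply the thread's three heuristics; return (section, reason, body) for each hit."""
    findings = []
    for section, body in entries:
        if section == "R0" and body.endswith("Start Page ="):
            findings.append((section, "Start Page value is empty", body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO is registered but its DLL is missing", body))
        elif section == "O4" and "Run:" in body and "] " in body:
            command = body.split("] ", 1)[1]  # text after the [name] label
            if PROFILE_DATA_RE.search(command):
                findings.append((section, "autorun launches from a user-writable profile data folder", body))
    return findings


def to_hjt_lines(findings):
    """Rebuild the exact lines to tick in 'Do a system scan only' before 'Fix checked'."""
    return [f"{section} - {body}" for section, _reason, body in findings]


if __name__ == "__main__":
    for line in to_hjt_lines(triage(parse_hjt(SAMPLE_LOG))):
        print(line)
```

Running it on the constructed sample prints exactly the four lines the helper listed; the Symantec and ctfmon autoruns are left alone because they run from program and system directories.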

Re: CiD:

Unread postby NonSuch » December 30th, 2007, 3:30 am

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California