Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 8th, 2008, 11:13 pm

Hello All. This is my first post and I hope you will be patient with me as I try and determine if my computer has a malware infection. I am getting my homepage redirected to a Chinese website hxxp ://www.3929.cn .... despite repeated attempts to remove the site and change it back to my original homepage, once the dialup service is accessed it automatically opens to the Chinese website once again.

Can someone please review the HijackThis text below and advise? Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:36 PM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlipStream Web Accelerator\slipcore.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\SlipStream Web Accelerator\slipgui.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\HISurfer\dialer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.3929.cn?tn=102720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: SlipStream - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\SlipStream Web Accelerator\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\SlipStream Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A00F441462F.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F441462F.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: SlipStream.lnk = C:\Program Files\SlipStream Web Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 10806 bytes
Last edited by Shaba on November 10th, 2008, 5:36 am, edited 1 time in total.
Reason: link disabled
OU_Packfan
Active Member
 
Posts: 11
Joined: November 8th, 2008, 9:53 pm
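A triage pass over the kind of HijackThis log posted above, as an added example for this page (it is not code from the thread, from MalwareRemoval.com, or from HijackThis/Trend Micro). It flags the four things an analyst looks at first in this log: the R0 Start Page pointing at a host that is not an Internet Explorer default, the HKCU ProxyServer entry, the HKCU Run entry that launches a randomly named executable from the Administrator's Temp folder, and the O17 NameServer entries. The allowlist of default hosts, the Temp-path markers and the finding categories are assumptions made for the example; the sample lines are copied from the log in the post.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the
thread or from HijackThis itself).

It flags the entries a volunteer analyst checks first:
  * R0/R1 start/search pages whose host is not on a known-good allowlist
  * a user-level HTTP proxy (reported for confirmation, not as malware)
  * O4 autorun entries that launch an executable from a Temp directory
  * O17 NameServer overrides (reported so the DNS servers can be verified)
The allowlist, the Temp-path markers and the finding categories are this
example's assumptions, not HijackThis conventions.
"""
import re
from urllib.parse import urlsplit

# Hosts treated as expected Internet Explorer defaults (assumption).
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

# Lower-cased path fragments that place an executable under a Temp folder,
# in both long and DOS 8.3 short form (e.g. C:\DOCUME~1\...\LOCALS~1\Temp).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\temp")

# "R0 - HKCU\...\Main,Start Page = http://example"  ->  kind, key, name, value
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
# "O4 - HKCU\..\Run: [label] command"               ->  hive, label, command
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
# "O17 - HKLM\...: NameServer = a.b.c.d e.f.g.h"    ->  servers
O17_LINE = re.compile(r"^O17 - .*: NameServer = (.*)$")

PAGE_VALUES = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}


def host_of(value: str) -> str:
    """Return the host of a URL as HijackThis prints it; the value may lack a scheme."""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def triage(lines):
    """Return (category, detail) findings for the given HijackThis log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _kind, _key, name, value = m.groups()
            if name in PAGE_VALUES:
                host = host_of(value)
                if host and host not in KNOWN_GOOD_HOSTS:
                    findings.append(("browser_hijack", f"{name} -> {host}"))
            elif name == "ProxyServer":
                findings.append(("local_proxy", value))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, label, command = m.groups()
            if any(marker in command.lower() for marker in TEMP_MARKERS):
                findings.append(("temp_autorun", f"{hive} [{label}] {command}"))
            continue
        m = O17_LINE.match(line)
        if m:
            findings.append(("dns_override", m.group(1)))
    return findings


# Sample lines copied from the HijackThis log posted above; the rest of the
# log is omitted so the example stays short.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.3929.cn?tn=102720
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKCU\..\Run: [A00F441462F.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F441462F.exe
O4 - Startup: PowerReg Scheduler.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{category:15} {detail}")
```

The proxy and DNS findings are reports, not verdicts: a loopback proxy such as 127.0.0.1:5400 is consistent with a web accelerator like the SlipStream product that also appears in this log (its ProxyOverride list names the update hosts it bypasses), and should be confirmed by checking which process listens on that port; the NameServer addresses need checking against the dial-up ISP's servers. The Run entry launching an executable from the Temp folder is the strongest indicator in the first log, and it is absent from the HijackThis log posted after the ComboFix run.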

Re: Possible malware infection....can someone please have a look

Unread postby Shaba » November 10th, 2008, 5:37 am

Hi OU_Packfan

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 11th, 2008, 1:13 am

Thanks Shaba......

ComboFix 08-11-10.01 - Administrator 2008-11-10 23:51:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-10 18:04 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-08 20:48 . 2008-11-08 20:48 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 23:38 . 2008-11-07 23:38 <DIR> d-------- c:\windows\LastGood
2008-11-07 23:38 . 2008-11-07 23:50 <DIR> d-------- c:\program files\Panda Security
2008-11-07 02:00 . 2008-11-07 02:00 142 --a------ c:\windows\system32\spupdsvc.inf
2008-10-22 22:26 . 2008-10-22 22:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sammsoft
2008-10-22 22:25 . 2008-10-22 22:25 <DIR> d-------- c:\program files\AskBarDis
2008-10-22 22:25 . 2008-10-22 22:25 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2008-10-22 20:59 . 2008-10-22 20:59 <DIR> d-------- c:\program files\Lavasoft
2008-10-22 20:59 . 2008-10-22 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-14 12:39 . 2008-10-14 12:39 <DIR> d-------- c:\program files\Windows Sidebar
2008-10-14 12:38 . 2008-10-14 20:20 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-14 12:38 . 2008-10-14 20:20 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-10-14 12:38 . 2008-10-14 20:20 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-14 12:38 . 2008-10-14 20:20 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-10-14 12:37 . 2008-10-14 20:20 <DIR> d-------- c:\program files\Symantec
2008-10-14 12:37 . 2008-10-14 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-10-13 19:41 . 2008-10-13 19:41 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 04:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-11 04:33 --------- d-----w c:\documents and settings\Administrator\Application Data\SlipStream
2008-11-07 07:02 --------- d-----w c:\program files\Norton 360
2008-10-28 02:40 --------- d-----w c:\program files\palmOne
2008-10-16 07:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-14 17:42 --------- d-----w c:\documents and settings\Administrator\Application Data\Symantec
2008-10-04 06:24 --------- d-----w c:\program files\iTunes
2008-10-04 06:24 --------- d-----w c:\program files\iPod
2008-10-04 06:24 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 06:23 --------- d-----w c:\program files\Bonjour
2008-10-04 06:22 --------- d-----w c:\program files\QuickTime
2008-10-04 06:22 --------- d-----w c:\program files\Common Files\Apple
2008-10-04 01:38 --------- d-----w c:\program files\Apple Software Update
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-22 00:01 --------- d-----w c:\program files\GameSpy Arcade
2008-09-21 23:59 --------- d-----w c:\program files\directx
2008-09-21 23:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-21 23:43 --------- d-----w c:\program files\Infogrames Interactive
2007-05-04 11:13 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-05-04 11:13 16,384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-05-04 11:13 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 14:20 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SlipStream"="c:\program files\SlipStream Web Accelerator\slipcore.exe" [2006-01-19 253952]
"BarbieGirlsTray"="c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [2007-03-14 24576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-05 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"IE7-11"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]
PowerReg Scheduler.exe [2007-10-13 233472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office97\Office\OSA.EXE [1997-08-05 51984]
SlipStream.lnk - c:\program files\SlipStream Web Accelerator\slipgui.exe [2007-09-27 159744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 iwbsv;iwbsv;c:\windows\system32\drivers\iwbsv.sys [2007-04-27 28352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

*Newly Created Service* - CISVC
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.3929.cn?tn=102720
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 -: HKCU-Internet Settings,ProxyOverride = <local>;127.0.0.1:5400;*update.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;*.phobos.apple.com;update.adobe.com;localhost
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 -: Show All Original Images - c:\program files\SlipStream Web Accelerator\gui_resource.dll/327
O8 -: Show Original Image - c:\program files\SlipStream Web Accelerator\gui_resource.dll/328
O17 -: HKLM\CCS\Interface\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 23:56:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 0:02:12
ComboFix-quarantined-files.txt 2008-11-11 05:01:52

Pre-Run: 58,102,812,672 bytes free
Post-Run: 58,246,508,544 bytes free

164 --- E O F --- 2008-11-07 07:00:38




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:50 AM, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlipStream Web Accelerator\slipcore.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\SlipStream Web Accelerator\slipgui.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: SlipStream - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\SlipStream Web Accelerator\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\SlipStream Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: SlipStream.lnk = C:\Program Files\SlipStream Web Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 10056 bytes
OU_Packfan
Active Member
 
Posts: 11
Joined: November 8th, 2008, 9:53 pm

Re: Possible malware infection....can someone please have a look

Unread postby Shaba » November 11th, 2008, 9:33 am

Have you set this proxy server for IE?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 11th, 2008, 1:03 pm

Hi Shaba,

That proxy server setting is used when my SlipStream accelerator program is enabled to speed my dial-up connection along. When SlipStream is disabled the following line in the HijackThis scan disappears:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

I wonder if the Ask toolbar is problematic? It tried to be my toolbar default. I think it came in when I downloaded CCleaner. I would like to get rid of it as I don't want it to be in my system.

I should also tell you that Norton 360 found a few tracking cookies, three Trojan Horse viruses and Trojan.Vundo on the 23rd of Oct 2008 (Norton indicated it affected 4 processes, 7 files, 1 service and 129 registry entries, including Program Files\Internet Explorer\iexplore.exe and Windows\System32\rundll.exe). I assume it removed them, but I do not know if it has the ability to repair the changes/damage they have done to my system (Norton is also not specific as to the type of Trojan Horse viruses it uncovered). I downloaded FixVundo and it said it did not detect Vundo, perhaps because it had been removed by Norton 360.

Here is the latest Hijack scan result with Slipstream disabled.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:05 AM, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlipStream Web Accelerator\slipcore.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\SlipStream Web Accelerator\slipgui.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HISurfer\dialer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.3929.cn?tn=102720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: SlipStream - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\SlipStream Web Accelerator\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\SlipStream Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: SlipStream.lnk = C:\Program Files\SlipStream Web Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 9767 bytes
OU_Packfan
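Shaba's question about the 127.0.0.1:5400 proxy and the reply above come down to one check a helper would actually run: which process is listening on that port, and is it the program the user thinks it is? The script below is an added example, not code from this thread or from SlipStream. It reads the text output of the Windows commands `netstat -ano` and `tasklist /fo csv`; the sample output embedded in it is constructed, and naming slipcore.exe as the listener is an assumption taken from OU_Packfan's statement that SlipStream sets that proxy, not something the log proves.

```python
"""Check which process owns a loopback proxy listener such as 127.0.0.1:5400.

Added example, not code from the thread. It reads the text output of the
Windows commands `netstat -ano` and `tasklist /fo csv`; the sample output
below is constructed, and naming slipcore.exe as the listener is an assumption
taken from OU_Packfan's statement that SlipStream sets that proxy.
"""
import csv
import io
import re
import subprocess

# Constructed sample output of `netstat -ano` (not captured from the poster's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:5400         0.0.0.0:0              LISTENING       1744
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    192.168.1.5:1053       64.136.173.5:80        ESTABLISHED     2208
"""

# Constructed sample output of `tasklist /fo csv`.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Console","0","4,320 K"
"slipcore.exe","1744","Console","0","9,812 K"
"iexplore.exe","2208","Console","0","31,004 K"
'''

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def parse_proxy_setting(value):
    """'http=127.0.0.1:5400' or '127.0.0.1:5400' -> ('127.0.0.1', 5400).

    A multi-protocol value ('http=a:1;https=b:2') yields its first entry.
    """
    first = value.strip().split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    host, port = first.rsplit(":", 1)
    return host, int(port)


def listeners(netstat_text):
    """{(local_ip, port): pid} for every TCP socket in LISTENING state."""
    result = {}
    for local, pid in LISTEN_RE.findall(netstat_text):
        ip, port = local.rsplit(":", 1)          # also handles [::]:port
        result[(ip.strip("[]"), int(port))] = int(pid)
    return result


def pid_to_image(tasklist_text):
    """{pid: image name} from tasklist's CSV output."""
    rows = csv.DictReader(io.StringIO(tasklist_text))
    return {int(r["PID"]): r["Image Name"] for r in rows}


def owner_of_proxy(proxy_value, netstat_text, tasklist_text):
    """Image name of the process listening on the configured proxy, or None
    when nothing listens there (a dangling proxy setting that breaks browsing)."""
    ip, port = parse_proxy_setting(proxy_value)
    pid = listeners(netstat_text).get((ip, port))
    if pid is None:
        return None
    return pid_to_image(tasklist_text).get(pid, f"pid {pid} (not in tasklist)")


def run_live(proxy_value):
    """Same check against the running machine (Windows only)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True).stdout
    return owner_of_proxy(proxy_value, ns, tl)


if __name__ == "__main__":
    print(owner_of_proxy("http=127.0.0.1:5400", SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

If the image name that comes back is not the accelerator's own executable, or nothing is listening at all while the ProxyServer value is still set, that is the point at which the proxy entry itself becomes a finding rather than a side effect of SlipStream.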

Re: Possible malware infection....can someone please have a look

Unread postby Shaba » November 11th, 2008, 1:42 pm

Open notepad and copy/paste the text in the codebox below into it:

Code:
Folder::
C:\Program Files\AskBarDis

Registry::
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.3929.cn?tn=102720
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also which process you had to end.
Shaba
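The two steps this thread turns on, reading the HijackThis log OU_Packfan posted and turning the hits into the Folder:: / Registry:: script Shaba wrote above, can be scripted so that the same checks are applied every time. The block below is an added example and is not code from MalwareRemoval.com, HijackThis or ComboFix. Its SAMPLE_LOG is a constructed subset of the log posted above; the three allowlists (TRUSTED_START_HOSTS, UNWANTED_FOLDERS, KNOWN_LOCAL_PROXY_APPS) are assumptions chosen for illustration, not lists the tools ship with. It only drafts the script: the loopback proxy and the O17 name servers are reported for a human to judge, as Shaba did, rather than removed automatically.

```python
"""Triage a HijackThis (HJT) log and draft a ComboFix CFScript from the hits.

Added example for this thread, not code from MalwareRemoval.com, HijackThis or
ComboFix. SAMPLE_LOG is a constructed subset of the log OU_Packfan posted; the
allowlists below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.3929.cn?tn=102720
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\SlipStream Web Accelerator\slipcore.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
"""

# Assumption: a start page on one of these hosts is treated as an expected default.
TRUSTED_START_HOSTS = ("go.microsoft.com", "www.msn.com")
# Assumption: add-ons loaded from these folders are treated as unwanted.
UNWANTED_FOLDERS = (r"C:\Program Files\AskBarDis",)
# Assumption: Run entries that legitimately install a loopback proxy (the user says SlipStream does).
KNOWN_LOCAL_PROXY_APPS = ("slipcore.exe",)

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - .*$")


@dataclass
class Finding:
    kind: str   # hijacked_start_page | loopback_proxy | unwanted_addon | dns_override
    line: str   # the HJT line exactly as logged, so it can be pasted into a CFScript
    note: str   # what a human should look at


def parse_log(text):
    """Return (section, line) pairs for every R*/O* line in the log."""
    out = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            out.append((m.group("sec"), raw.strip()))
    return out


def host_of(url):
    """Host part of a URL as written in an HJT R0/R1 line (scheme optional)."""
    url = re.sub(r"^[a-z]+://", "", url.strip().lower())
    return re.split(r"[/?:]", url, maxsplit=1)[0]


def triage(text):
    entries = parse_log(text)
    run_entries = [line for sec, line in entries if sec == "O4"]
    findings = []
    for sec, line in entries:
        if sec == "R0" and "Start Page" in line:
            host = host_of(line.split("=", 1)[1])
            if host not in TRUSTED_START_HOSTS:
                findings.append(Finding("hijacked_start_page", line, host))
        elif sec == "R1" and "ProxyServer" in line:
            value = line.split("=", 1)[1]
            if re.search(r"127\.0\.0\.1|localhost", value):
                owner = [r for r in run_entries
                         if any(app in r.lower() for app in KNOWN_LOCAL_PROXY_APPS)]
                if owner:
                    note = "explained by " + owner[0]
                else:
                    note = "no known local proxy app in O4 entries; find the listener"
                findings.append(Finding("loopback_proxy", line, note))
        elif sec in ("O2", "O3"):
            path = line.rsplit(" - ", 1)[1]
            if any(path.lower().startswith(root.lower()) for root in UNWANTED_FOLDERS):
                findings.append(Finding("unwanted_addon", line, path))
        elif sec == "O17":
            findings.append(Finding("dns_override", line,
                                    "confirm these resolvers belong to the ISP"))
    return findings


def build_cfscript(findings):
    """Draft a CFScript in the Folder:: / Registry:: layout Shaba used above.
    Only the start page and unwanted add-ons go in; proxy and DNS hits are left to a human."""
    folders, reg_lines = [], []
    for f in findings:
        if f.kind == "unwanted_addon":
            for root in UNWANTED_FOLDERS:
                if f.note.lower().startswith(root.lower()) and root not in folders:
                    folders.append(root)
            reg_lines.append(f.line)
        elif f.kind == "hijacked_start_page":
            reg_lines.append(f.line)
    return "\n".join(["Folder::", *folders, "", "Registry::", *reg_lines, ""])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.kind}] {h.note}\n    {h.line}")
    print(build_cfscript(hits))
```

Run against the sample, it flags the 3929.cn start page, the loopback proxy (attributed to the SlipStream Run entry), both AskBarDis add-ons and the O17 name servers, and the drafted script contains the same three lines Shaba put under Registry:: plus the AskBarDis folder. Treat the output as a draft to read before dragging it onto ComboFix, not as a decision.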

Re: Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 11th, 2008, 6:51 pm

Hi Shaba,

ComboFix had a bit of difficulty the first time I used it to eliminate the Ask Toolbar stuff. It seemed to delete all the files and had trouble when it generated the log file. When the log file closed all of my desktop icons disappeared. I waited about 20 minutes and Task Manager could not be used, so I shut the CPU down and rebooted. I then ran ComboFix again followed by HijackThis. Results are below. I still have the issue of the Chinese website opening as my homepage.....



ComboFix 08-11-10.01 - Administrator 2008-11-11 17:31:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.162 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-10 18:04 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-08 20:48 . 2008-11-08 20:48 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 23:38 . 2008-11-07 23:50 <DIR> d-------- c:\program files\Panda Security
2008-11-07 02:00 . 2008-11-07 02:00 142 --a------ c:\windows\system32\spupdsvc.inf
2008-10-22 22:26 . 2008-10-22 22:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sammsoft
2008-10-22 22:25 . 2008-10-22 22:25 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2008-10-22 20:59 . 2008-10-22 20:59 <DIR> d-------- c:\program files\Lavasoft
2008-10-22 20:59 . 2008-10-22 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-14 12:39 . 2008-10-14 12:39 <DIR> d-------- c:\program files\Windows Sidebar
2008-10-14 12:38 . 2008-10-14 20:20 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-14 12:38 . 2008-10-14 20:20 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-10-14 12:38 . 2008-10-14 20:20 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-14 12:38 . 2008-10-14 20:20 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-10-14 12:37 . 2008-10-14 20:20 <DIR> d-------- c:\program files\Symantec
2008-10-14 12:37 . 2008-10-14 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-10-13 19:41 . 2008-10-13 19:41 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 22:24 --------- d-----w c:\documents and settings\Administrator\Application Data\SlipStream
2008-11-11 21:41 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-07 07:02 --------- d-----w c:\program files\Norton 360
2008-10-28 02:40 --------- d-----w c:\program files\palmOne
2008-10-16 07:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-14 17:42 --------- d-----w c:\documents and settings\Administrator\Application Data\Symantec
2008-10-04 06:24 --------- d-----w c:\program files\iTunes
2008-10-04 06:24 --------- d-----w c:\program files\iPod
2008-10-04 06:24 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 06:23 --------- d-----w c:\program files\Bonjour
2008-10-04 06:22 --------- d-----w c:\program files\QuickTime
2008-10-04 06:22 --------- d-----w c:\program files\Common Files\Apple
2008-10-04 01:38 --------- d-----w c:\program files\Apple Software Update
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-22 00:01 --------- d-----w c:\program files\GameSpy Arcade
2008-09-21 23:59 --------- d-----w c:\program files\directx
2008-09-21 23:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-21 23:43 --------- d-----w c:\program files\Infogrames Interactive
2007-05-04 11:13 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-05-04 11:13 16,384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-05-04 11:13 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-11_ 0.01.16.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2004-08-04 12:00:00 15,360 ------w c:\windows\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\backup\ctfmon.exe
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
+ 2008-11-11 17:12:42 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-11-11 21:41:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SlipStream"="c:\program files\SlipStream Web Accelerator\slipcore.exe" [2006-01-19 253952]
"BarbieGirlsTray"="c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [2007-03-14 24576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-05 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"IE7-11"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]
PowerReg Scheduler.exe [2007-10-13 233472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office97\Office\OSA.EXE [1997-08-05 51984]
SlipStream.lnk - c:\program files\SlipStream Web Accelerator\slipgui.exe [2007-09-27 159744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 iwbsv;iwbsv;c:\windows\system32\drivers\iwbsv.sys [2007-04-27 28352]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.3929.cn?tn=102720
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 -: HKCU-Internet Settings,ProxyOverride = <local>;127.0.0.1:5400;*update.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;*.phobos.apple.com;update.adobe.com;localhost
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 -: Show All Original Images - c:\program files\SlipStream Web Accelerator\gui_resource.dll/327
O8 -: Show Original Image - c:\program files\SlipStream Web Accelerator\gui_resource.dll/328
O17 -: HKLM\CCS\Interface\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 17:34:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 17:40:03
ComboFix-quarantined-files.txt 2008-11-11 22:39:52
ComboFix2.txt 2008-11-11 21:55:43
ComboFix3.txt 2008-11-11 21:23:37
ComboFix4.txt 2008-11-11 05:02:14

Pre-Run: 58,199,441,408 bytes free
Post-Run: 58,187,661,312 bytes free

164 --- E O F --- 2008-11-07 07:00:38




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:49 PM, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlipStream Web Accelerator\slipcore.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\SlipStream Web Accelerator\slipgui.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HISurfer\dialer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: SlipStream - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\SlipStream Web Accelerator\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\SlipStream Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Global Startup: SlipStream.lnk = C:\Program Files\SlipStream Web Accelerator\slipgui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/f ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{958CA3F1-55A2-4514-A604-18ADD4AAA0F9}: NameServer = 64.136.173.5 64.136.164.77
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 9962 bytes
OU_Packfan
Active Member
 
Posts: 11
Joined: November 8th, 2008, 9:53 pm

Re: Possible malware infection....can someone please have a look

Unread postby Shaba » November 12th, 2008, 5:09 am

Looks like that start page is still there.

Boot to safe mode.

Open HijackThis, click do a system scan only and checkmark this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720

Close all windows including browser and press fix checked.

Reboot.

Post back a fresh HijackThis log, please.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 12th, 2008, 5:17 pm

The Hijackthis program does not seem to operate in the fix mode in my safe mode in Win XP. It does the scan and provides the log OK but does nothing once R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720 is checked and fix button is pushed.

Should I try the HijackThis fix process in the normal mode operation of Win XP, or is there another process I need to complete?

Thanks.
OU_Packfan
Active Member
 
Posts: 11
Joined: November 8th, 2008, 9:53 pm

Re: Possible malware infection....can someone please have a look

Unread postby Shaba » November 13th, 2008, 7:01 am

No, then we need further research.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2

  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 13th, 2008, 5:13 pm

Hi Shaba,

Here is the gmer scan result. Thanks for your helpfulness.....


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-13 16:02:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 81B036F0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF3891EB0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF3892130]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF3892690]
SSDT 822198F0 ZwOpenSection
SSDT 81AFC6D0 ZwResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF38928E0]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwSetValueKey + 57 8061856B 4 Bytes [ F7, EE, 11, 78 ]
? C:\WINDOWS\system32\drivers\iwbsv.sys The process cannot access the file because it is being used by another process.
PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 99D9 8061856B 4 Bytes [ F7, EE, 11, 78 ]

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[1776] SHELL32.dll!SHFileOperationW 7CA7067C 5 Bytes JMP 01941102 C:\Program Files\Unlocker\UnlockerHook.dll

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\Explorer.EXE[1776] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [65008E0D] C:\Program Files\SlipStream Web Accelerator\PBHelper.dll (Popup Blocker Browser Helper Object/SlipStream Data Inc.)
IAT C:\WINDOWS\Explorer.EXE[1776] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectA] [65007E60] C:\Program Files\SlipStream Web Accelerator\PBHelper.dll (Popup Blocker Browser Helper Object/SlipStream Data Inc.)
IAT C:\WINDOWS\Explorer.EXE[1776] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!MessageBoxIndirectW] [65007EC3] C:\Program Files\SlipStream Web Accelerator\PBHelper.dll (Popup Blocker Browser Helper Object/SlipStream Data Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.14 ----
OU_Packfan
Active Member
 
Posts: 11
Joined: November 8th, 2008, 9:53 pm

Re: Possible malware infection....can someone please have a look

Unread postby Shaba » November 14th, 2008, 5:11 am

Please click this link-->Jotti

Copy/paste the file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\drivers\iwbsv.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
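Added here as an illustration of the two log signals this thread turns on (the R0 start-page entry HijackThis reported, and the GMER line saying iwbsv.sys could not be read) together with the pre-upload check that would have caught the 0-byte Jotti submission before it was sent. This is constructed example code, not part of HijackThis, GMER, ComboFix or the forum's own tooling; the allow-list of expected start-page hosts is an assumption, and the sample lines are copied from the logs posted above.

```python
import os
import re
from dataclasses import dataclass

# Start-page hosts the machine's owner actually wants (assumption for this example).
EXPECTED_START_PAGE_HOSTS = {"www.msn.com", "about:blank"}

# HijackThis R0/R1 start-page entries, e.g.
#   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720
HJT_START_PAGE = re.compile(
    r"^R[01] - (?P<hive>HK\w+)\\[^,]+,Start Page = (?P<url>\S+)")

# GMER prefixes a kernel file it could not open with "?", e.g.
#   ? C:\WINDOWS\system32\drivers\iwbsv.sys The process cannot access the file ...
GMER_UNREADABLE = re.compile(
    r"^\? (?P<path>.+?) The process cannot access the file")


@dataclass
class Finding:
    kind: str    # "start-page-hijack" or "unreadable-driver"
    detail: str


def start_page_host(url: str) -> str:
    """Reduce a start-page value to its host, tolerating a missing scheme and a query string."""
    u = url.strip().lower()
    if u.startswith("about:"):
        return u
    u = re.sub(r"^https?://", "", u)
    return u.split("/", 1)[0].split("?", 1)[0]


def triage(lines):
    """Return the findings a helper looks for first in HijackThis and GMER output."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_START_PAGE.match(line)
        if m:
            host = start_page_host(m.group("url"))
            if host not in EXPECTED_START_PAGE_HOSTS:
                findings.append(Finding(
                    "start-page-hijack",
                    f"{m.group('hive')} start page points at {host}"))
            continue
        m = GMER_UNREADABLE.match(line)
        if m:
            # A driver GMER cannot read is also one a user-mode copy or upload gets 0 bytes of.
            findings.append(Finding("unreadable-driver", m.group("path")))
    return findings


def file_submittable(path: str) -> str:
    """Classify a file before sending it to an online scanner: "missing", "empty", "locked" or "ok".

    Submitting a file that a kernel component holds open produces the 0-byte upload seen in
    this thread; checking readability and size first avoids a meaningless scan result.
    """
    if not os.path.exists(path):
        return "missing"
    try:
        with open(path, "rb") as fh:
            head = fh.read(1)
    except OSError:
        return "locked"
    if not head:
        return "empty"
    return "ok"


# Constructed sample: one benign entry plus two lines copied from the logs posted in the thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720",
    r"? C:\WINDOWS\system32\drivers\iwbsv.sys The process cannot access the file because it is being used by another process.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}")
    print(file_submittable(r"C:\WINDOWS\system32\drivers\iwbsv.sys"))
```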

Re: Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 15th, 2008, 12:21 am

Hello Shaba,

Virusscan gave the following result for the file C:\WINDOWS\system32\drivers\iwbsv.sys. I had disabled the Norton 360 firewall and the Auto-Protect functions before I ran the jotti site.


The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

What might be your next suggestion?

Thanks.
OU_Packfan
Active Member
 
Posts: 11
Joined: November 8th, 2008, 9:53 pm

Re: Possible malware infection....can someone please have a look

Unread postby Shaba » November 15th, 2008, 6:00 am

Then we do this:

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\drivers\iwbsv.sys

Driver::
iwbsv

Registry::
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102720


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection....can someone please have a look

Unread postby OU_Packfan » November 15th, 2008, 4:21 pm

Hello Shaba,

ComboFix seems to have removed the Chinese website that always came up as the homepage. I rebooted and now it uses MSN as the homepage. So far so good.



ComboFix 08-11-13.02 - Administrator 2008-11-15 12:45:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.114 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\iwbsv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\iwbsv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWBSV
-------\Service_iwbsv


((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-13 15:32 . 2008-11-13 15:46 345 --a------ c:\windows\gmer.ini
2008-11-12 20:42 . 2008-10-24 06:25 455,936 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 16:23 . 2008-11-12 16:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-10 18:04 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-08 20:48 . 2008-11-08 20:48 <DIR> d-------- c:\program files\Trend Micro
2008-11-07 23:38 . 2008-11-07 23:50 <DIR> d-------- c:\program files\Panda Security
2008-11-07 02:00 . 2008-11-07 02:00 142 --a------ c:\windows\system32\spupdsvc.inf
2008-10-22 20:59 . 2008-10-22 20:59 <DIR> d-------- c:\program files\Lavasoft
2008-10-22 20:59 . 2008-10-22 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 17:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-15 17:44 --------- d-----w c:\documents and settings\Administrator\Application Data\SlipStream
2008-11-14 02:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-07 07:02 --------- d-----w c:\program files\Norton 360
2008-10-28 02:40 --------- d-----w c:\program files\palmOne
2008-10-24 11:25 455,936 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 01:21 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-15 01:20 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-15 01:20 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-10-15 01:20 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-15 01:20 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-15 01:20 --------- d-----w c:\program files\Symantec
2008-10-14 17:42 --------- d-----w c:\documents and settings\Administrator\Application Data\Symantec
2008-10-14 17:39 --------- d-----w c:\program files\Windows Sidebar
2008-10-04 06:24 --------- d-----w c:\program files\iTunes
2008-10-04 06:24 --------- d-----w c:\program files\iPod
2008-10-04 06:24 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 06:23 --------- d-----w c:\program files\Bonjour
2008-10-04 06:22 --------- d-----w c:\program files\QuickTime
2008-10-04 06:22 --------- d-----w c:\program files\Common Files\Apple
2008-10-04 01:38 --------- d-----w c:\program files\Apple Software Update
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-22 00:01 --------- d-----w c:\program files\GameSpy Arcade
2008-09-21 23:59 --------- d-----w c:\program files\directx
2008-09-21 23:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-21 23:43 --------- d-----w c:\program files\Infogrames Interactive
2008-09-15 12:17 1,846,912 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:32 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-30 01:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 09:08 827,904 ----a-w c:\windows\system32\wininet.dll
2007-05-04 11:13 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-05-04 11:13 16,384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-05-04 11:13 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( snapshot_2008-11-15_ 0.56.13.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-11-15 17:53:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SlipStream"="c:\program files\SlipStream Web Accelerator\slipcore.exe" [2006-01-19 253952]
"BarbieGirlsTray"="c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [2007-03-14 24576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-05 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"IE7-11"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]
PowerReg Scheduler.exe [2007-10-13 233472]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office97\Office\OSA.EXE [1997-08-05 51984]
SlipStream.lnk - c:\program files\SlipStream Web Accelerator\slipgui.exe [2007-09-27 159744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-10 28544]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 12:53:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-15 13:01:07 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-11-15 18:00:59
ComboFix2.txt 2008-11-15 05:56:48
ComboFix3.txt 2008-11-13 04:11:38
ComboFix4.txt 2008-11-11 22:40:05
ComboFix5.txt 2008-11-15 17:40:28

Pre-Run: 57,832,112,128 bytes free
Post-Run: 57,873,543,168 bytes free

182 --- E O F --- 2008-11-14 02:10:51


I then ran a Kaspersky virus scan from their website and the following result was logged for my computer:

Saturday, November 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 20:14:58
Records in database: 1385149


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 81284
Threat name 26
Infected objects 94
Suspicious objects 1
Duration of the scan 01:50:32

File name Threat name Threats count
C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0692324B Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0692324B Infected: Email-Worm.Win32.NetSky.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10917CA2 Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\193764DC Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\195E5CB0 Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A4A6F38.htm Infected: Exploit.HTML.Mht 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24B35BB3 Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25A57EA9 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25DB281B Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25E2330D Infected: Email-Worm.Win32.NetSky.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25FF75F4 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\260E3E36 Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\262019D0 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\262B3816 Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\264D659D Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\281E3E50.tmp Infected: Email-Worm.Win32.Bagle.dt 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28795B3F Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28BA22F7 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D053298.exe Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D095C94.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D0C0691.exe Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D0F308D.vxd Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D125A8A.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D160486.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D6362CC.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D670CC9.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D695EFC.exe Infected: not-a-virus:Porn-Dialer.Win32.Generic 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D6A36C5.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D6D60C1.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D700ABE.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D7434BA.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D775EB7.exe Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D7A08B3.exe Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D7D32AF.cab Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D7D32AF.exe Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D815CAC.vxd Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D8406A8.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D8730A5.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D8A5AA1.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\324066A2.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.n 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA6579C.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\482C2B9A.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\482F5596.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48337F93.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4836298F.exe Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4839538C.cab Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4839538C.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4839538C.vxd Infected: not-a-virus:AdWare.Win32.BargainBuddy.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\483D7D88.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.l 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B084516 Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4EFF368F Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51591781.exe Infected: Trojan-Downloader.Win32.WinShow.am 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53687ED1 Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\539220A2 Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53B3447E Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53CD1461 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53F1623A Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54AB3B6D Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54CF0945 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54EC0325 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\59E34922.tmp Infected: Email-Worm.Win32.Bagle.bw 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B1A3443 Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B7F49D3 Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60E74CA4.exe Infected: Trojan-Downloader.Win32.Adload.a 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\69261790.jar Infected: Exploit.Java.ByteVerify 2

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\69261790.jar Infected: Trojan-Downloader.Java.OpenConnection.aa 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6967538C.exe Infected: Trojan-Downloader.Win32.Tiny.bm 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A147B5A.gif Infected: Exploit.HTML.Mht 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72350186 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72667751 Infected: Email-Worm.Win32.NetSky.j 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A1761F1 Infected: Email-Worm.Win32.NetSky.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7AF832F9 Infected: Email-Worm.Win32.NetSky.q 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B1C00D1 Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C2B4534 Infected: Email-Worm.Win32.Bagle.au 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E962435 Infected: Email-Worm.Win32.NetSky.d 1

C:\olddata\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7FBC1414 Infected: Email-Worm.Win32.NetSky.c 1

C:\olddata\Documents and Settings\Beth Clark\Application Data\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 3

C:\olddata\Documents and Settings\Beth Clark\Application Data\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.ou 1

C:\olddata\Documents and Settings\Beth Clark\Application Data\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Fiffraud.i 1

C:\olddata\Documents and Settings\Beth Clark\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx Infected: Email-Worm.Win32.Magistr.a 2

C:\olddata\link.exe Infected: Trojan-Downloader.Win32.Delf.az 1

C:\olddata\WINDOWS\SimpleRegistration.dll Infected: not-a-virus:AdWare.Win32.TimeSink.d 1

C:\Program Files\Outlook Express\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 3

C:\Program Files\Outlook Express\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.ou 1

C:\Program Files\Outlook Express\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Fiffraud.i 1

C:\Program Files\Outlook Express\Outlook Express\Mail\Sent Items.mbx Infected: Email-Worm.Win32.Magistr.a 2

C:\WINDOWS\system32\8LUlns.dll Infected: Trojan-Downloader.Win32.BHOSta.ck 1

C:\WINDOWS\system32\drivers\iwbsv.sys Infected: Trojan-Downloader.Win32.Agent.afif 1

The selected area was scanned.

Should I now use jotti to clean up these?

Thanks.
OU_Packfan
Active Member
 
Posts: 11
Joined: November 8th, 2008, 9:53 pm