Need Help Again

Post by n3m3sis0075 » November 12th, 2007, 1:24 pm

I need help again. My browsing speed has slowed drastically and I can't seem to find the problem. When I scan for viruses and such there are no results... Here's my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:32 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1125545579\ee\aolsoftware.exe
c:\program files\common files\aol\1125545579\ee\aexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4501 bytes
n3m3sis0075
Regular Member
 
Posts: 30
Joined: August 5th, 2007, 12:40 am

Re: Need Help Again

Post by beynac » November 15th, 2007, 12:31 pm

Hi.

I'm sorry that you've been kept waiting. I'm looking through your log and will post again shortly.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Need Help Again

Post by beynac » November 15th, 2007, 1:23 pm

There's no sign of malware in your HijackThis log. Let's clean a few things up and then run a scan. Do you use the AOL browser? If so, clear the cache as shown below. If you use another browser (e.g. Internet Explorer or Firefox), even if it's only occasionally, please run ATF Cleaner. Please let me know which browser(s) you use.

----------------------------------------------------

Clear the AOL Browser Cache

You appear to be using the AOL browser. If so, we need to clear the cache. If this is not done regularly, it can seriously slow your browsing.

To clear the browser cache using AOL System Information:
  • Right-click the AOL icon in the system tray, then click System Information....
  • Click the Utilities tab.
  • Click the Clear or Clear Browser Cache button.
  • Click the Close button.

--------------------------------------------------

ATF Cleaner by Atribune ©

Note: You only need to do this step if you sometimes use another browser (other than AOL).

Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.

--------------------------------------------

AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful.
You will need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
You can now close AVG Anti-Spyware. Do not scan yet.

---------------------------------------------------

Boot to Safe Mode.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.

------------------------------------------------

Run AVG Anti-Spyware:

Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.

-----------------------------------------------------------------

Reboot in Normal Mode.

-------------------------------------------------------------------------

Please post the following, as a reply to this thread:
  • An answer to my question - "which browser(s) do you use?"
  • The AVG Anti-Spyware report
  • A new HijackThis log

Are you having any other problems with the computer, or is it just the slow browsing?
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Need Help Again

Post by n3m3sis0075 » November 16th, 2007, 12:04 am

I use AOL Explorer mainly but I do have Firefox and Internet Explorer, oddly my Firefox won't ever open...
n3m3sis0075
Regular Member
 
Posts: 30
Joined: August 5th, 2007, 12:40 am

Re: Need Help Again

Post by beynac » November 16th, 2007, 9:39 am

Hi.

I think that there may have been a bit of a misunderstanding. I wanted you to run the AVG Anti-Spyware scan whatever your browser. Also, as you use Internet Explorer, please use ATF Cleaner. I will try to sort out Firefox for you once we have confirmed that the computer is clean.

----------------------------------------

Please post:
  • Confirmation that you have cleared the cache in AOL's browser
  • Confirmation that you have run ATF Cleaner
  • The AVG Anti-Spyware report
  • An answer to my question: "Are you having any other problems with the computer, or is it just the slow browsing?"

Please also let me know if browsing speed has improved since clearing the browser caches.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Need Help Again

Post by n3m3sis0075 » November 18th, 2007, 1:31 pm

OK, I did a scan with my Symantec instead and it found 3 problems and dealt with it. Also ran ATF Cleaner. Browsing speed has improved but there still is a problem. Every once in a while my download manager turns on by itself and I can't even click on it or tell what's being downloaded. How can I solve this problem?
n3m3sis0075
Regular Member
 
Posts: 30
Joined: August 5th, 2007, 12:40 am

Re: Need Help Again

Post by n3m3sis0075 » November 18th, 2007, 2:46 pm

I also noticed that my processes were unusually high at around 100% at nearly all times when I only have like 1 or 2 applications open...
n3m3sis0075
Regular Member
 
Posts: 30
Joined: August 5th, 2007, 12:40 am

Re: Need Help Again

Post by beynac » November 18th, 2007, 3:18 pm

I did a scan with my Symantec instead and it found 3 problems and dealt with it

I asked you to run AVG Anti-Spyware for a reason. If you don't want to follow my instructions, then I can't help you. However, let's start with a clean sheet. The other problems you describe indicate that there may be something hidden.

Please carry out the following instructions completely, and in the order given. Do NOT run AVG Anti-Spyware or any other scans.

----------------------------------------------------------

ComboFix by sUBs

Important: If you already have ComboFix on your computer, please delete it and download the latest version.
  • Download this file - ComboFix.exe. (Please save it on your desktop).
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply
Important: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

----------------------------------------------------------

Rename HijackThis

I think that you may have something that's hiding from HijackThis. To fool the 'nasty' into letting us see the complete picture, we need to rename HijackThis.
  • Click on Start then My Computer
  • Navigate to the folder C:\Program Files\Trend Micro\HijackThis\
  • Rename HijackThis.exe as NoHiding.exe
  • Right-click on NoHiding and select Send To then Desktop (create shortcut)
  • Close the window
Always use the new shortcut to run HijackThis (now "NoHiding").

----------------------------------------------------------

Please post, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log (run as NoHiding)
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Need Help Again

Post by n3m3sis0075 » November 18th, 2007, 7:21 pm

Sorry about the AVG thing. I tried downloading it last time and it rebooted my computer for some weird reason, so I used Symantec instead. Next time I'll let you know before doing so.

ComboFix 07-11-08.1 - user 2007-11-18 18:08:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.594 [GMT -5:00]
Running from: C:\Documents and Settings\user\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nemesis\ravmonlog
C:\Documents and Settings\user\ravmonlog
C:\Program Files\Common Files\vcclient
C:\Program Files\Common Files\vcclient\temp.txt
C:\Program Files\Common Files\vcclient\Version.txt
C:\Program Files\internet explorer\iekey.dll
C:\ravmonlog
C:\WINDOWS\winsysupd31.dat
C:\WINDOWS\winsysupd41.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 18:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-17 10:22 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 23:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-18 18:46 141,612 ----a-w C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-11-18 18:34 --------- d-----w C:\Program Files\Warcraft III
2007-11-12 02:51 --------- d-----w C:\Program Files\Steam
2007-11-11 15:08 --------- d-----w C:\Program Files\QuickTime
2007-11-04 19:50 --------- d-----w C:\Program Files\Viewpoint
2007-11-04 19:50 --------- d-----w C:\Documents and Settings\user\Application Data\Viewpoint
2007-11-04 19:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 18:28 --------- d-----w C:\Program Files\AIM6
2007-10-27 18:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-04 10:30 --------- d-----w C:\Program Files\iTunes
2007-10-04 10:30 --------- d-----w C:\Program Files\iPod
2007-09-27 00:20 --------- d-----w C:\Program Files\Apple Software Update
2007-09-26 10:35 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-23 18:00 --------- d-----w C:\Program Files\LimeWire
2006-01-18 00:30:32 385,209 --sh--w C:\WINDOWS\system32\nnnmp.bak1
2006-01-31 00:49:56 410,302 --sh--w C:\WINDOWS\system32\nnnmp.bak2
2006-01-31 11:50:54 386,022 --sh--w C:\WINDOWS\system32\nnnmp.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 16:38]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 18:49]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-08 22:23]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1125545579\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lielb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pviever]
"C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe" hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snap!IM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\tempei4\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
"C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"dvpapi"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
S3 jbridgep;jbridgep;\??\C:\DOCUME~1\user\LOCALS~1\Temp\jbridgep.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 13:16:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-18 20:00:00 C:\WINDOWS\Tasks\Backup.job"
- C:\WINDOWS\system32\ntbackup.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 18:13:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 18:15:53 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:12 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\AOL\1125545579\ee\aolsoftware.exe
c:\program files\common files\aol\1125545579\ee\aexplore.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\NoHiding.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4760 bytes
n3m3sis0075
Regular Member
 
Posts: 30
Joined: August 5th, 2007, 12:40 am

Re: Need Help Again

Post by beynac » November 19th, 2007, 10:09 am

Good afternoon.

ComboFix deleted some files and folders but they look like the remnants of malware rather than the malware itself. There are some more things showing in the ComboFix log which we need to get rid of. It looks as if you have had some nasty stuff on this computer. There is a very good chance that you have had a backdoor trojan. Again, the signs are there but the malware itself seems to have gone. However, as a precaution, I would advise you to change all your online passwords, but do not do it using this computer - use another, clean one. If you use the computer for any financial transactions (online banking, credit card payments, PayPal or any other financial accounts), then call your banks, credit card companies etc and inform them that you may be a victim of identity theft. Ask them to put a watch on the accounts or change all of the account/card numbers. We need to make sure that the computer is clean before you use it for any secure transactions.

Some of the infections are spread by flash drives. Please do not plug in any USB drives until further notice. This includes flash drives, mp3 players, cameras, telephones, etc. We will sort out this side of things later.

----------------------------------------------------------

First, let's delete the bad files and folders that were shown in the ComboFix log. Click on Start then My Computer, find the following files and folders (highlighted in red) and delete them, if present. Don't worry if any are missing, but please let me know.
  • C:\WINDOWS\system32\nnnmp.bak1 <- File
  • C:\WINDOWS\system32\nnnmp.bak2 <- File
  • C:\WINDOWS\system32\nnnmp.ini2 <- File
  • C:\Program Files\Gay-Lesbian-Photo\ <- Folder and all its contents

----------------------------------------------------------

Backup the Windows Registry
  • Download Erunt to your desktop from here
  • Double-click on the file to install the program
  • Untick the NTREGOPT desktop shortcut option
  • Click No when you get the option to run Erunt at Windows startup.
  • During the installation, tick Launch Erunt
  • Accept the defaults for running a backup
  • Erunt will then backup your registry

----------------------------------------------------------------------

Edit the Windows Registry

Open Notepad (Click on Start then Run. Type notepad into the textbox and click OK). Select the contents of the Code Box below and copy/paste into Notepad

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pviever]


  • Make sure that Word Wrap is turned off in Notepad - (click the Format menu and uncheck Word Wrap)
  • Important:
    • Make sure there are NO blank lines before REGEDIT4
    • Make sure there is one blank line at the end of the file
    • Make sure that you have copied all of the text (e.g. don't miss the first 'R')
  • Click Save As on the File menu and name the file fix.reg
  • Change the Save as Type to All Files
  • Save the file on your desktop
  • Close Notepad and make sure that all other windows are closed
  • Double-click on the fix.reg file
  • When it prompts to merge, click Yes

-------------------------------------------------

F-Secure BlackLight

Please download F-Secure Blacklight (fsbl.exe) from here.
  • Double click the file to run it, choose I accept the agreement then click Next
  • Click the Scan button
  • It will create a log on your desktop (fsbl-date/time.log).
  • If it finds anything, do not rename any. Legitimate items can also be present.
  • Exit Blacklight
Please post the contents of the log as a reply to this thread.

-------------------------------------------------

I would still like to see an AVG Anti-Spyware scan but, as it caused problems last time, let's do an online scan instead.

ESET Online Scanner

Please run the ESET Online Scanner. You must use Internet Explorer to run the scan.
  • Check the box to accept the Terms of Use
  • Click Start
  • When prompted, left-click on the Information Bar which pops up at the top of your browser window
  • Click on Install ActiveX Control
  • A message box will pop up. Click on Install to install the software
  • Click Start
  • Do not check the following boxes
    • remove found threats
    • scan for unwanted applications
  • Click Start
  • When the scan has ended it should show a report giving details of any threats found
  • The report will be saved as C:/Program Files/esetonlinescanner/log.txt
Please post that report as a reply to this thread.

-------------------------------------------------

Please post the following, as a reply to this thread:
  • The Blacklight log
  • The ESET Online Scan report
  • A new HijackThis log (run as NoHiding)
Please let me know if there has been any improvement in browsing speed. Are you still getting the other problems (high CPU usage and the download manager activity)?
beynac
MRU Honors Grad Emeritus
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
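Checking a .reg file before merging it: an added Python example (not code from beynac or MalwareRemoval.com) that applies the three "Important" checks above to the fix.reg text and lists which keys the merge will delete. Function names and the hive list are the example's own.

```python
import re

# Added example, not part of the thread: validate a REGEDIT4 file the way the
# instructions above require, and report what merging it would do.
KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}

def check_reg_text(text):
    """Return (problems, actions) for the text of a .reg file.
    problems: reasons regedit would reject the file or it would misbehave.
    actions:  ('delete_key', path) or ('write_key', path) in file order."""
    problems, actions = [], []
    lines = text.split("\n")
    # The header must be the very first line: a leading blank line or a
    # missing 'R' makes regedit reject the file.
    if lines[0] != "REGEDIT4":
        problems.append("first line must be exactly 'REGEDIT4' (found %r)" % lines[0])
    # regedit wants the file to end with one blank line.
    if not text.endswith("\n\n"):
        problems.append("file must end with one blank line")
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        if line.startswith("["):
            m = KEY_LINE.match(line)
            if not m:
                # A '[' with no closing ']' usually means Word Wrap split the line.
                problems.append("line %d: key header not closed, check Word Wrap" % n)
                continue
            path = m.group("path")
            hive = path.split("\\", 1)[0].upper()
            if hive not in HIVES:
                problems.append("line %d: unknown hive %r" % (n, hive))
            actions.append(("delete_key" if m.group("delete") else "write_key", path))
        elif "=" in line:
            # Value line such as "Name"="data"; only meaningful under a written key.
            if not actions or actions[-1][0] != "write_key":
                problems.append("line %d: value outside a key section" % n)
        else:
            problems.append("line %d: unrecognised text %r" % (n, line))
    return problems, actions

# Sample input: the fix.reg text from the instructions above.
FIX_REG = (
    "REGEDIT4\n\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\RavAV]\n\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\pviever]\n\n"
)

if __name__ == "__main__":
    print(check_reg_text(FIX_REG))
```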

Re: Need Help Again

Unread postby n3m3sis0075 » November 19th, 2007, 11:13 pm

I can't seem to find the following files:
C:\WINDOWS\system32\nnnmp.bak1 <- File
C:\WINDOWS\system32\nnnmp.bak2 <- File
C:\WINDOWS\system32\nnnmp.ini2 <- File
C:\Program Files\Gay-Lesbian-Photo\ <- Folder and all its contents

Also the fsbl.exe link doesn't work.
n3m3sis0075
Regular Member
Posts: 30
Joined: August 5th, 2007, 12:40 am

Re: Need Help Again

Unread postby beynac » November 20th, 2007, 5:38 am

Good morning.

I can't seem to find the following files:
C:\WINDOWS\system32\nnnmp.bak1 <- File
C:\WINDOWS\system32\nnnmp.bak2 <- File
C:\WINDOWS\system32\nnnmp.ini2 <- File
C:\Program Files\Gay-Lesbian-Photo\ <- Folder and all its contents

Hmm... The folder may have been removed earlier, but the files were there when you ran ComboFix. It's good if they've gone, but we need to make sure.

Download OTMoveIt by OldTimer to your Desktop.
  • Double-click OTMoveIt.exe to launch it.
  • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt - (Do not type it).
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.ini2
C:\Program Files\Gay-Lesbian-Photo


  • Click the Move It button.
  • The list will be processed and the results will appear in the right hand pane.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • When finished click Exit to exit the programme.
  • A log - C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

-------------------------------------------

Also the fsbl.exe link doesn't work.

I've just tried it and it worked fine. Please could you try again. If it works this time, please post the log (see the instructions in my previous post). Link: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

If it doesn't work, please let me know exactly what happens (e.g. file not found, the file downloads but doesn't run) and then do the following (this is only necessary if you don't run Blacklight successfully):

AVG Anti-Rootkit
  • Click here to download AVG Anti-Rootkit Free (save it to your desktop).
  • Double-click on the downloaded file to run the installation program.
  • Follow the prompts to install the program
  • Click Finish and your computer will reboot.
  • After it reboots, double-click on the AVG Anti-Rootkit Free shortcut on your desktop.
  • Click on the Perform in-depth search button to begin the scan.
  • The scan will take a while so be patient and let it complete.
  • When the scan is finished, click the Save result to file button.
  • Save the scan results to your desktop
  • Do not remove anything yet.
You can delete the installation program from your desktop.

------------------------------------------

Did you carry out the other steps in my previous post? Please confirm that you installed Erunt and ran the registry update ("fix.reg"). Did you run the ESET Online Scan? If so, please post the log. If not, please do so.

------------------------------------------

To summarise, please post:
  • The OT_MoveIt log
  • The Blacklight log OR the AVG Anti-Rootkit log
  • Confirmation that you have installed Erunt and run the registry fix
  • The ESET Online Scan report
  • A new HijackThis log
beynac
MRU Honors Grad Emeritus
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Need Help Again

Unread postby n3m3sis0075 » November 20th, 2007, 6:25 am

C:\WINDOWS\system32\nnnmp.bak1 moved successfully.
C:\WINDOWS\system32\nnnmp.bak2 moved successfully.
C:\WINDOWS\system32\nnnmp.ini2 moved successfully.
File/Folder C:\Program Files\Gay-Lesbian-Photo not found.

Created on 11/20/2007 05:17:16

I've also done the ERUNT registry update, AVG Anti-Spyware, as well as ESET Online Scan. However, for the AVG Anti-Spyware and the ESET Online Scan I can't seem to get a log on anything, I've tried copy and pasting but it doesn't work. Also the link you gave me ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe still won't load for some strange reason, my browser just remains on an untitled screen when I try to click the link or copy and paste it.

I'll try the Anti-Rootkit. But here's my HiJack log for now.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:18 AM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1125545579\ee\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
c:\program files\common files\aol\1125545579\ee\aexplore.exe
C:\Program Files\Trend Micro\HijackThis\NoHiding.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4904 bytes
n3m3sis0075
Regular Member
Posts: 30
Joined: August 5th, 2007, 12:40 am

Re: Need Help Again

Unread postby beynac » November 20th, 2007, 7:29 am

Hi. The HijackThis log is still clean. :) You've now got rid of those files and confirmed that the folder is not there. Let's have a look for the AVG Anti-Spyware and ESET reports.

--------------------------------------------

AVG Anti-Spyware
  • Open the program
  • Click on Reports on the top menu
  • There should be a list of reports displayed
  • Select the earliest one - the details will show in the right-hand pane
  • Select the text in the right-hand pane
  • Right-click on the selected text and select Copy
  • Paste the text as a reply to this thread.
Please let me know if there are no reports shown.

------------------------------------------

ESET Online Scanner
  • Select the following bold text: C:/Program Files/esetonlinescanner/log.txt
  • Copy it to clipboard (right-click on it and select Copy or press Ctrl+C)
  • Click on Start > Run
  • Click in the text box and paste the previously selected text.
  • Click OK
The report should open in Notepad. Please copy/paste this as a reply to this thread.

------------------------------------------

I don't understand why the Blacklight link isn't working for you but don't worry, just run the AVG Anti-Rootkit one instead.
beynac
MRU Honors Grad Emeritus
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: Need Help Again

Unread postby n3m3sis0075 » November 20th, 2007, 7:16 pm

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2670 (20071119)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=111198c76bf1734a964951e58de4a7af
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2007-11-20 05:34:02
# local_time=2007-11-20 12:34:02 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=457991
# found=7
# scan_time=5329
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\elite.inf INF/Downloader.RK trojan 9DDA56C79AC25769123DF8E6E43CA0AF
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\m67m.inf INF/Downloader.RK trojan E69442B0B1EE87DB997C80154DB860F6
C:\WINDOWS\Resources\Themes\124030\124030.msstyles multiple infiltrations 878DD386AD8E218246FB1B3255A9F1C7
C:\WINDOWS\Resources\Themes\124030\124030.msstyles »WISE »HLsetup2.exe Win32/TrojanDownloader.Small.BKE trojan 00000000000000000000000000000000
C:\WINDOWS\Resources\Themes\124030\124030.msstyles »WISE »NNWDAB638.EXE Win32/Adware.NdotNet application 00000000000000000000000000000000

The AVG Anti-Spyware seems to be acting up because when I try to view reports it says none saved, so should I scan again?
n3m3sis0075
Regular Member
Posts: 30
Joined: August 5th, 2007, 12:40 am
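Reading the ESET report above: an added Python example (not ESET's code) that parses the "# key=value" header and the finding lines, separates objects packed inside a container (the »WISE » entries) from the file actually on disk, and checks that the number of findings parsed matches the header's found= count. The line format is inferred from the posted output; function names are the example's own.

```python
import re
from collections import defaultdict

# Added example, not ESET's code: parses the online scanner's text report, i.e.
# the "# key=value" header followed by one "<path> <threat> [<kind>] <md5>" line
# per finding. The line format is inferred from the report posted above.
HEADER = re.compile(r"^#\s*(?P<key>\w+)=(?P<value>.*)$")
FINDING = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+/\S+|multiple infiltrations)"
    r"(?:\s+(?P<kind>application|trojan))?\s+(?P<md5>[0-9A-Fa-f]{32})$")

def parse_eset_report(text):
    """Return (header dict, findings). A '»' in the path marks an object packed
    inside a container (here a Wise installer); the on-disk file is the part
    before the first '»', and ESET gives such inner objects an all-zero hash."""
    header, findings = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        h = HEADER.match(line)
        if h:
            header[h.group("key")] = h.group("value")
            continue
        f = FINDING.match(line)
        if not f:
            raise ValueError("unrecognised report line: %r" % line)
        parts = [p.strip() for p in f.group("path").split("»")]
        findings.append({"container": parts[0],
                         "inner": " » ".join(parts[1:]) or None,
                         "threat": f.group("threat"), "kind": f.group("kind"),
                         "md5": f.group("md5").upper()})
    return header, findings

def summarise(text):
    """Group threats by on-disk file; flag a report whose finding count
    does not match the header (e.g. a truncated copy/paste)."""
    header, findings = parse_eset_report(text)
    by_file = defaultdict(list)
    for f in findings:
        by_file[f["container"]].append(f["threat"])
    declared = int(header.get("found", "0"))
    return {"files": dict(by_file), "declared": declared, "parsed": len(findings),
            "complete": header.get("end") == "finished" and declared == len(findings)}

# Sample input: header fields and the seven finding lines from the report above.
REPORT = r"""
# end=finished
# found=7
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\elite.inf INF/Downloader.RK trojan 9DDA56C79AC25769123DF8E6E43CA0AF
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\m67m.inf INF/Downloader.RK trojan E69442B0B1EE87DB997C80154DB860F6
C:\WINDOWS\Resources\Themes\124030\124030.msstyles multiple infiltrations 878DD386AD8E218246FB1B3255A9F1C7
C:\WINDOWS\Resources\Themes\124030\124030.msstyles »WISE »HLsetup2.exe Win32/TrojanDownloader.Small.BKE trojan 00000000000000000000000000000000
C:\WINDOWS\Resources\Themes\124030\124030.msstyles »WISE »NNWDAB638.EXE Win32/Adware.NdotNet application 00000000000000000000000000000000
"""
```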