Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

hijackthis log


Post by pat » December 31st, 2006, 8:12 am

Logfile of HijackThis v1.99.1
Scan saved at 6:00:34 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/do ... gctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/do ... tctlln.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/ ... Signed.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8758955013
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A221F208-9F5B-4C6F-AD95-64E46F2C4456}: NameServer = 64.126.4.189,64.126.4.193
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: euoefhhs - C:\WINDOWS\SYSTEM32\euoefhhs.dll
O20 - Winlogon Notify: jhmqgbbu - C:\WINDOWS\SYSTEM32\jhmqgbbu.dll
O20 - Winlogon Notify: ptldeutp - C:\WINDOWS\SYSTEM32\ptldeutp.dll
O20 - Winlogon Notify: snpqmugy - C:\WINDOWS\SYSTEM32\snpqmugy.dll
O20 - Winlogon Notify: svcxukgb - C:\WINDOWS\SYSTEM32\svcxukgb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
pat
Active Member
Posts: 7
Joined: December 31st, 2006, 7:51 am

Post by Shaba » December 31st, 2006, 8:16 am

Hi pat

Upload the following files to VirusTotal and send results here, please :)

C:\WINDOWS\SYSTEM32\euoefhhs.dll
C:\WINDOWS\SYSTEM32\jhmqgbbu.dll
C:\WINDOWS\SYSTEM32\ptldeutp.dll
C:\WINDOWS\SYSTEM32\snpqmugy.dll
C:\WINDOWS\SYSTEM32\svcxukgb.dll
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by pat » December 31st, 2006, 8:51 am

Complete scanning result of "euoefhhs.dll", received in VirusTotal at 12.31.2006, 13:22:44 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 12.30.2006 no virus found
BitDefender 7.2 12.31.2006 no virus found
CAT-QuickHeal 8.00 12.31.2006 no virus found
ClamAV devel-20060426 12.31.2006 no virus found
DrWeb 4.33 12.31.2006 Trojan.Spambot
eSafe 7.0.14.0 12.31.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.102 12.30.2006 no virus found
eTrust-Vet 30.3.3289 12.29.2006 no virus found
Ewido 4.0 12.31.2006 no virus found
Fortinet 2.82.0.0 12.31.2006 no virus found
F-Prot 3.16f 12.30.2006 no virus found
F-Prot4 4.2.1.29 12.30.2006 no virus found
Ikarus T3.1.0.27 12.31.2006 no virus found
Kaspersky 4.0.2.24 12.31.2006 no virus found
McAfee 4929 12.29.2006 no virus found
Microsoft 1.1904 12.31.2006 no virus found
NOD32v2 1949 12.30.2006 a variant of Win32/TrojanProxy.Agent.JZ
Norman 5.80.02 12.31.2006 no virus found
Panda 9.0.0.4 12.30.2006 Suspicious file
Prevx1 V2 12.31.2006 no virus found
Sophos 4.13.0 12.30.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.139 12.29.2006 no virus found
UNA 1.83 12.29.2006 no virus found
VBA32 3.11.1 12.30.2006 suspected of Malware.Agent.18
VirusBuster 4.3.19:9 12.30.2006 no virus found


Additional Information
File size: 188948 bytes
MD5: 336fe1062459413473af92b6a664b2a5
SHA1: 3373be7c8959d7b0712437620bc898b57d251a75
packers: MORPHINE
packers: Morphine



Complete scanning result of "jhmqgbbu.dll", received in VirusTotal at 12.31.2006, 13:35:14 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 12.30.2006 no virus found
BitDefender 7.2 12.31.2006 no virus found
CAT-QuickHeal 8.00 12.31.2006 no virus found
ClamAV devel-20060426 12.31.2006 no virus found
DrWeb 4.33 12.31.2006 Trojan.Spambot
eSafe 7.0.14.0 12.31.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.102 12.30.2006 no virus found
eTrust-Vet 30.3.3289 12.29.2006 no virus found
Ewido 4.0 12.31.2006 no virus found
Fortinet 2.82.0.0 12.31.2006 no virus found
F-Prot 3.16f 12.30.2006 no virus found
F-Prot4 4.2.1.29 12.30.2006 no virus found
Ikarus T3.1.0.27 12.31.2006 no virus found
Kaspersky 4.0.2.24 12.31.2006 no virus found
McAfee 4929 12.29.2006 no virus found
Microsoft 1.1904 12.31.2006 no virus found
NOD32v2 1949 12.30.2006 a variant of Win32/TrojanProxy.Agent.JZ
Norman 5.80.02 12.31.2006 no virus found
Panda 9.0.0.4 12.30.2006 Suspicious file
Prevx1 V2 12.31.2006 no virus found
Sophos 4.13.0 12.30.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.139 12.29.2006 no virus found
UNA 1.83 12.29.2006 no virus found
VBA32 3.11.1 12.30.2006 suspected of Malware.Agent.18
VirusBuster 4.3.19:9 12.30.2006 no virus found


Additional Information
File size: 188948 bytes
MD5: 336fe1062459413473af92b6a664b2a5
SHA1: 3373be7c8959d7b0712437620bc898b57d251a75
packers: MORPHINE
packers: Morphine



Complete scanning result of "ptldeutp.dll", received in VirusTotal at 12.31.2006, 13:39:51 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 12.30.2006 no virus found
BitDefender 7.2 12.31.2006 no virus found
CAT-QuickHeal 8.00 12.31.2006 no virus found
ClamAV devel-20060426 12.31.2006 no virus found
DrWeb 4.33 12.31.2006 Trojan.Spambot
eSafe 7.0.14.0 12.31.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.102 12.30.2006 no virus found
eTrust-Vet 30.3.3289 12.29.2006 no virus found
Ewido 4.0 12.31.2006 no virus found
Fortinet 2.82.0.0 12.31.2006 no virus found
F-Prot 3.16f 12.30.2006 no virus found
F-Prot4 4.2.1.29 12.30.2006 no virus found
Ikarus T3.1.0.27 12.31.2006 no virus found
Kaspersky 4.0.2.24 12.31.2006 no virus found
McAfee 4929 12.29.2006 no virus found
Microsoft 1.1904 12.31.2006 no virus found
NOD32v2 1949 12.30.2006 a variant of Win32/TrojanProxy.Agent.JZ
Norman 5.80.02 12.31.2006 no virus found
Panda 9.0.0.4 12.30.2006 Suspicious file
Prevx1 V2 12.31.2006 no virus found
Sophos 4.13.0 12.30.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.139 12.29.2006 no virus found
UNA 1.83 12.29.2006 no virus found
VBA32 3.11.1 12.30.2006 suspected of Malware.Agent.18
VirusBuster 4.3.19:9 12.30.2006 no virus found


Additional Information
File size: 188948 bytes
MD5: 336fe1062459413473af92b6a664b2a5
SHA1: 3373be7c8959d7b0712437620bc898b57d251a75
packers: MORPHINE
packers: Morphine




Complete scanning result of "snpqmugy.dll", received in VirusTotal at 12.31.2006, 13:44:18 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 12.30.2006 no virus found
BitDefender 7.2 12.31.2006 no virus found
CAT-QuickHeal 8.00 12.31.2006 no virus found
ClamAV devel-20060426 12.31.2006 no virus found
DrWeb 4.33 12.31.2006 Trojan.Spambot
eSafe 7.0.14.0 12.31.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.102 12.30.2006 no virus found
eTrust-Vet 30.3.3289 12.29.2006 no virus found
Ewido 4.0 12.31.2006 no virus found
Fortinet 2.82.0.0 12.31.2006 no virus found
F-Prot 3.16f 12.30.2006 no virus found
F-Prot4 4.2.1.29 12.30.2006 no virus found
Ikarus T3.1.0.27 12.31.2006 no virus found
Kaspersky 4.0.2.24 12.31.2006 no virus found
McAfee 4929 12.29.2006 no virus found
Microsoft 1.1904 12.31.2006 no virus found
NOD32v2 1949 12.30.2006 a variant of Win32/TrojanProxy.Agent.JZ
Norman 5.80.02 12.31.2006 no virus found
Panda 9.0.0.4 12.30.2006 Suspicious file
Prevx1 V2 12.31.2006 no virus found
Sophos 4.13.0 12.30.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.139 12.29.2006 no virus found
UNA 1.83 12.29.2006 no virus found
VBA32 3.11.1 12.30.2006 suspected of Malware.Agent.18
VirusBuster 4.3.19:9 12.30.2006 no virus found


Additional Information
File size: 188948 bytes
MD5: 336fe1062459413473af92b6a664b2a5
SHA1: 3373be7c8959d7b0712437620bc898b57d251a75
packers: MORPHINE
packers: Morphine




Complete scanning result of "svcxukgb.dll", received in VirusTotal at 12.31.2006, 13:49:07 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 12.30.2006 no virus found
BitDefender 7.2 12.31.2006 no virus found
CAT-QuickHeal 8.00 12.31.2006 no virus found
ClamAV devel-20060426 12.31.2006 no virus found
DrWeb 4.33 12.31.2006 Trojan.Spambot
eSafe 7.0.14.0 12.31.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.102 12.30.2006 no virus found
eTrust-Vet 30.3.3289 12.29.2006 no virus found
Ewido 4.0 12.31.2006 no virus found
Fortinet 2.82.0.0 12.31.2006 no virus found
F-Prot 3.16f 12.30.2006 no virus found
F-Prot4 4.2.1.29 12.30.2006 no virus found
Ikarus T3.1.0.27 12.31.2006 no virus found
Kaspersky 4.0.2.24 12.31.2006 no virus found
McAfee 4929 12.29.2006 no virus found
Microsoft 1.1904 12.31.2006 no virus found
NOD32v2 1949 12.30.2006 a variant of Win32/TrojanProxy.Agent.JZ
Norman 5.80.02 12.31.2006 no virus found
Panda 9.0.0.4 12.30.2006 Suspicious file
Prevx1 V2 12.31.2006 no virus found
Sophos 4.13.0 12.30.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.139 12.29.2006 no virus found
UNA 1.83 12.29.2006 no virus found
VBA32 3.11.1 12.30.2006 suspected of Malware.Agent.18
VirusBuster 4.3.19:9 12.30.2006 no virus found


Additional Information
File size: 188948 bytes
MD5: 336fe1062459413473af92b6a664b2a5
SHA1: 3373be7c8959d7b0712437620bc898b57d251a75
packers: MORPHINE
packers: Morphine
pat
Active Member
Posts: 7
Joined: December 31st, 2006, 7:51 am
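The triage the two posts above do by hand, as an added example (not code from the thread, from HijackThis or from VirusTotal): it picks out the O20 Winlogon Notify entries whose DLL names look machine-generated, which are exactly the five Shaba asked about, and groups pat's pasted VirusTotal reports by MD5, which shows the five names are one and the same file. The allow-list of stock Winlogon Notify names and both log excerpts are constructed for the example.

```python
"""Triage of the HijackThis log and VirusTotal results posted in this thread.

Added example, not part of the original posts or of HijackThis/VirusTotal.
It automates two things the helper did by eye: pick out O20 Winlogon Notify
entries with machine-looking names, and group VirusTotal reports by MD5.
"""
import re
from collections import defaultdict

# Stock Windows XP Winlogon Notify subkey names plus the WGA notifier.
# Assumption: this allow-list is constructed for the example; compare it
# against a known-clean machine of the same build before relying on it.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$", re.MULTILINE)
VT_FILE_RE = re.compile(r'Complete scanning result of "([^"]+)"')
VT_MD5_RE = re.compile(r"^MD5: ([0-9a-f]{32})$", re.MULTILINE)
# One engine row: name, version, update date (MM.DD.YYYY), free-text result.
VT_ROW_RE = re.compile(r"^(\S+) (\S+) (\d\d\.\d\d\.\d{4}) (.+)$", re.MULTILINE)

# Constructed excerpt of the HijackThis log posted above (O20 lines verbatim).
HJT_LOG = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: euoefhhs - C:\WINDOWS\SYSTEM32\euoefhhs.dll
O20 - Winlogon Notify: jhmqgbbu - C:\WINDOWS\SYSTEM32\jhmqgbbu.dll
O20 - Winlogon Notify: ptldeutp - C:\WINDOWS\SYSTEM32\ptldeutp.dll
O20 - Winlogon Notify: snpqmugy - C:\WINDOWS\SYSTEM32\snpqmugy.dll
O20 - Winlogon Notify: svcxukgb - C:\WINDOWS\SYSTEM32\svcxukgb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
"""

# Constructed excerpt of one pasted VirusTotal report; the thread shows the
# same engines, verdicts and MD5 for all five DLL names.
VT_TEMPLATE = """\
Complete scanning result of "{name}", received in VirusTotal at 12.31.2006, 13:22:44 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.30.2006 no virus found
DrWeb 4.33 12.31.2006 Trojan.Spambot
eSafe 7.0.14.0 12.31.2006 Suspicious Trojan/Worm
NOD32v2 1949 12.30.2006 a variant of Win32/TrojanProxy.Agent.JZ
Panda 9.0.0.4 12.30.2006 Suspicious file
VBA32 3.11.1 12.30.2006 suspected of Malware.Agent.18

Additional Information
File size: 188948 bytes
MD5: 336fe1062459413473af92b6a664b2a5
"""
VT_REPORTS = [VT_TEMPLATE.format(name=n) for n in (
    "euoefhhs.dll", "jhmqgbbu.dll", "ptldeutp.dll", "snpqmugy.dll", "svcxukgb.dll")]


def looks_random(name: str) -> bool:
    """Cheap pronounceability test: lowercase letters only and either few
    vowels or a run of four consonants, as in 'jhmqgbbu' or 'ptldeutp'."""
    if not re.fullmatch(r"[a-z]{6,12}", name):
        return False
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    return vowel_ratio < 0.25 or re.search(r"[^aeiou]{4}", name) is not None


def suspicious_winlogon_notify(hjt_log: str) -> list:
    """DLL paths of O20 entries that are not allow-listed and look random.
    The allow-list is checked first so that stock names like 'sclgntfy',
    which the heuristic alone would flag, are left alone."""
    flagged = []
    for name, path in O20_RE.findall(hjt_log):
        if name.lower() not in KNOWN_NOTIFY and looks_random(name):
            flagged.append(path.strip())
    return flagged


def parse_vt_report(text: str) -> dict:
    """File name, MD5 and the engines whose verdict was not 'no virus found'."""
    detections = {}
    for engine, _version, _updated, result in VT_ROW_RE.findall(text):
        if result.strip().lower() != "no virus found":
            detections[engine] = result.strip()
    return {"file": VT_FILE_RE.search(text).group(1),
            "md5": VT_MD5_RE.search(text).group(1),
            "detections": detections}


def group_by_md5(reports: list) -> dict:
    """Map each MD5 to the file names that share it: here one hash, five names."""
    groups = defaultdict(list)
    for report in reports:
        parsed = parse_vt_report(report)
        groups[parsed["md5"]].append(parsed["file"])
    return dict(groups)


if __name__ == "__main__":
    print(suspicious_winlogon_notify(HJT_LOG))
    print(group_by_md5(VT_REPORTS))
```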

Post by Shaba » December 31st, 2006, 9:07 am

Hi

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check the 2 boxes next to the box that says "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post


Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (xxxx = random numbers; the Blacklight log from your desktop)

Send:

- startuplist
- blacklight log
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by pat » December 31st, 2006, 9:21 am

StartupList report, 12/31/2006,

7:12:03 AM
StartupList version: 1.52.2
Started from :

C:\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT

5.01.2600)
Detected: Internet Explorer v7.00

(7.00.5730.0011)
* Using default options
* Including empty and uninteresting

sections
* Showing rarely important sections
======================================

============

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows

Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program

Files\Symantec\LiveUpdate\ALUScheduler

Svc.exe
c:\Program Files\Common

Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\Program Files\Norton

AntiVirus\navapsvc.exe
C:\Program Files\Norton

AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog

Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common

Files\Softwin\BitDefender

Communicator\xcommsvr.exe
C:\Program Files\Common

Files\Softwin\BitDefender Scan

Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec

Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec

Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet

Explorer\iexplore.exe
C:\Program Files\Internet

Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------

------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start

Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All

Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common

Startup:
*Folder not found*

--------------------------------------

------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon]
UserInit =

C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\Curre

ntVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\Curre

ntVersion\Winlogon]
*Registry key not found*

--------------------------------------

------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\Curren

tVersion\Run

ccApp = "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"

--------------------------------------

------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunOnce

*No values found*

--------------------------------------

------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunOnceEx

*No values found*

--------------------------------------

------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunServices

*Registry key not found*

--------------------------------------

------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunServicesOnce

*Registry key not found*

--------------------------------------

------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\Curren

tVersion\Run

ctfmon.exe =

C:\WINDOWS\system32\ctfmon.exe

--------------------------------------

------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunOnce

*No values found*

--------------------------------------

------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunOnceEx

*Registry key not found*

--------------------------------------

------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunServices

*Registry key not found*

--------------------------------------

------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunServicesOnce

*Registry key not found*

--------------------------------------

------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows

NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------

------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows

NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKLM\Software\Microsoft\Windows\Curren

tVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunOnce
*No subkeys found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunOnceEx
*No subkeys found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunServices
*Registry key not found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKLM\Software\Microsoft\Windows\Curren

tVersion\RunServicesOnce
*Registry key not found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKCU\Software\Microsoft\Windows\Curren

tVersion\Run
*No subkeys found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunOnce
*No subkeys found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunOnceEx
*Registry key not found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunServices
*Registry key not found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKCU\Software\Microsoft\Windows\Curren

tVersion\RunServicesOnce
*Registry key not found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKLM\Software\Microsoft\Windows

NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------

------------

Autorun entries in Registry subkeys

of:
HKCU\Software\Microsoft\Windows

NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------

------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\c

ommand

(Default) = "%1" %*

--------------------------------------

------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\c

ommand

(Default) = "%1" %*

--------------------------------------

------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\c

ommand

(Default) = "%1" %*

--------------------------------------

------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\c

ommand

(Default) = "%1" %*

--------------------------------------

------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\c

ommand

(Default) = "%1" /S

--------------------------------------

------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\c

ommand

(Default) =

C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------

------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\c

ommand

(Default) =

%SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------

------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active

Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f498

8}] *
StubPath =

C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e9

5}]
StubPath = C:\WINDOWS\inf\unregmp2.exe

/ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276

c}] *
StubPath =

C:\WINDOWS\system32\ie4uinit.exe

-UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347F

F}] *
StubPath = RunDLL32

IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347F

F}MICROS] *
StubPath = RunDLL32

IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88

a}] *
StubPath =

%systemroot%\system32\shmgrate.exe

OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED

}] *
StubPath =

%SystemRoot%\system32\regsvr32.exe /s

/n /i:/UserInstall

%SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C

}] *
StubPath = "%ProgramFiles%\Outlook

Express\setup50.exe" /APP:OE

/CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B

}] *
StubPath = rundll32.exe

advpack.dll,LaunchINFSection

C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Ins

tall.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be

}] *
StubPath = rundll32.exe

advpack.dll,LaunchINFSection

C:\WINDOWS\INF\msmsgs.inf,BLC.QuietIns

tall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6

}] *
StubPath = rundll32.exe

advpack.dll,LaunchINFSection

C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02

}] *
StubPath = "%ProgramFiles%\Outlook

Express\setup50.exe" /APP:WAB

/CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340

}] *
StubPath = regsvr32.exe /s /n /i:U

shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383

}] *
StubPath =

C:\WINDOWS\system32\ie4uinit.exe

-BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820

}] *
StubPath =

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\mscories.dll,Insta

ll

--------------------------------------

------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------

------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows

NT\CurrentVersion\WinLogon:

load=*Registry value not found*
HKLM\..\Windows

NT\CurrentVersion\WinLogon:

run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogo

n: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogo

n: run=*Registry key not found*
HKCU\..\Windows

NT\CurrentVersion\WinLogon:

load=*Registry value not found*
HKCU\..\Windows

NT\CurrentVersion\WinLogon:

run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogo

n: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogo

n: run=*Registry key not found*
HKCU\..\Windows

NT\CurrentVersion\Windows: load=
HKCU\..\Windows

NT\CurrentVersion\Windows:

run=*Registry value not found*
HKLM\..\Windows

NT\CurrentVersion\Windows:

load=*Registry value not found*
HKLM\..\Windows

NT\CurrentVersion\Windows:

run=*Registry value not found*
HKLM\..\Windows

NT\CurrentVersion\Windows:

AppInit_DLLs=

--------------------------------------

------------

Shell & screensaver key from

C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not

found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key

not found*
HKLM\..\Policies: Shell=*Registry

value not found*

--------------------------------------

------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not

present
C:\WINDOWS\System\Explorer.exe: not

present
C:\WINDOWS\System32\Explorer.exe: not

present
C:\WINDOWS\Command\Explorer.exe: not

present
C:\WINDOWS\Fonts\Explorer.exe: not

present

--------------------------------------

------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------

------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal

(regedit.exe %1)
- Company name OK: 'Microsoft

Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------

------------

Enumerating Browser Helper Objects:

(no name) - C:\Program

Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) -

C:\WINDOWS\system32\dla\tfswshx.dll -

{5CA3D70E-1895-11CF-8E15-001234567890}
NAV Helper - C:\Program Files\Norton

AntiVirus\NavShExt.dll -

{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}

--------------------------------------

------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job
Norton AntiVirus - Run Full System

Scan - Owner.job

--------------------------------------------------

Enumerating Download Program Files:

[SupportSoft SmartIssue]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsi.dll
CODEBASE = http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab

[SupportSoft RemoteControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ssrc.dll
CODEBASE = http://symantec.atgnow.com/sdccommon/download/ssrc.cab

[SupportSoft Listener Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sprtctlln.dll
CODEBASE = http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[HPSDDX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sdd.dll
CODEBASE = http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

[Citrix ICA Client]
InProcServer32 = C:\Progra~1\Citrix\icaweb32\WFICA.OCX
CODEBASE = http://www.runaware.com/dolphin/wficat.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138758955013

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[LinkSys Content Update]
InProcServer32 = C:\WINDOWS\system32\GTDownLS_125.ocx
CODEBASE = http://www.linksysfix.com/netcheck/67/install/gtdownls.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{DBA230D1-8467-4e69-987E-5FAE815A3B45}]

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\rsvpsp.dll
Protocol #17: C:\WINDOWS\system32\rsvpsp.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
BitDefender Scan Server: "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
CO_Mon: \??\C:\WINDOWS\system32\Drivers\CO_Mon.sys (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GoProto Protocol Driver: system32\DRIVERS\goprot51.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelC51: System32\DRIVERS\IntelC51.sys (manual start)
IntelC52: System32\DRIVERS\IntelC52.sys (manual start)
IntelC53: System32\DRIVERS\IntelC53.sys (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
mohfilt: System32\DRIVERS\mohfilt.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061230.018\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061230.018\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel NCS NetService: C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: system32\DRIVERS\NMnt.sys (manual start)
NetGroup Packet Filter Driver: system32\drivers\npf.sys (manual start)
Norton AntiVirus Firewall Monitor Service: "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" (autostart)
Norton Protection Center Service: "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE" (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Packet Capture Protocol v.0 (experimental): "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (system)
SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system)
Symantec AVScan: "C:\Program Files\Norton AntiVirus\SAVScan.exe" (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
spkrmon: C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E7B2CF4A-61BA-4A75-B9E7-34C8DA68EB61} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20061216.001\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Linksys Home Wireless-G USB Adaptor Driver: System32\DRIVERS\rt2500usb.sys (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BitDefender Communicator: "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\TEMP\4.tmp => C:\WINDOWS\system32\euoefhhs.dll|C:\WINDOWS\TEMP\11.tmp => C:\WINDOWS\system32\jhmqgbbu.dll|C:\WINDOWS\TEMP\12.tmp => C:\WINDOWS\system32\ptldeutp.dll|C:\WINDOWS\TEMP\13.tmp => C:\WINDOWS\system32\snpqmugy.dll|C:\WINDOWS\TEMP\14.tmp => C:\WINDOWS\system32\svcxukgb.dll|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,750 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

12/31/06 07:14:25 [Info]: BlackLight Engine 1.0.55 initialized
12/31/06 07:14:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/31/06 07:14:25 [Note]: 7019 4
12/31/06 07:14:25 [Note]: 7005 0
12/31/06 07:14:30 [Note]: 7006 0
12/31/06 07:14:30 [Note]: 7011 3300
12/31/06 07:14:30 [Note]: 7026 0
12/31/06 07:14:30 [Note]: 7026 0
12/31/06 07:14:37 [Note]: FSRAW library version 1.7.1021
12/31/06 07:17:09 [Note]: 2000 1012
12/31/06 07:20:24 [Note]: 7007 0
pat
Active Member
 
Posts: 7
Joined: December 31st, 2006, 7:51 am

Post by Shaba » December 31st, 2006, 9:30 am

Hi

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

In Killbox, in the menu, select Remove Item > Remove PendingFileRenameOperations
Then, in the menu again, select Tools > Delete Temp files

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\euoefhhs.dll
C:\WINDOWS\SYSTEM32\jhmqgbbu.dll
C:\WINDOWS\SYSTEM32\ptldeutp.dll
C:\WINDOWS\SYSTEM32\snpqmugy.dll
C:\WINDOWS\SYSTEM32\svcxukgb.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Send a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by pat » December 31st, 2006, 9:51 am

Logfile of HijackThis v1.99.1
Scan saved at 7:50:50 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/do ... gctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/do ... tctlln.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/ ... Signed.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8758955013
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A221F208-9F5B-4C6F-AD95-64E46F2C4456}: NameServer = 64.126.4.189,64.126.4.193
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: euoefhhs - euoefhhs.dll (file missing)
O20 - Winlogon Notify: jhmqgbbu - C:\WINDOWS\SYSTEM32\jhmqgbbu.dll
O20 - Winlogon Notify: ptldeutp - C:\WINDOWS\SYSTEM32\ptldeutp.dll
O20 - Winlogon Notify: snpqmugy - C:\WINDOWS\SYSTEM32\snpqmugy.dll
O20 - Winlogon Notify: svcxukgb - C:\WINDOWS\SYSTEM32\svcxukgb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
pat
Active Member
 
Posts: 7
Joined: December 31st, 2006, 7:51 am

Post by Shaba » December 31st, 2006, 9:57 am

Hi

Did you choose "all files" in Killbox? If not, please do the process again:

Please run Killbox.

In Killbox, in the menu, select Remove Item > Remove PendingFileRenameOperations
Then, in the menu again, select Tools > Delete Temp files

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\jhmqgbbu.dll
C:\WINDOWS\SYSTEM32\ptldeutp.dll
C:\WINDOWS\SYSTEM32\snpqmugy.dll
C:\WINDOWS\SYSTEM32\svcxukgb.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Send a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by pat » December 31st, 2006, 10:00 am

Logfile of HijackThis v1.99.1
Scan saved at 7:59:48 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/do ... gctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/do ... tctlln.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/ ... Signed.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8758955013
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A221F208-9F5B-4C6F-AD95-64E46F2C4456}: NameServer = 64.126.4.189,64.126.4.193
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: euoefhhs - euoefhhs.dll (file missing)
O20 - Winlogon Notify: jhmqgbbu - jhmqgbbu.dll (file missing)
O20 - Winlogon Notify: ptldeutp - ptldeutp.dll (file missing)
O20 - Winlogon Notify: snpqmugy - snpqmugy.dll (file missing)
O20 - Winlogon Notify: svcxukgb - svcxukgb.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
pat
Active Member
 
Posts: 7
Joined: December 31st, 2006, 7:51 am

Unread postby Shaba » December 31st, 2006, 10:05 am

Hi

Now it looks better :)

Open HijackThis, click do a system scan only and checkmark these:

O20 - Winlogon Notify: euoefhhs - euoefhhs.dll (file missing)
O20 - Winlogon Notify: jhmqgbbu - jhmqgbbu.dll (file missing)
O20 - Winlogon Notify: ptldeutp - ptldeutp.dll (file missing)
O20 - Winlogon Notify: snpqmugy - snpqmugy.dll (file missing)
O20 - Winlogon Notify: svcxukgb - svcxukgb.dll (file missing)


Close all windows including browser and press fix checked.

Reboot

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Send:

- a fresh HijackThis log
- kaspersky report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
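The O20 lines the helper singles out above are the part of a HijackThis log that most often carries this kind of infection: Winlogon Notify hooks whose DLL has a random eight-letter name and, after the Killbox pass, no longer exists on disk. The script below is an added example written for this thread, not part of HijackThis or of the helper's procedure; it parses log lines in the same format as the logs posted here and flags the O20 and O23 entries a helper would look at first. The sample lines are constructed (the WgaLogon path is filled in; the thread's log shows it truncated), and the "random-looking name" heuristic is this script's own assumption, not a HijackThis rule.

```python
"""Triage a HijackThis v1.99-style log for O20 Winlogon Notify hooks and
O23 services whose file is missing or whose name looks machine-generated.

Added example for this thread; not part of HijackThis. The sample log is
constructed in the same format as the thread's logs.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O20 - Winlogon Notify: jhmqgbbu - jhmqgbbu.dll (file missing)",
    r"O20 - Winlogon Notify: svcxukgb - svcxukgb.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll",
    r"O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe",
    r'O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)',
])

# Every HijackThis entry starts with a section tag such as O4, O20, O23, R0.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
# Heuristic (this script's assumption): eight lowercase letters, no path,
# is the naming pattern seen in the thread's O20 entries.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    path: str
    reasons: tuple


def parse_entries(log_text):
    """Yield (section, body) for each entry line; process lists and headers are ignored."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Return the O20/O23 entries that deserve a second look, with the reasons."""
    findings = []
    for section, body in parse_entries(log_text):
        reasons = []
        if section == "O20":
            m = WINLOGON_RE.match(body)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            # Winlogon Notify DLLs are registered under
            # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<name>
            # and are loaded by winlogon.exe at logon, which is why the key is
            # a persistence point. A hook whose DLL is gone is an orphan;
            # a random-looking name is a second independent signal.
            if "(file missing)" in path:
                reasons.append("file missing")
            if RANDOM_NAME_RE.match(name):
                reasons.append("random-looking name")
        elif section == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            # "Unknown owner" only means the binary carries no company name in
            # its version info (spkrmon is a legitimate sound driver), so it is
            # not a flag on its own; a service whose binary is missing is.
            if "(file missing)" in path:
                reasons.append("file missing")
        else:
            continue
        if reasons:
            findings.append(Finding(section, name, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {', '.join(f.reasons)}")
```

Run against the sample, the two random-named O20 hooks and the orphaned BitDefender service are reported, while WgaLogon (a real path, mixed-case name) and spkrmon (present on disk) are not. The O20 lines that HijackThis "Fix checked" removes are exactly the ones this reports with "file missing": the DLL was deleted by Killbox, and only the registry hook remains.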

Unread postby pat » December 31st, 2006, 11:17 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 31, 2006 9:15:02 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/12/2006
Kaspersky Anti-Virus database records: 255267
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 59569
Number of viruses found: 5
Number of infected objects: 20 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:55:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12192006-015507.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-31_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\207A22B3.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\346426CA.exe Infected: Trojan.Win32.Small.ju skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\37E216F1.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\37F368DF.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\History\History.IE5\MSHist012006123120070101\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8BE.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8CF.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0418NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP302\A0034454.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.am skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP312\A0035536.dll Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP312\A0035556.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP315\A0035727.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP327\A0036092.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP335\A0037152.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP336\A0037163.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP337\A0037169.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP346\A0039296.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP357\A0043064.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP357\A0043065.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP357\A0043067.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP358\A0043071.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP358\A0043072.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP358\A0043073.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP358\A0043074.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP389\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp00004e10\tmp00000000 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.




Logfile of HijackThis v1.99.1
Scan saved at 9:16:45 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/do ... gctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/do ... tctlln.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/ ... Signed.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8758955013
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/i ... downls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A221F208-9F5B-4C6F-AD95-64E46F2C4456}: NameServer = 64.126.4.189,64.126.4.193
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
pat
Active Member
 
Posts: 7
Joined: December 31st, 2006, 7:51 am

Unread postby Shaba » December 31st, 2006, 11:20 am

Hi

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\

Empty Recycle Bin

Otherwise looking good :)

How are things running now?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
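The Kaspersky report above lists twenty infected objects, yet the helper's only instruction is to empty the Norton quarantine folder, because every hit sits either in that quarantine or inside a System Restore point, where it is an inert copy rather than a running threat. The script below is an added example for this thread, not part of Kaspersky's scanner or of the helper's instructions; it sorts report lines by location so that the clean-up step follows from where the object lives. The sample lines are constructed in the report's format, and the `example_constructed.dll` line is invented to show what a live hit would look like.

```python
"""Group Kaspersky Online Scanner findings by where the object sits,
because that decides the clean-up step: quarantine folders and System
Restore points hold inert copies; anything else is still live.

Added example for this thread; not Kaspersky's or the helper's code.
"""
import re
from collections import defaultdict

# Constructed sample in the report's line format; the system32 line is invented.
SAMPLE_REPORT = "\n".join([
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\207A22B3.dll Infected: Trojan.Win32.BHO.g skipped",
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\346426CA.exe Infected: Trojan.Win32.Small.ju skipped",
    r"C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped",
    r"C:\System Volume Information\_restore{C4DAC7B2-6A92-4229-8B02-E10E7793D03F}\RP357\A0043065.exe Infected: Trojan.Win32.Small.ju skipped",
    r"C:\WINDOWS\system32\example_constructed.dll Infected: Trojan.Win32.BHO.g skipped",
    "Scan process completed.",
])

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# What each location means for the person cleaning the machine.
ACTIONS = {
    "quarantine": "inert copy held by the antivirus; empty the quarantine folder",
    "restore_point": "inert copy in a System Restore point; disable and re-enable System Restore",
    "live": "live file; needs removal and a fresh log",
}


def classify_location(path):
    """Map a scanned path to quarantine / restore_point / live."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def triage_report(text):
    """Return ({location: [(path, verdict), ...]}, locked_count)."""
    groups = defaultdict(list)
    locked = 0
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            groups[classify_location(m.group("path"))].append(
                (m.group("path"), m.group("verdict")))
            continue
        # Locked objects (registry hives, open logs) were not scanned at all;
        # they are counted so the reader knows the scan was not complete.
        if LOCKED_RE.match(line):
            locked += 1
    return dict(groups), locked


def summarize(groups):
    """One (location, count, action) row per location that had findings."""
    return [(loc, len(items), ACTIONS[loc]) for loc, items in sorted(groups.items())]


if __name__ == "__main__":
    groups, locked = triage_report(SAMPLE_REPORT)
    for loc, count, action in summarize(groups):
        print(f"{loc:14} {count:3}  {action}")
    print(f"{'locked':14} {locked:3}  not scanned")
```

For the thread's actual report every infected object falls into the first two groups, which is why "Empty this folder" plus the later "disable and re-enable System Restore" advice is the whole remediation; a non-empty `live` group is the case where the helper would have asked for more.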

Unread postby pat » December 31st, 2006, 11:48 am

Shaba,
Everything is working great!!!

Thank you
pat
Active Member
 
Posts: 7
Joined: December 31st, 2006, 7:51 am

Unread postby Shaba » December 31st, 2006, 12:09 pm

Great! :)

You're clean :)

You have two antiviruses; if both are up-to-date, you can either uninstall BitDefender or turn off its real-time protection; only one antivirus per computer.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable System Restore using the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future.


See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would antivirus software. A tutorial on installing & using this product can be found here:

    Instructions for - Spybot S & D and Ad-aware

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place

Happy surfing and stay clean!
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
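The HOSTS-file tip in the post above works because Windows consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never reaches the real site. The following is an added example, not code from this thread or from the MVPS project, that parses a HOSTS-style file and separates the two patterns a defender cares about: names blackholed to loopback (the blocking effect the MVPS file relies on) and names sent to a real address, which is the signature of a HOSTS file that has been tampered with to redirect a legitimate site. The sample file, hostnames and addresses are constructed for the example.

```python
"""Audit a Windows-style HOSTS file for blocking entries and suspicious redirects.

Added example (not from the MalwareRemoval.com thread or the MVPS project).
The sample HOSTS text below is constructed; the hostnames and addresses in it
are placeholders from reserved example ranges.
"""
import ipaddress

# Constructed sample: two MVPS-style block entries, the normal localhost
# lines, a comment, and one entry that redirects a name to a real address.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not the real MVPS file)
127.0.0.1       localhost
127.0.0.1       ads.example.net
0.0.0.0         tracker.example.org   # 0.0.0.0 is also used for blocking
198.51.100.7    update.example-av.com
::1             localhost
"""

BLACKHOLE_ADDRS = {"0.0.0.0"}  # unroutable target some blocklists use


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line with no hostname; ignore it
        addr = parts[0]
        for name in parts[1:]:  # one address may list several names
            yield addr, name.lower()


def is_blackhole(addr):
    """True when traffic to addr goes nowhere: loopback or 0.0.0.0."""
    if addr in BLACKHOLE_ADDRS:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not a valid IP literal; treat as a real target


def audit_hosts(text):
    """Classify HOSTS entries.

    Returns a dict with:
      'blocked'   - names sent to loopback / 0.0.0.0 (the blocking effect)
      'redirects' - (name, address) pairs sent to a real address; these are
                    what a tampered HOSTS file looks like and deserve a look
    'localhost' is expected to map to loopback and is not reported.
    """
    blocked, redirects = [], []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_blackhole(addr):
            blocked.append(name)
        else:
            redirects.append((name, addr))
    return {"blocked": blocked, "redirects": redirects}


def resolve_via_hosts(text, name):
    """Return the address the HOSTS file gives for name, or None.

    Windows uses the first matching line, so the first entry wins here too.
    """
    name = name.lower()
    for addr, host in parse_hosts(text):
        if host == name:
            return addr
    return None


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked names:", report["blocked"])
    for host, addr in report["redirects"]:
        print("REDIRECT (investigate):", host, "->", addr)
    print("ads.example.net resolves to", resolve_via_hosts(SAMPLE_HOSTS, "ads.example.net"))
```

Run it against a copy of `C:\Windows\System32\drivers\etc\hosts` (read the file and pass its text to `audit_hosts`) and any name listed under `redirects` is worth checking: a blocklist like MVPS only ever produces loopback or 0.0.0.0 entries, so a real address next to a vendor or update site did not come from the blocklist.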

Unread postby NonSuch » January 2nd, 2007, 2:30 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California