Go Back   Cyber Tech Help Support Forums > Software > Malware Removal
Reload this Page Annoying Popups and Infostealer,Winnfix etc: Moved from XP by Murray
Register FAQ Calendar Search Today's Active Topics Mark Forums Read

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
Page 1 of 2 1 2
 
Topic Tools
  #1  
Old April 18th, 2007, 04:28 PM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Annoying Popups and Infostealer,Winnfix etc: Moved from XP by Murray
I've tried numerous things to get rid of these annoying popups on one of my computer.My daughter got a virus from MSN by opening a file. I've run Vundo and it removed some files but they keep coming back, CCleaner, Rogue etc. I'll post a HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 10:04:49 AM, on 18/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Shaw Internet
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://my.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://corttheman.spaces.live.com//P...d/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://my.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://my.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Unknown owner - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Reply With Quote
  #2  
Old April 20th, 2007, 07:32 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
  
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi beaverman. Download Combofix.exe from here.

Doubleclick on combofix.exe and follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Disk Cleanup will run and then a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Copy this log in your next reply together with a new HijackThis log.

Also go here and download Silent Runners.vbs to a new folder on your Desktop (Clicking the the download link works if you use IE. If you use FireFox, rightclick on the link and choose "Save Link As") and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (make sure you wait for the popups please) Please post the information back in this thread too (you may need to make a couple of posts). If your antivirus program queries the script, allow it to run. It's not malicious.

In the meantime, I'll close your other topics to avoid duplication of effort.
Reply With Quote
  #3  
Old April 24th, 2007, 05:11 AM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Logs for hjt two more to follow
Logfile of HijackThis v1.99.1
Scan saved at 11:05:08 PM, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://my.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://corttheman.spaces.live.com//P...d/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://my.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://my.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Unknown owner - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Reply With Quote
  #4  
Old April 24th, 2007, 05:12 AM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Logs for combofix one to follow
"Owner" - 07-04-23 23:07:12 Service Pack 2
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))

2007-04-23 15:33 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-19 11:53 <DIR> d-------- C:\Avenger
2007-04-19 09:28 780,348 ---hs---- C:\WINDOWS\system32\wvvwa.bak1
2007-04-18 19:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-04-18 19:36 96,768 --a------ C:\Vundofix.exe.exe
2007-04-18 01:58 774,148 ---hs---- C:\WINDOWS\system32\wycdd.ini2
2007-04-18 01:48 773,640 ---hs---- C:\WINDOWS\system32\wycdd.bak1
2007-04-18 00:57 773,640 ---hs---- C:\WINDOWS\system32\ststv.bak1
2007-04-17 14:38 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-04-17 14:31 773,193 ---hs---- C:\WINDOWS\system32\kjkkj.ini2
2007-04-17 14:30 772,785 ---hs---- C:\WINDOWS\system32\kjkkj.bak1
2007-04-17 14:10 775,506 ---hs---- C:\WINDOWS\system32\onnmp.ini2
2007-04-17 13:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-17 13:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-17 13:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-17 13:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-04-17 10:33 188,928 --a------ C:\WINDOWS\system32\oo.exe
2007-04-02 02:46 <DIR> d-------- C:\!KillBox
2007-04-02 02:05 3,108 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-02 02:01 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-02 02:01 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-02 02:01 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-02 01:04 <DIR> d-------- C:\VundoFix Backups
2007-03-31 23:32 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-03-31 21:06 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))

2007-04-21 16:34 -------- d-------- C:\Program Files\norton systemworks
2007-04-17 10:33 141777 --------- C:\WINDOWS\system32\net.exe
2007-04-03 23:15 -------- d-------- C:\Program Files\yahoo!
2007-03-31 21:06 -------- d-------- C:\Program Files\msn messenger
2007-03-27 23:19 -------- d-------- C:\Program Files\msn encarta plus
2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 15:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run]
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d ,49,4e,53,54,5c,52,45,43,47,\
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72 ,65,61,74,6f,72,5c,52,65,6d,\
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.ex e"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.546 2\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"NoViewOnDrive"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"="McAfee AntiSpyware Shell Extension"
"{02805711-246B-40FD-9FA5-A9BA3F8783AD}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader \\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Install Pending Files.LNK"
"backup"="C:\\WINDOWS\\pss\\Install Pending Files.LNKCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SIFXINST\\SIFXINST.EX E /ApplyPending"
"item"="Install Pending Files"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EX E -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="ADeck"
"hkey"="HKLM"
"command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagen t.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="c:\\progra~1\\mcafee.com\\agent\\mcregw iz.exe /autorun"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupda te.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="MssCli"
"hkey"="HKLM"
"command"="c:\\progra~1\\mcafee\\MCAFEE~1\\MssCli. exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnph ost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\LiveUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job
C:\WINDOWS\tasks\Spybot - Search & Destroy.job
C:\WINDOWS\tasks\SUPERAntiSpyware Free Edition.job
************************************************** ******************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 23:08:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

************************************************** ******************
Completion time: 07-04-23 23:08:55
C:\ComboFix-quarantined-files.txt ... 07-04-23 23:08
C:\ComboFix2.txt ... 07-04-23 15:33
Reply With Quote
  #5  
Old April 24th, 2007, 05:12 AM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Logs for silent runners
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1" ["Adobe Systems Incorporated"]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe" ["Google Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"VTTrayp" = "VTtrayp.exe" ["S3 Graphics Co., Ltd."]
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE"
"Reminder" = "C:\WINDOWS\Creator\Remind_XP.exe"
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"AudioDeck" = "C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1" ["VIA Technologies, Inc."]
"osCheck" = ""C:\Program Files\Norton AntiVirus\osCheck.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "c:\progra~1\mcafee\mcafee antispyware\mssshell.dll" ["McAfee, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "c:\progra~1\mcafee\mcafee antispyware\mssshell.dll" ["McAfee, Inc."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
HKLM\Software\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandler s\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\
"NoDrives" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoViewOnDrive" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Loca l Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------
"Ad-Aware SE Personal" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" ["Lavasoft Sweden"]
"LiveUpdate" -> launches: "C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Run Full System Scan - Owner" -> launches: "C:\PROGRA~1\NORTON~2\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Spybot - Search & Destroy" -> launches: "C:\PROGRA~1\SPYBOT~1\SpybotSD.exe" ["Safer Networking Limited"]
"SUPERAntiSpyware Free Edition" -> launches: "C:\PROGRA~1\SUPERA~1\SUPERA~1.EXE" ["SUPERAntiSpyware.com"]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]
{5E638779-1818-4754-A595-EF1C63B87A56}\
"ButtonText" = "Express Cleanup"
"MenuText" = "Express Cleanup"
"Exec" = "C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk" [null data]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Norton UnErase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE" ["Symantec Corporation"]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB. EXE" ["Symantec Corporation"]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monito rs\
Canon BJ Language Monitor S600\Driver = "CNMLM2v.DLL" ["CANON INC."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 59 seconds, including 18 seconds for message boxes)
Reply With Quote
  #6  
Old April 24th, 2007, 05:14 AM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Sorry it took so long. Work!!!!!!
Reply With Quote
  #7  
Old April 24th, 2007, 05:36 PM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
  
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
No Problem.

Can you please run one more utility. Go here and download reglooks.exe to your Desktop. Doubleclick on it to run it and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.
Reply With Quote
  #8  
Old April 24th, 2007, 11:08 PM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Reglooks log
Here is the reglooks log.

REGLOOKS logfile
version 0.970
24/04/2007 17:03:25.32
running from: "C:\Documents and Settings\Owner\Desktop"
--- SSODL regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found

--- STS regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found

--- USERINIT regkey ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.ex e,"

--- SHELL regkey ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"

--- SYSTEM regkey ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""

--- APPINIT_DLLS regkey ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""

--- NOTIFY regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

--- BOOTEXECUTE regkey ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager
BootExecute= autocheck autochk *\0\0

--- SHELLEXECUTEHOOKS regkey ---
HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"="McAfee AntiSpyware Shell Extension"
"{02805711-246B-40FD-9FA5-A9BA3F8783AD}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

--- AUTORUN regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun"=""

--- HKLM\Run regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d ,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72 ,65,61,74,6f,72,5c,52,65,6d,\
69,6e,64,5f,58,50,2e,65,78,65,00
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
[run\OptionalComponents]
[run\OptionalComponents\IMAIL]
"Installed"="1"
[run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[run\OptionalComponents\MSFS]
"Installed"="1"

--- HKLM\RunOnce regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce
no HKLM RunOnce keys found

--- HKLM\RunOnceEx regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx
no HKLM RunOnceEx keys found

--- HKLM\RunServices regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices
no HKLM RunServices keys found

--- HKLM\RunServicesOnce regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServicesOnce
regkey does not exist

--- HKCU\Run regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.ex e"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.546 2\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

--- HKCU\RunOnce regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce
no HKCU RunOnce keys found

--- HKCU\RunOnceEx regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnceEx
regkey does not exist

--- HKCU\RunServices regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunServices
no HKCU RunServices keys found

--- HKCU\RunServicesOnce regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunServicesOnce
regkey does not exist

--- HKU\.DEFAULT\Run regkeys ---
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EX E"

--- HKU\S-1-5-18\Run regkeys ---
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EX E"

--- HKU\S-1-5-19\Run regkeys ---
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-19\Run keys found

--- HKU\S-1-5-20\Run regkeys ---
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-20\Run keys found

--- HKLM\Explorer\Run regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found

--- HKCU\Explorer\Run regkeys ---
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer\Run
no HKCU Explorer\Run keys found

--- Image File Execution regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found

--- BROWSER HELPER OBJECTS regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects
no bho's found

--- TOOLBAR regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" FILE ="c:\\program files\\google\\googletoolbar5.dll"

--- URLSEARCHHOOKS regkeys ---
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found

--- SRCEENSAVER regkey ---
HKEY_CURRENT_USER\Control Panel\Desktop
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\ss3dfo. scr"

--- CONTEXTMENUHANDLERS regkeys ---
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Symantec.Norton.Antivirus.IEContextMenu" CLSID ={FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} FILE ="C:\\PROGRA~1\\NORTON~2\\NavShExt.dll"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\PROGRA~1\\WINZIP\\WZSHLSTB.DLL"
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHan dlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\PROGRA~1\\WINZIP\\WZSHLSTB.DLL"
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandle rs
"Symantec.Norton.Antivirus.IEContextMenu" CLSID ={FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} FILE ="C:\\PROGRA~1\\NORTON~2\\NavShExt.dll"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\PROGRA~1\\WINZIP\\WZSHLSTB.DLL"

--- ALTERNATESHELL regkey ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot
"AlternateShell"="cmd.exe"

--- SAFEBOOT MINIMAL SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal
no unknown services found

--- SAFEBOOT NETWORK SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Network
no unknown services found

--- SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Automatic LiveUpdate Scheduler
"DisplayName"="Automatic LiveUpdate Scheduler"
"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\CCALib8
"DisplayName"="Canon Camera Access Library 8"
C:\Program Files\Canon\CAL\CALMAIN.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ccEvtMgr
"DisplayName"="Symantec Event Manager"
"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ccSetMgr
"DisplayName"="Symantec Settings Manager"
"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\CLTNetCnService
"DisplayName"="Symantec Lic NetConnect service"
"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\CO_Mon
"DisplayName"="CO_Mon"
\??\C:\WINDOWS\system32\Drivers\CO_Mon.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\DC21x4
"DisplayName"="DC21x4 Based Network Adapter Driver"
system32\DRIVERS\dc21x4.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\eeCtrl
"DisplayName"="Symantec Eraser Control driver"
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\EraserUtilRebootDrv
"DisplayName"="EraserUtilRebootDrv"
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\FETND5BV
"DisplayName"="VIA Rhine-Family Fast Ethernet Adapter Driver Service"
system32\DRIVERS\fetnd5bv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\gusvc
"DisplayName"="Google Updater Service"
"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\HSFHWBS2
system32\DRIVERS\HSFHWBS2.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\HSF_DP
system32\DRIVERS\HSF_DP.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ISPwdSvc
"DisplayName"="Symantec IS Password Validation"
"C:\Program Files\Norton AntiVirus\isPwdSvc.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\LiveUpdate
"DisplayName"="LiveUpdate"
"C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\LiveUpdate Notice Ex
"DisplayName"="LiveUpdate Notice Service Ex"
"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\LiveUpdate Notice Service
"DisplayName"="LiveUpdate Notice Service"
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\McAfeeAntiSpyware
"DisplayName"="McAfee AntiSpyware Real-Time Scanner"
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\mcupdmgr.exe
"DisplayName"="McAfee SecurityCenter Update Manager"
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\NAVENG
"DisplayName"="NAVENG"
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\2007042 4.020\NAVENG.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\NAVEX15
"DisplayName"="NAVEX15"
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\2007042 4.020\NAVEX15.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\NPDriver
"DisplayName"="Norton UnErase Protection Driver"
\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\NProtectService
"DisplayName"="Norton UnErase Protection"
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\P3
"DisplayName"="Intel PentiumIII Processor Driver"
system32\DRIVERS\p3.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\PrismXL
"DisplayName"="PrismXL"
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SASDIFSV
"DisplayName"="SASDIFSV"
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SASENUM
"DisplayName"="SASENUM"
\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SASKUTIL
"DisplayName"="SASKUTIL"
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SDdriver
"DisplayName"="SDdriver"
\??\C:\WINDOWS\system32\Drivers\sddriver.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Serenum
"DisplayName"="Serenum Filter Driver"
system32\DRIVERS\serenum.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SPBBCDrv
"DisplayName"="SPBBCDrv"
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Speed Disk service
"DisplayName"="Speed Disk service"
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Symantec Core LC
"DisplayName"="Symantec Core LC"
"C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SymAppCore
"DisplayName"="Symantec AppCore Service"
"C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SYMDNS
\SystemRoot\System32\Drivers\SYMDNS.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SymEvent
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SYMFW
\SystemRoot\System32\Drivers\SYMFW.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SYMIDS
\SystemRoot\System32\Drivers\SYMIDS.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SYMIDSCO
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20070417.002\SymIDSCo.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\symlcbrd
"DisplayName"="symlcbrd"
\??\C:\WINDOWS\system32\drivers\symlcbrd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SYMNDIS
\SystemRoot\System32\Drivers\SYMNDIS.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SYMREDRV
\SystemRoot\System32\Drivers\SYMREDRV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SYMTDI
"DisplayName"="SYMTDI"
\SystemRoot\System32\Drivers\SYMTDI.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\USB
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\usnjsvc
"DisplayName"="Messenger Sharing Folders USN Journal Reader service"
"C:\Program Files\MSN Messenger\usnsvc.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\VIA Codec Default
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\winachsf
system32\DRIVERS\HSF_CNXT.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\{407AF60F-1764-4996-BB52-CF7B7EB3059B}
no imagepath value found

--- SECURITYPROVIDERS regkey ---
HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

--- SVCHOST regkey ---
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
HTTPFilter: HTTPFilter\0\0
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnph ost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServ er\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCom patibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServ er\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntm ssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\ 0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedacc ess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0 WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0B ITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN \0\0
DcomLaunch: DcomLaunch\0TermService\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0
WudfServiceGroup: WUDFSvc\0\0

--- WOW-CMDLINE regkeys ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

--- STARTUP FOLDERS ---
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

--- TASK SCHEDULER JOBS ---
C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\LiveUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Owner.job
C:\WINDOWS\tasks\Spybot - Search & Destroy.job
C:\WINDOWS\tasks\SUPERAntiSpyware Free Edition.job

--- File associations ---
.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

FINISHED
Thanx a lot for all the time.
Reply With Quote
  #9  
Old April 24th, 2007, 11:21 PM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Also I've run Vundo and at some point it found some undesirable System32 logs and deleted them. I've run CCleaner also.
Reply With Quote
  #10  
Old April 25th, 2007, 01:36 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
  
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Can you post the contents of C:\Vundo.txt please beaverman so I can see what it removed.
Reply With Quote
  #11  
Old April 25th, 2007, 01:07 PM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Nothing is coming up when I run Vundo. When I run Super Anti Spyware a Vundo variant shows up in the C:\RECYCLER\NPROTECT\00003188.DLL
No doubt a previuos Vundo that was removed.
Reply With Quote
  #12  
Old April 26th, 2007, 03:46 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
  
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Download The Avenger from here http://swandog46.geekstogo.com/avenger.zip to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy"

Code:
Files to delete:
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\wycdd.bak1
C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\oo.exe
Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, rightclick and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. When you have rebooted, a black command window briefly opens on your desktop, this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt, a new Hijack This log and a new Silent Runners log.
Reply With Quote
  #13  
Old April 26th, 2007, 05:05 AM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Here are the logs
Hjt
Logfile of HijackThis v1.99.1
Scan saved at 11:01:59 PM, on 25/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://my.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://corttheman.spaces.live.com//P...d/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://my.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://my.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Unknown owner - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Reply With Quote
  #14  
Old April 26th, 2007, 05:07 AM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
Silent runners
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1" ["Adobe Systems Incorporated"]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe" ["Google Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"VTTrayp" = "VTtrayp.exe" ["S3 Graphics Co., Ltd."]
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE"
"Reminder" = "C:\WINDOWS\Creator\Remind_XP.exe"
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"AudioDeck" = "C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1" ["VIA Technologies, Inc."]
"osCheck" = ""C:\Program Files\Norton AntiVirus\osCheck.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{63da6ec0-2e98-11cf-8d82-444553540000}" = "FTP Folders Webview"
-> {HKLM...CLSID} = "Microsoft FTP Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msieftp.dll" [MS]
"{883373C3-BF89-11D1-BE35-080036B11A03}" = "Microsoft DocProp Shell Ext"
-> {HKLM...CLSID} = "Microsoft DocProp Shell Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsquery.dll" [MS]
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" = "Directory Object Find"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsuiext.dll" [MS]
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}" = "Microsoft Agent Character Property Sheet Handler"
-> {HKLM...CLSID} = "Microsoft Agent Character Property Sheet Handler"
\InProcServer32\(Default) = "C:\WINDOWS\msagent\agentpsh.dll" [MS]
"{1D2680C9-0E2A-469d-B787-065558BC7D43}" = "Fusion Cache"
-> {HKLM...CLSID} = "Fusion Cache"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "c:\progra~1\mcafee\mcafee antispyware\mssshell.dll" ["McAfee, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "c:\progra~1\mcafee\mcafee antispyware\mssshell.dll" ["McAfee, Inc."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
HKLM\Software\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [null data]
HKLM\Software\Classes\Folder\shellex\ColumnHandler s\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~2\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\
"NoDrives" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoViewOnDrive" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
"Colors" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Loca l Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ss3dfo.scr" [MS]

Enabled Scheduled Tasks:
------------------------
"Ad-Aware SE Personal" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" ["Lavasoft Sweden"]
"LiveUpdate" -> launches: "C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Run Full System Scan - Owner" -> launches: "C:\PROGRA~1\NORTON~2\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Spybot - Search & Destroy" -> launches: "C:\PROGRA~1\SPYBOT~1\SpybotSD.exe" ["Safer Networking Limited"]
"SUPERAntiSpyware Free Edition" -> launches: "C:\PROGRA~1\SUPERA~1\SUPERA~1.EXE" ["SUPERAntiSpyware.com"]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar5.dll" ["Google Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [null data]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]
{5E638779-1818-4754-A595-EF1C63B87A56}\
"ButtonText" = "Express Cleanup"
"MenuText" = "Express Cleanup"
"Exec" = "C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk" [null data]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Norton UnErase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE" ["Symantec Corporation"]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB. EXE" ["Symantec Corporation"]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monito rs\
Canon BJ Language Monitor S600\Driver = "CNMLM2v.DLL" ["CANON INC."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 79 seconds, including 4 seconds for message boxes)
Reply With Quote
  #15  
Old April 26th, 2007, 05:08 AM
beaverman beaverman is offline
Member
  
Join Date: Dec 2004
Posts: 43
And Avenger
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\xeqdkugx
*******************
Script file located at: \??\C:\sucoiowv.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\wvvwa.bak1 deleted successfully.
File C:\WINDOWS\system32\wycdd.ini2 deleted successfully.
File C:\WINDOWS\system32\wycdd.bak1 deleted successfully.
File C:\WINDOWS\system32\ststv.bak1 deleted successfully.
File C:\WINDOWS\system32\kjkkj.ini2 deleted successfully.
File C:\WINDOWS\system32\kjkkj.bak1 deleted successfully.
File C:\WINDOWS\system32\onnmp.ini2 deleted successfully.
File C:\WINDOWS\system32\oo.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Reply With Quote
Reply
Page 1 of 2 1 2

Bookmarks

« Previous Topic | Next Topic »
Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
PLEASE HELP!!! (Adaware, popups, etc.) Moved from XP by Murray RubyQT Malware Removal 33 October 31st, 2008 10:56 PM
to stop spyware and malware popups: Moved from WinNT by Murray padmee Malware Removal 9 December 6th, 2007 12:17 PM
really annoying toolbar: Moved from XP by Murray Ian S Malware Removal 1 December 1st, 2006 02:20 PM
VERY annoying popup, please help!: Moved from XP by Murray overkill Malware Removal 4 September 19th, 2006 11:57 PM
Very slow, too many popups.. Please Help!!!: Moved from XP by Murray erinz2418 Malware Removal 0 July 11th, 2006 06:41 PM


All times are GMT +1. The time now is 05:22 AM.