
Help, I think I have a trojan conhooker virus and I can't get rid of it

Discussion in 'Windows - Virus and spyware problems' started by sparky322, Jan 12, 2008.

  1. KotaGuy (Regular member)

    No problem :)

    The ComboFix scan may show other files that have been infected as well.

    This new version of Vundo can be a right pain to get rid of.
     
  2. sparky322 (Member)

    The VundoFix log file shows the file deleted, but here is the report:

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 11:07:41 PM 1/2/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\byteaqou.dll
    C:\WINDOWS\system32\chjufjuc.ini
    C:\WINDOWS\system32\cujfujhc.dll
    C:\WINDOWS\system32\ddafqqqu.dll
    C:\WINDOWS\system32\gmmetpti.dll
    C:\WINDOWS\system32\gqwecopj.dll
    C:\WINDOWS\system32\gsscikti.dll
    C:\WINDOWS\system32\gypqyghg.dll
    C:\WINDOWS\system32\hrmnpftw.dll
    C:\WINDOWS\system32\idymjlvi.dll
    C:\WINDOWS\system32\kawpcesa.dll
    C:\WINDOWS\system32\kceypbrt.dll
    C:\WINDOWS\system32\khfgggg.dll
    C:\WINDOWS\system32\kkcvhwbn.dll
    C:\WINDOWS\system32\pnuufvoe.dll
    C:\WINDOWS\system32\rcvuustn.dll
    C:\WINDOWS\system32\rypbunai.dll
    C:\WINDOWS\system32\vwtyknjm.dll
    C:\WINDOWS\system32\xisdgpxq.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\byteaqou.dll
    C:\WINDOWS\system32\byteaqou.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\chjufjuc.ini
    C:\WINDOWS\system32\chjufjuc.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cujfujhc.dll
    C:\WINDOWS\system32\cujfujhc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddafqqqu.dll
    C:\WINDOWS\system32\ddafqqqu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gmmetpti.dll
    C:\WINDOWS\system32\gmmetpti.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gqwecopj.dll
    C:\WINDOWS\system32\gqwecopj.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gsscikti.dll
    C:\WINDOWS\system32\gsscikti.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gypqyghg.dll
    C:\WINDOWS\system32\gypqyghg.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hrmnpftw.dll
    C:\WINDOWS\system32\hrmnpftw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\idymjlvi.dll
    C:\WINDOWS\system32\idymjlvi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kawpcesa.dll
    C:\WINDOWS\system32\kawpcesa.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\kceypbrt.dll
    C:\WINDOWS\system32\kceypbrt.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\khfgggg.dll
    C:\WINDOWS\system32\khfgggg.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\kkcvhwbn.dll
    C:\WINDOWS\system32\kkcvhwbn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pnuufvoe.dll
    C:\WINDOWS\system32\pnuufvoe.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rcvuustn.dll
    C:\WINDOWS\system32\rcvuustn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rypbunai.dll
    C:\WINDOWS\system32\rypbunai.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vwtyknjm.dll
    C:\WINDOWS\system32\vwtyknjm.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xisdgpxq.dll
    C:\WINDOWS\system32\xisdgpxq.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 12:28:38 PM 1/12/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\bduxkptl.dll
    C:\WINDOWS\system32\drgjjhtr.ini
    C:\WINDOWS\system32\drhdjrty.dll
    C:\WINDOWS\system32\hnbojndg.exe
    C:\WINDOWS\system32\hwabwymj.dll
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\isvunuey.dll
    C:\WINDOWS\system32\lxgtdxtt.dll
    C:\WINDOWS\system32\NeroCheck.exe
    C:\WINDOWS\system32\pcfihoaw.dll
    C:\WINDOWS\system32\rthjjgrd.dll
    C:\WINDOWS\system32\ssvpdqdi.dll
    C:\WINDOWS\system32\svgulryv.dll
    C:\WINDOWS\system32\ttxdtgxl.ini
    C:\WINDOWS\system32\ujqgadkd.dll
    C:\WINDOWS\system32\yddigdyk.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\bduxkptl.dll
    C:\WINDOWS\system32\bduxkptl.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\drgjjhtr.ini
    C:\WINDOWS\system32\drgjjhtr.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\drhdjrty.dll
    C:\WINDOWS\system32\drhdjrty.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hnbojndg.exe
    C:\WINDOWS\system32\hnbojndg.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hwabwymj.dll
    C:\WINDOWS\system32\hwabwymj.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxtray.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\isvunuey.dll
    C:\WINDOWS\system32\isvunuey.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lxgtdxtt.dll
    C:\WINDOWS\system32\lxgtdxtt.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\NeroCheck.exe
    C:\WINDOWS\system32\NeroCheck.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pcfihoaw.dll
    C:\WINDOWS\system32\pcfihoaw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rthjjgrd.dll
    C:\WINDOWS\system32\rthjjgrd.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\ssvpdqdi.dll
    C:\WINDOWS\system32\ssvpdqdi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\svgulryv.dll
    C:\WINDOWS\system32\svgulryv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ttxdtgxl.ini
    C:\WINDOWS\system32\ttxdtgxl.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ujqgadkd.dll
    C:\WINDOWS\system32\ujqgadkd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yddigdyk.dll
    C:\WINDOWS\system32\yddigdyk.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\rthjjgrd.dll
    C:\WINDOWS\system32\rthjjgrd.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 8:28:51 PM 1/12/2008

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 3:54:25 PM 1/16/2008

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 4:13:11 PM 1/16/2008

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll
    C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Looking at the last couple of posts, they are completely over my head... so I think what I got from them is that I still have some work to do in order to get rid of this thing, so let me know the next step whenever you guys can. Thanks again for all the work so far!
     
  3. Niobis (Active member)

    Thanks for the VundoFix log. KotaGuy pointed out the Vundo has infected other files. ComboFix will show us these.

    Download ComboFix.exe to the desktop from here.
    Open ComboFix.exe and follow the prompts.
    Note: Do not mouse-click ComboFix's window while it's running; it may cause it to stall.
    When finished, it will produce a log for you. Please post that log.
     
    Last edited: Jan 17, 2008
  4. sparky322 (Member)

    Here is the log file from the ComboFix program:
    ComboFix 08-01-18.1 - Owner 2008-01-17 16:45:02.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.116 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\adaway.lic
    C:\WINDOWS\smante~1
    C:\WINDOWS\system32\altgkkid.ini
    C:\WINDOWS\system32\chxkcksg.ini
    C:\WINDOWS\system32\dkdagqju.ini
    C:\WINDOWS\system32\dobe~1
    C:\WINDOWS\system32\eftxjpkb.ini
    C:\WINDOWS\system32\ghgyqpyg.ini
    C:\WINDOWS\system32\ieeaietj.ini
    C:\WINDOWS\system32\jpihyvlm.ini
    C:\WINDOWS\system32\nehgkgvr.ini
    C:\WINDOWS\system32\pgdksury.ini
    C:\WINDOWS\system32\qlqvqarv.ini
    C:\WINDOWS\system32\rcigiqjb.ini
    C:\WINDOWS\system32\trbpyeck.ini
    C:\WINDOWS\system32\uvwtjwvr.ini
    C:\WINDOWS\system32\vlrecmki.ini
    C:\WINDOWS\system32\vpssojsc.ini
    C:\WINDOWS\system32\vyrlugvs.ini
    C:\WINDOWS\system32\wfnvbsym.ini
    C:\WINDOWS\system32\wtfpnmrh.ini
    C:\WINDOWS\system32\wwenginb.ini
    C:\WINDOWS\system32\xecbislv.ini
    C:\WINDOWS\system32\xqsinkph.ini

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
    .

    2008-01-17 16:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-17 16:39 . 2008-01-17 16:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-17 16:39 . 2008-01-17 16:39 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-15 17:43 . 2008-01-15 17:43 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-01-15 16:59 . 2008-01-16 16:30 1,625,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-15 16:59 . 2008-01-16 16:30 39,712 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-15 16:59 . 2008-01-16 16:30 22,844 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-15 16:59 . 2008-01-16 16:30 4,796 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-15 16:53 . 2008-01-15 16:53 <DIR> d-------- C:\KAV
    2008-01-15 16:43 . 2008-01-15 16:43 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-12 15:47 . 2008-01-16 16:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-12 15:44 . 2008-01-12 15:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-12 15:44 . 2008-01-12 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 15:44 . 2008-01-12 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-12 15:23 . 2008-01-16 20:08 <DIR> d-------- C:\HijackThis
    2008-01-12 13:23 . 2008-01-12 13:23 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-12 13:01 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-12 13:00 . 2008-01-12 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
    2008-01-12 11:35 . 2008-01-12 11:35 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-12 11:35 . 2008-01-12 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-12 11:34 . 2008-01-12 11:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-04 04:50 . 2008-01-04 04:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
    2008-01-03 19:34 . 2008-01-05 13:07 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
    2008-01-02 23:25 . 2008-01-05 13:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-02 23:07 . 2008-01-16 20:03 <DIR> d-------- C:\VundoFix Backups
    2008-01-02 21:55 . 2008-01-04 17:34 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-01-02 21:55 . 2008-01-03 16:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-02 21:55 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-01-02 21:52 . 2008-01-02 23:19 <DIR> d-------- C:\Program Files\Norton Security Scan
    2008-01-02 21:35 . 2008-01-09 15:44 13,312 --a------ C:\WINDOWS\system32\ctfmon .exe
    2007-12-26 15:55 . 2008-01-09 15:43 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
    2007-12-24 12:59 . 2008-01-16 20:13 <DIR> d-------- C:\Program Files\iTunes
    2007-12-24 12:59 . 2007-12-24 12:59 <DIR> d-------- C:\Program Files\iPod
    2007-12-24 12:52 . 2008-01-12 16:35 <DIR> d-------- C:\Program Files\QuickTime
    2007-12-24 12:47 . 2007-12-24 12:47 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-12-24 12:47 . 2007-12-24 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-12-24 11:39 . 2007-12-24 11:39 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Apple Computer
    2007-12-24 11:35 . 2004-06-23 13:39 <DIR> d--h----- C:\Documents and Settings\Katie\WLANProfiles
    2007-12-24 11:35 . 2004-06-23 13:17 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Symantec
    2007-12-24 11:35 . 2004-06-23 14:18 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\CyberLink

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-17 01:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
    2008-01-16 01:05 --------- d-----w C:\Program Files\OpenOffice.org 2.2
    2008-01-13 05:39 --------- d-----w C:\Program Files\Yahoo!
    2008-01-12 21:33 --------- d-----w C:\Program Files\SymNetDrv
    2008-01-12 21:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-12 16:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
    2007-12-04 22:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2007-12-02 03:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
    .
    ----a-w           185,632 2008-01-04 22:45:01  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w            71,280 2008-01-04 22:44:46  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w           124,096 2008-01-12 17:42:23  C:\Program Files\Common Files\Symantec Shared\CfgWiz .exe
    ----a-w            32,768 2008-01-12 17:42:25  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w            86,016 2008-01-09 20:43:54  C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr .exe
    ----a-w           267,048 2008-01-12 17:42:38  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w            77,824 2008-01-12 17:42:28  C:\Program Files\Java\jre1.6.0\bin\jusched .exe
    ----a-w            53,248 2008-01-04 22:44:50  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
    ----a-w           286,720 2008-01-01 22:33:11  C:\Program Files\QuickTime\qttask .exe
    ----a-w         1,065,288 2008-01-03 20:54:17  C:\Program Files\Spyware Doctor\SDTrayApp .exe
    ----a-w         1,318,912 2008-01-04 22:45:26  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
    ----a-w            95,960 2008-01-12 17:42:28  C:\Program Files\SymNetDrv\SNDMon .exe
    ----a-w           499,712 2008-01-12 17:42:29  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    ----a-w            98,304 2008-01-12 17:42:28  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
    ----a-w            13,312 2008-01-09 20:44:10  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           155,648 2008-01-09 20:43:54  C:\WINDOWS\system32\NeroCheck .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 07:00 13312]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
    "PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [ ]
    "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 15:44 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 C:\WINDOWS\system32\LgNotify.dll

    R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\System32\DRIVERS\rmedia.sys [2003-10-20 21:09]
    R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\System32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
    S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\System32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-03-23 11:17:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-05 17:48:12 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    "2008-01-03 02:52:41 C:\WINDOWS\Tasks\Norton Security Scan.job"
    - C:\Program Files\Norton Security Scan\Nss.exe
    "2006-12-10 00:51:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-18 16:53:36
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-18 16:56:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-18 21:56:40
     
  5. Niobis (Active member)

    Open Notepad.
    Copy all the text in bold, then paste it into Notepad.

    Folder::
    C:\VundoFix Backups

    File::
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\NeroCheck .exe

    RenV::
    C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    C:\Program Files\Common Files\Symantec Shared\CfgWiz .exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Java\jre1.6.0\bin\jusched .exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Spyware Doctor\SDTrayApp .exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
    C:\Program Files\SymNetDrv\SNDMon .exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\NeroCheck .exe



    Name the file CFScript.txt and save it to your desktop.
    Click, drag and drop the CFScript.txt onto the ComboFix.exe icon.
    ComboFix will now run a scan on your system. It may reboot your system when it finishes.
    When finished, it will produce a log for you.
    Please post that log along with a new HijackThis log.
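A defender-side check for what the CFScript above is acting on, as an added example (not ComboFix's code and not anything posted in this thread): it scans a ComboFix log for look-alike file names with a space before the extension (ctfmon .exe, NeroCheck .exe) and for Run-key entries whose details ComboFix left blank ([ ]), then emits a RenV:: block in the CFScript form used in the post above. The log layout it parses, the SAMPLE_LOG excerpt (constructed from the logs in this thread) and the function names are the example's own assumptions; no ComboFix behaviour beyond the RenV:: syntax shown above is assumed.

```python
"""Flag look-alike file names and unverified autorun entries in a ComboFix log.

Added example for the thread above; not ComboFix's own code or anything the
forum helpers posted. It assumes only the plain-text layout seen in the logs
above: a REGEDIT4-style "Reg Loading Points" section whose Run keys hold
"name"="path" [date time size] lines, and file listings whose lines end in a
full path. SAMPLE_LOG is a constructed excerpt built from those logs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "name"="path" [details]; the details are empty, "[ ]", for some entries.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
# Only [...\CurrentVersion\Run] keys are treated as autorun keys here.
RUN_KEY_RE = re.compile(r'^\[HK.*\\CurrentVersion\\Run\]$', re.IGNORECASE)
# Whitespace immediately before the final extension, e.g. "ctfmon .exe".
SPACE_BEFORE_EXT_RE = re.compile(r'\s\.[A-Za-z0-9]{1,4}$')
# A Windows path somewhere in a listing line, taken to the end of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\.*$')

# Constructed excerpt assembled from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.
2008-01-17 16:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 21:35 . 2008-01-09 15:44 13,312 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-26 15:55 . 2008-01-09 15:43 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 07:00 13312]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 C:\WINDOWS\system32\LgNotify.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # "space_before_ext" or "unverified_autorun"
    path: str
    context: str   # registry value name, or "file listing"


def space_before_extension(path: str) -> bool:
    """True for names such as 'ctfmon .exe' that mimic a legitimate program."""
    return SPACE_BEFORE_EXT_RE.search(path) is not None


def scan_combofix_log(text: str) -> list[Finding]:
    """Return findings in log order, with duplicate (kind, path) pairs dropped."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()

    def add(kind: str, path: str, context: str) -> None:
        if (kind, path) not in seen:
            seen.add((kind, path))
            findings.append(Finding(kind, path, context))

    in_run_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # A registry key header: remember whether it is a Run key.
            in_run_key = RUN_KEY_RE.match(line) is not None
            continue
        value = RUN_VALUE_RE.match(line)
        if in_run_key and value:
            path, meta = value.group("path"), value.group("meta").strip()
            if space_before_extension(path):
                add("space_before_ext", path, value.group("name"))
            if not meta:
                # ComboFix left the date/size blank: verify this target by hand.
                add("unverified_autorun", path, value.group("name"))
            continue
        found = PATH_RE.search(line)
        if found and space_before_extension(found.group(0)):
            add("space_before_ext", found.group(0), "file listing")
    return findings


def renv_block(findings: list[Finding]) -> str:
    """Build a RenV:: section in the CFScript form used in the post above.

    Only the look-alike names go in. Deciding which of them should instead be
    deleted with File:: (as the helper did for two of them) is left to a human.
    """
    paths = sorted({f.path for f in findings if f.kind == "space_before_ext"})
    return "RenV::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    results = scan_combofix_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:20} {f.context:18} {f.path}")
    print(renv_block(results))
```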
     
  6. sparky322 (Member)

    Here is the ComboFix log:

    ComboFix 08-01-18.1 - Owner 2008-01-19 15:51:35.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.129 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\NeroCheck .exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\VundoFix Backups
    C:\VundoFix Backups\addmorefiles.txt
    C:\VundoFix Backups\byvtu.dll .bad
    C:\VundoFix Backups\chjufjuc.ini.bad
    C:\VundoFix Backups\drgjjhtr.ini.bad
    C:\VundoFix Backups\ttxdtgxl.ini.bad

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
    .

    2008-01-18 20:11 . 2008-01-18 20:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-18 20:11 . 2008-01-18 20:11 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-17 16:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-15 17:43 . 2008-01-15 17:43 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-01-15 16:59 . 2008-01-16 16:30 1,625,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-15 16:59 . 2008-01-16 16:30 39,712 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-15 16:59 . 2008-01-16 16:30 22,844 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-15 16:59 . 2008-01-16 16:30 4,796 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-15 16:53 . 2008-01-15 16:53 <DIR> d-------- C:\KAV
    2008-01-15 16:43 . 2008-01-15 16:43 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-12 15:47 . 2008-01-16 16:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2008-01-12 15:44 . 2008-01-12 15:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-12 15:44 . 2008-01-12 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-12 15:44 . 2008-01-12 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-12 15:23 . 2008-01-16 20:08 <DIR> d-------- C:\HijackThis
    2008-01-12 13:23 . 2008-01-12 13:23 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-12 13:01 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-12 13:00 . 2008-01-12 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
    2008-01-12 11:35 . 2008-01-12 11:35 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-12 11:35 . 2008-01-12 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-12 11:34 . 2008-01-12 11:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-04 04:50 . 2008-01-04 04:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
    2008-01-03 19:34 . 2008-01-05 13:07 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
    2008-01-02 23:25 . 2008-01-19 15:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-02 21:55 . 2008-01-19 15:51 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-01-02 21:55 . 2008-01-03 16:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-02 21:55 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-01-02 21:52 . 2008-01-02 23:19 <DIR> d-------- C:\Program Files\Norton Security Scan
    2008-01-02 21:35 . 2008-01-09 15:44 13,312 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
    2008-01-02 21:35 . 2008-01-09 15:44 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe
    2007-12-26 15:55 . 2008-01-09 15:43 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2007-12-24 12:59 . 2008-01-19 15:51 <DIR> d-------- C:\Program Files\iTunes
    2007-12-24 12:59 . 2007-12-24 12:59 <DIR> d-------- C:\Program Files\iPod
    2007-12-24 12:52 . 2008-01-19 15:51 <DIR> d-------- C:\Program Files\QuickTime
    2007-12-24 12:47 . 2007-12-24 12:47 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-12-24 12:47 . 2007-12-24 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-12-24 11:39 . 2007-12-24 11:39 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Apple Computer
    2007-12-24 11:35 . 2004-06-23 13:39 <DIR> d--h----- C:\Documents and Settings\Katie\WLANProfiles
    2007-12-24 11:35 . 2004-06-23 13:17 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Symantec
    2007-12-24 11:35 . 2004-06-23 14:18 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\CyberLink

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-19 20:51 --------- d-----w C:\Program Files\SymNetDrv
    2008-01-19 20:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-17 01:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
    2008-01-16 01:05 --------- d-----w C:\Program Files\OpenOffice.org 2.2
    2008-01-13 05:39 --------- d-----w C:\Program Files\Yahoo!
    2008-01-12 16:42 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-01-12 16:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
    2007-12-04 22:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2007-12-02 03:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-18_16.54.26.22 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-17 21:44:49 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-19 20:51:10 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-17 21:44:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-19 20:51:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-17 21:44:49 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-19 20:51:11 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-17 21:44:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-19 20:51:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-17 21:44:50 3,612,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-19 20:51:12 3,665,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-17 21:44:50 204,800 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-19 20:51:13 204,800 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-17 21:44:59 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2008-01-19 20:51:23 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2008-01-09 15:44 13312]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-04 17:45 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-04 17:44 71280]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-01-09 15:43 155648]
    "PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2008-01-09 15:43 86016]
    "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-04 17:44 53248]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-04 17:45 185632]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-12 12:42 267048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 15:44 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 C:\WINDOWS\system32\LgNotify.dll

    R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\System32\DRIVERS\rmedia.sys [2003-10-20 21:09]
    R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\System32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
    S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\System32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-03-23 11:17:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-19 01:08:17 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    "2008-01-03 02:52:41 C:\WINDOWS\Tasks\Norton Security Scan.job"
    - C:\Program Files\Norton Security Scan\Nss.exe
    "2006-12-10 00:51:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-19 15:53:29
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-19 15:54:01
    ComboFix-quarantined-files.txt 2008-01-19 20:53:45
    ComboFix2.txt 2008-01-18 21:56:43


    And here is the new HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:07:45 PM, on 1/19/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HijackThis\Not Hijack.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    --
    End of file - 5958 bytes
    Thanks again for the help; let me know what else I need to do.
     
  7. Niobis (Active member)
    Fix this entry with HijackThis:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

    Since the Vundo had infected some programs, they need to be reinstalled. Uninstall the following programs:

    iTunes
    SUPERAntiSpyware
    Spyware Doctor
    MUSICMATCH
    QuickTime
    Java (all versions and updates)
    Norton Antivirus

    Download and run the Norton Removal Tool. You can get it here.

    Restart.
    Reinstall iTunes, SUPERAntiSpyware, MUSICMATCH and QuickTime.

    Download and install Java Runtime Environment 6 Update 4 from here.

    Rename Not Hijack.exe back to HijackThis.exe
    Run a new scan and post the fresh log.

    You also need to update Windows to Service Pack 2, but I want to make sure the problems are completely gone before we update.
    How are things acting? Still getting popups?
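The entry being fixed here is the one whose file name carries a space ("qttask .exe"), and the ComboFix Run-key dump earlier in this thread shows the same entry, and AVG7_CC, with an empty `[ ]` bracket, which is ComboFix's way of saying no file was found at that path. As an added example, not part of this thread and not code from HijackThis or ComboFix, the following Python script parses both line formats into one record per autostart and flags exactly those conditions (plus an entry given as a bare file name with no directory, which Windows resolves through the PATH search order). The sample log text inside it is constructed from the lines posted above; the `[HKEY_...]` key header in the ComboFix sample is an assumption.

```python
"""Parse HijackThis O4 lines and ComboFix Run-key lines into autostart records
and flag the ones worth a second look.  Added example, not part of either tool."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Autostart:
    source: str                          # "hjt" (HijackThis) or "combofix"
    location: str                        # registry key, or the startup folder
    name: str                            # Run value name, or .lnk name for startup folders
    exe: str                             # executable path exactly as the entry spells it
    args: str = ""
    user: Optional[str] = None           # HijackThis appends (User '...') for HKUS hives
    file_present: Optional[bool] = None  # only ComboFix reports this, via its [...] bracket
    flags: List[str] = field(default_factory=list)


HJT_RUN = re.compile(r"^O4 - (?P<loc>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_STARTUP = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
HJT_USER = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
CF_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<meta>[^\]]*)\]$')
EXE_EXT = re.compile(r"\.exe", re.IGNORECASE)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate executable from arguments.  A quoted path is taken verbatim; an
    unquoted one may itself contain spaces (the MusicMatch entry does), so it is
    cut at the first ".exe" rather than at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        if close > 0:
            return cmd[1:close], cmd[close + 1:].strip()
    m = EXE_EXT.search(cmd)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_hjt(log: str) -> List[Autostart]:
    """HijackThis O4 lines: Run keys (with optional user suffix) and startup folders."""
    entries: List[Autostart] = []
    for line in log.splitlines():
        m = HJT_RUN.match(line.strip()) or HJT_STARTUP.match(line.strip())
        if not m:
            continue                                  # not an O4 line
        cmd, user = m.group("cmd"), None
        um = HJT_USER.search(cmd)
        if um:
            user, cmd = um.group("user"), cmd[:um.start()]
        exe, args = split_command(cmd)
        entries.append(Autostart("hjt", m.group("loc"), m.group("name"), exe, args, user))
    return entries


def parse_combofix(log: str) -> List[Autostart]:
    """ComboFix Run-key dump: a [HKEY_...] header, then "name"="cmd" [date time size]
    lines.  An empty bracket, [ ], means ComboFix found no file at that path."""
    entries: List[Autostart] = []
    key = ""
    for line in log.splitlines():
        line = line.strip()
        km = CF_KEY.match(line)
        if km:
            key = km.group("key")
            continue
        m = CF_RUN.match(line)
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        present = bool(m.group("meta").strip())
        entries.append(Autostart("combofix", key, m.group("name"), exe, args, None, present))
    return entries


def audit(entries: List[Autostart]) -> List[Autostart]:
    """Attach a flag for each condition that should make you look twice."""
    for e in entries:
        flags = []
        base = e.exe.replace("/", "\\").rsplit("\\", 1)[-1]
        if re.search(r"\s", base):               # "qttask .exe": a space inside the file name
            flags.append("whitespace inside file name %r" % base)
        if "\\" not in e.exe:                    # no directory: PATH search order decides what runs
            flags.append("bare file name resolved through PATH search")
        if e.file_present is False:
            flags.append("target file not found when the log was taken")
        e.flags = flags
    return entries


def suspicious(entries: List[Autostart]) -> List[Autostart]:
    return [e for e in audit(entries) if e.flags]


# Constructed samples, modelled on the log lines posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
"""
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-04 17:44 71280]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-12 12:42 267048]
"""

if __name__ == "__main__":
    for e in suspicious(parse_hjt(SAMPLE_HJT) + parse_combofix(SAMPLE_COMBOFIX)):
        print(f"[{e.source}] {e.location} [{e.name}] -> {e.exe}")
        for f in e.flags:
            print("    !", f)
```

Run against a real log, only the QuickTime entry is flagged in the HijackThis sample, while the ComboFix sample flags both the QuickTime entry (odd name and missing file) and AVG7_CC (missing file). A missing target is not proof of malware on its own, since an uninstalled program leaves the same trace, but an autostart that no longer points at anything real is dead weight that should be removed either way.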
     
  8. sparky322 (Member)
    Not getting any more pop-ups since we were able to manually delete that one file, so that is good. I was wondering, however, if I uninstall iTunes, will that cause me to have to set up all the music on it again? I know it might sound minuscule, but that thing is a pain in the ass. Well, just wanted to ask before I went and did that. Thanks again for all the help.
     
  9. Niobis (Active member)
    Yes, all your music in the iTunes library would be gone. Instead of a clean install, do not uninstall first, just reinstall. Your music should be saved that way.
     
  10. sparky322 (Member)
    OK, I followed your instructions and reinstalled the things you said. I just reinstalled iTunes and I didn't lose my library (thanks for that). Here is the latest logfile. I had a question about that Yahoo! Pager line with -quiet at the end of it; what's that (O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet)? I don't have Yahoo! Messenger anymore and was wondering if it was something bad. Thanks again for everything; you've been a real help!
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:23:51 PM, on 1/20/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\HijackThis\HijackThis.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

    --
    End of file - 4959 bytes
     
  11. Niobis (Active member)
    Great job, your log is clean now. :)

    As for the entry you asked about, it's Yahoo's startup entry. It's legit. You said you don't have Yahoo! Messenger any more, so go ahead and fix that entry with HijackThis.

    You can also fix the following entries. They are not needed at startup and can be started manually when needed.

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

    Then, go here to download and install Service Pack 2. This is very important! There are many needed security updates in Service Pack 2.

    You also need to update to Internet Explorer 7, again for security purposes. You can get it here.

    I also recommend getting a firewall. The Windows firewall can only block incoming connections, not outgoing.

    Here are a few free firewalls.
    Zone Alarm Free
    Agnitum Outpost Firewall
    Kerio Personal Firewall

    You're welcome. I'm glad I could help.
    If you have any more questions feel free to ask.
     