AVSystem Removal: Profile #2

bloodrayne03 · October 10, 2007

I'll post the logs for this profile once I get back.

bloodrayne03 · October 10, 2007

I'll post the logs for this profile once I get back.

ComboFix 07-10-09.3 - Susan 2007-10-10 9:43:49.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.499 [GMT -6:00]

Running from: C:\Documents and Settings\Nathan\Desktop\Spyware tools\combofix.exe

.

((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))

.

2007-10-10 09:19 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-10 09:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-10-10 08:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-10-10 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-10-10 08:23 <DIR> d-------- C:\WINDOWS\LastGood

2007-10-09 21:02 <DIR> d-------- C:\mwav

2007-10-09 21:02 <DIR> d-------- C:\Downloads

2007-10-09 21:02 <DIR> d-------- C:\Bases

2007-10-09 20:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-10-09 20:56 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\SUPERAntiSpyware.com

2007-10-09 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2007-10-09 20:32 <DIR> d-------- C:\HJT

2007-10-09 17:10 <DIR> d-------- C:\Program Files\RogueRemover FREE

2007-10-09 17:03 <DIR> d-------- C:\Program Files\XoftSpySE

2007-10-09 16:57 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-10-09 16:47 <DIR> d-------- C:\Documents and Settings\Susan\Application Data\Symantec

2007-10-09 16:47 <DIR> d-------- C:\Documents and Settings\Susan\Application Data\InstallShield

2007-10-09 16:47 <DIR> d--h----- C:\Documents and Settings\Susan\Application Data\Gtek

2007-10-09 16:19 16,384 --a------ C:\WINDOWS\xlavra.exe

2007-10-09 16:15 737,280 --a------ C:\WINDOWS\iun6002.exe

2007-10-09 16:08 7,849 --a------ C:\WINDOWS\system32\sulimo.dat

2007-10-05 13:10 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2007-10-05 13:05 <DIR> d-------- C:\Program Files\Sierra

2007-10-04 20:59 <DIR> d-------- C:\Program Files\Skype

2007-10-04 20:59 <DIR> d-------- C:\Program Files\Common Files\Skype

2007-10-04 20:59 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Skype

2007-10-04 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

2007-10-03 17:58 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Template

2007-10-03 17:58 146 --a------ C:\Documents and Settings\Nathan\Application Data\wklnhst.dat

2007-10-02 15:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2007-09-30 19:10 <DIR> d-------- C:\Program Files\MagicDisc

2007-09-30 14:24 <DIR> d-------- C:\Program Files\thriXXX

2007-09-29 09:51 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\AdobeUM

2007-09-27 17:11 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2007-09-27 17:11 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-09-27 17:10 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2007-09-27 15:35 <DIR> d-------- C:\Program Files\Call of Duty

2007-09-27 08:00 179 --a------ C:\handle.dat

2007-09-27 05:47 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Sonic

2007-09-27 05:47 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Leadertech

2007-09-26 16:19 <DIR> d-------- C:\Program Files\PeerGuardian2

2007-09-26 15:49 <DIR> d-------- C:\Program Files\uTorrent

2007-09-26 15:49 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\uTorrent

2007-09-25 21:36 <DIR> d-------- C:\Program Files\StepMania

2007-09-23 10:25 <DIR> d-------- C:\Documents and Settings\Elizabeth\Application Data\Symantec

2007-09-23 10:25 <DIR> d-------- C:\Documents and Settings\Elizabeth\Application Data\InstallShield

2007-09-23 10:25 <DIR> d--h----- C:\Documents and Settings\Elizabeth\Application Data\Gtek

2007-09-23 09:35 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Nexon

2007-09-22 23:15 <DIR> d-------- C:\Program Files\MSXML 4.0

2007-09-22 22:33 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Viewpoint

2007-09-22 21:57 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\SecondLife

2007-09-22 08:37 23,040 --------- C:\WINDOWS\kb913800.exe

2007-09-22 08:34 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Symantec

2007-09-22 08:34 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\InstallShield

2007-09-22 08:34 <DIR> d--h----- C:\Documents and Settings\Adam\Application Data\Gtek

2007-09-21 18:48 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Ventrilo

2007-09-21 18:46 <DIR> d-------- C:\Program Files\Ventrilo

2007-09-21 18:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-21 18:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2007-09-21 16:39 <DIR> d-------- C:\Program Files\World of Warcraft

2007-09-21 16:39 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

2007-09-21 16:32 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Nexon

2007-09-21 16:31 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

2007-09-21 16:29 <DIR> d-------- C:\Nexon

2007-09-21 16:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

2007-09-21 16:03 <DIR> d-------- C:\Program Files\MSN Messenger

2007-09-21 16:03 <DIR> d-------- C:\Documents and Settings\Nathan\Contacts

2007-09-21 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP

2007-09-21 15:48 <DIR> d-------- C:\Program Files\Common Files\HP

2007-09-21 15:47 <DIR> d-------- C:\Program Files\Hewlett-Packard

2007-09-21 15:46 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard

2007-09-21 15:42 <DIR> d-------- C:\Program Files\HP

2007-09-21 15:42 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys

2007-09-21 15:40 112,411 --a------ C:\WINDOWS\hpoins07.dat

2007-09-21 15:40 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2007-09-21 15:40 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys

2007-09-21 15:40 21,124 --------- C:\WINDOWS\hpomdl07.dat

2007-09-21 15:39 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\HP

2007-09-21 15:39 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2007-09-21 15:39 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

2007-09-21 15:14 <DIR> d---s---- C:\Documents and Settings\Nathan\UserData

2007-09-21 15:04 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec

2007-09-21 15:04 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield

2007-09-21 15:04 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek

2007-09-21 15:04 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Symantec

2007-09-21 15:04 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\InstallShield

2007-09-21 15:04 <DIR> d--h----- C:\Documents and Settings\Nathan\Application Data\Gtek

2007-09-21 14:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-09-21 14:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec

2007-09-21 14:56 <DIR> d-------- C:\Program Files\EarthLink Setup

2007-09-21 14:55 <DIR> d-------- C:\Program Files\Dell Support

2007-09-21 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek

2007-09-21 14:55 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\GTek

2007-09-21 14:54 <DIR> d-------- C:\Program Files\Yahoo!

2007-09-21 14:54 <DIR> d-------- C:\Program Files\Sonic

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-03 19:47 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-10-03 19:47 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-10-03 19:47 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-10-03 19:47 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-09-29 03:17 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-09-21 20:50 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys

2007-09-20 13:49 7,763 ----a-w C:\WINDOWS\system32\drivers\1028_Dell_DIM_DIME521.mrk

2007-08-27 23:13 97,672 ----a-w C:\WINDOWS\system32\drivers\symfw.sys

2007-08-27 23:13 537,992 ----a-w C:\WINDOWS\system32\SymNeti.dll

2007-08-27 23:13 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys

2007-08-27 23:13 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys

2007-08-27 23:13 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys

2007-08-27 23:13 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys

2007-08-27 23:13 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll

2007-08-27 23:13 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys

2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-07-31 01:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-07-31 01:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2007-07-31 01:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-07-31 01:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-07-31 01:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2007-07-31 01:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-07-31 01:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

2007-07-31 01:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-07-31 01:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2005-05-12 05:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-10 17:36]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 02:12]

"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 02:00 C:\WINDOWS\stsystra.exe]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]

"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2007-01-16 11:26]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-21 14:50]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 20:57]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-09-21 14:48:48]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-09-21 14:48:33]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{827D3881-317C-442A-B4ED-F576CBA700BB}"= C:\WINDOWS\SYSTEM32\GWSEH.dll [2004-09-23 06:21 155648]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat

R3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command - E:\setup.exe

*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER

*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD

*Newly Created Service* - CATCHME

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-10-06 04:29:50 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Nathan.job"

.

**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-10 09:46:28

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-10-10 9:47:41

C:\ComboFix2.txt ... 2007-10-10 09:25

.

--- E O F ---

bloodrayne03 · October 10, 2007

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:49:19 AM, on 10/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://secure.comodo.net/CPS

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-21-3746299716-2376927081-3986171330-1005\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Nathan')

O4 - HKUS\S-1-5-21-3746299716-2376927081-3986171330-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Nathan')

O4 - HKUS\S-1-5-21-3746299716-2376927081-3986171330-1005\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (User 'Nathan')

O4 - HKUS\S-1-5-21-3746299716-2376927081-3986171330-1005\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Nathan')

O4 - HKUS\S-1-5-21-3746299716-2376927081-3986171330-1005\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Nathan')

O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Dell Network Assistant.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 9899 bytes

JeanInMontana · October 14, 2007

OK I'm home. What is the status with these accounts? I see the one bad file is in the last HJT log. Was that posted before we had the other account all clean? It has been 4 days if these accounts are not clean we need to start from the beginning.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy Be sure to use the immunize feature.

AVG AntiSpyware Be sure to "take action"

Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.

Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This!

You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.

bloodrayne03 · October 14, 2007

The other accounts havn't been logged into since I checked on them a day or two after running the logs. I'll post the scans and tell you how they're doing in just a sec.

EDIT: Ok, well this one acts fine, and I can still access the Control Panel and all it's functions.

bloodrayne03 · October 14, 2007

Erm... Well, it didn't give me a report to post, but it found "25 objects, (32 traces)" and deleted all of the below. I'll post the names and move on to Panda.

TrackingCookie.247realmedia

TrackingCookie.2o7

TrackingCookie.Adbrite

TrackingCookie.Adrevolver

TrackingCookie.Pointroll

TrackingCookie.Advertising

TrackingCookie.Tacoda

TrackingCookie.Atdmt

TrackingCookie.Msn

TrackingCookie.Bluestreak

TrackingCookie.Doubleclick

TrackingCookie.Fastclick

TrackingCookie.Mediaplex

TrackingCookie.Overture

TrackingCookie.Questionmarket

TrackingCookie.Realmedia

TrackingCookie.Valuead

TrackingCookie.Revsci

TrackingCookie.Live

TrackingCookie.Statcounter

TrackingCookie.Trafficmp

TrackingCookie.Tribalfusion

TrackingCookie.Burstbeacon

TrackingCookie.Burstnet

TrackingCookie.Realtracker

bloodrayne03 · October 14, 2007

Panda:

Incident Status Location

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nathan\Cookies\nathan@adrevolver[1].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nathan\Cookies\nathan@atwola[1].txt

Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nathan\Cookies\nathan@azjmp[2].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Nathan\Desktop\Spyware tools\combofix.exe[nircmd.exe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Nathan\Desktop\Spyware tools\combofix.exe[nircmd.cfexe]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Susan\Cookies\susan@2o7[2].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Susan\Cookies\susan@atdmt[2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Susan\Cookies\susan@doubleclick[1].txt

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Susan\Cookies\susan@questionmarket[2].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

bloodrayne03 · October 14, 2007

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:56:21 PM, on 10/14/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://secure.comodo.net/CPS

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll