
Gamebox Malware



Hi everyone

I found this forum after searching the web for info on a pop-up generator downloaded, I'm fairly certain, in a Gamebox download which my son :P put on my pc. It's generating popups, but I'm having trouble finding out how to remove it.

Also, as I've been reading back through the forum I've been reminded of one issue which I'd appreciate some advice on. I'm still running a Sygate personal firewall though I know that Symantec bought them out. Can anyone recommend a good personal firewall to replace it - or is there no need?

Anyhoo, here's my HJT log. Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:06:40, on 16/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\Program Files\sony\vaio power management\SPMgr.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\system32\ICO.EXE

C:\PROGRA~1\sony\SONICS~1\SsAAD.exe

C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\Five Live Flash\FiveLiveFlash.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\DllHost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\sony\SONICS~1\SsAAD.exe

O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe

O4 - HKCU\..\Run: [Five Live Flash] "C:\Program Files\Five Live Flash\FiveLiveFlash.exe"

O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: *.sony-europe.com

O15 - Trusted Zone: *.sonystyle-europe.com

O15 - Trusted Zone: *.vaio-link.com

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1537d41ea5da85...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095155196528

O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/uk/uk/tools/activex/fpu.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155853082290

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{49D843F9-55EB-4CCF-8B5E-01173B3AEAEA}: NameServer = 193.0.249.6,193.0.249.70

O17 - HKLM\System\CCS\Services\Tcpip\..\{EC951D07-DAB8-495D-B0F2-F47259D2E2EB}: NameServer = 193.0.249.6 193.0.249.70

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

--

End of file - 11730 bytes

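The HijackThis log above is read section by section: O2/O23 entries whose file is gone, O4 autostart commands, O15 Trusted Zone additions, O16 downloaded ActiveX controls and O17 per-adapter DNS servers are the lines a helper checks first. The script below is an added example by the editor, not code from the thread, from HijackThis or from Malwarebytes: it parses lines in HJT's own format and flags those categories. The sample is constructed from lines in the posted log plus one invented O4 entry (marked) so that the temporary-folder rule fires; the "writable location" markers and the severity wording are the editor's assumptions, not HJT's logic.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the log posted above, plus ONE line
# (the O4 HKCU 'igb' entry) invented here to exercise the temp-folder rule.
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKCU\..\Run: [igb] C:\WINDOWS\Temp\NSIS_Install_igb.exe
O15 - Trusted Zone: *.sony-europe.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095155196528
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D843F9-55EB-4CCF-8B5E-01173B3AEAEA}: NameServer = 193.0.249.6,193.0.249.70
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
""".strip()

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# First executable-looking token of a Run command, quoted or not (HJT leaves
# unquoted paths with spaces as-is, so we stop at the first extension).
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|bat|scr))"?', re.IGNORECASE)
# Editor's assumption: folders an ordinary installer does not autostart from.
WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\documents and settings\\")


def run_target(rest):
    """Executable launched by an O4 entry ('HKLM\\..\\Run: [name] command')."""
    cmd = rest.split("] ", 1)[1] if "] " in rest else rest
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def path_flag(path):
    """Why an autostart path deserves a look, or None if it looks ordinary."""
    p = path.lower()
    if "\\" not in p:
        return "bare filename, resolved through PATH at logon; check which copy actually runs"
    if any(marker in p for marker in WRITABLE):
        return "starts from a user-writable or temporary folder"
    return None


def is_microsoft_host(host):
    # Suffix check anchored on a dot: 'notmicrosoft.com' must not pass.
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def triage(log_text):
    """Return (section, kind, reason, line) tuples for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        low = rest.lower()
        if low.endswith("(no file)") or low.endswith("(file missing)"):
            findings.append((sec, "orphan", "points at a file that no longer exists; remove the entry", line))
        elif sec == "O4":
            why = path_flag(run_target(rest))
            if why:
                findings.append((sec, "autostart", why, line))
        elif sec == "O15":
            findings.append((sec, "trusted-zone", "site in IE Trusted Zone gets relaxed security; keep only if you added it", line))
        elif sec == "O16":
            h = re.search(r"https?://([^/\s]+)", rest)
            host = h.group(1).lower() if h else ""
            if not is_microsoft_host(host):
                findings.append((sec, "activex", f"downloaded ActiveX control from {host}; remove unless deliberately installed", line))
        elif sec == "O17":
            ns = re.search(r"NameServer\s*=\s*(.+)$", rest)
            for ip in (re.split(r"[,\s]+", ns.group(1).strip()) if ns else []):
                try:
                    addr = ip_address(ip)
                except ValueError:
                    continue
                if not addr.is_private:
                    findings.append((sec, "dns", f"adapter pinned to public DNS server {ip}; confirm it is your ISP's", line))
    return findings


if __name__ == "__main__":
    for sec, kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}/{kind}] {reason}\n    {line}")
```

Run it and the two "(no file)"/"(file missing)" orphans, the bare ICO.EXE, the invented Temp entry, the Trusted Zone line, the casino ActiveX control and both O17 DNS addresses come out; the Windows Update control and avast! do not. An O17 hit is not a verdict: the script only says the addresses are public, and the person reading the log still has to confirm they belong to the ISP rather than to a DNS hijacker.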

Hi there Paulh45, and welcome to Malwarebytes.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy. Be sure to use the immunize feature.

AVG AntiSpyware. Be sure to "take action".

Then go here and run a scan: Panda ActiveScan. There is a full tutorial on how to do this at the top of this forum.

Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!

You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.


Hi Paul. What gave you the idea AVG found two rootkits? You didn't take any action on the cookies it found or what Panda found. There is no point in scanning just for the sake of scanning.

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070718-084104-509-PowerReg Scheduler.exe

Did you remove something with HJT? This file shows something in the backup folder for HJT.

Now these below are rootkits but they don't show in the AVG. So I'm concerned you have taken action on your own. I can't proceed until I know what you may have done.

Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\lbxndbxodi.exe

Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\WINDOWS\Temp\NSIS_Install_igb.exe


Hi Jean

Sorry, I didn't write that very clearly, did I.

I ran the AVG, saved the report and THEN took the recommended action - I thought the report you wanted was of all the items it found. AVG DID NOT find any rootkits.

The Panda report followed the AVG report. I noticed it had identified two rootkits, but as per your instruction in your first mail, I took no action - preparing to be patient and persistent!

So I'll start again. I'll run the AVG first, take action again, and post the log.

all the best

Paul


AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 10:46:36 19/10/2007

+ Scan result:

C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.

::Report end


... and here is the Panda soft scan I ran today -

Incident Status Location

Adware:adware/wupd Not disinfected Windows Registry

Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@anm.co[1].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@atwola[2].txt

Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@entrepreneur[1].txt

Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@pacificpoker[1].txt

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@toplist[1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@www5.addfreestats[1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@www6.addfreestats[1].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Paul Halfpenny\Cookies\paul_halfpenny@xiti[1].txt

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070718-084104-509-PowerReg Scheduler.exe

Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\lbxndbxodi.exe

Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\WINDOWS\Temp\NSIS_Install_igb.exe

Virus:Trj/Spammer.ADX Disinfected Personal Folders\Junk E-mail\Something hot\game.zip[game.exe]


We are still not on the same page with this. My first post said

update and run a complete scan removing all items found.
I guess I need to add for all programs used maybe? I am still wondering what that line is all about with the backup in HJT.

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070718-084104-509-PowerReg Scheduler.exe

Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\lbxndbxodi.exe

Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\WINDOWS\Temp\NSIS_Install_igb.exe

Virus:Trj/Spammer.ADX Disinfected Personal Folders\Junk E-mail\Something hot\game.zip[game.exe]

Delete the backup item shown above. Delete the item in your junk mail folder. If Internet GameBox is showing in Add/Remove programs, uninstall it. Run this program (http://www.ccleaner.com/download/) and remove everything it finds.

Now please get this:

Please download Navilog1 by IL-MAFIOSO:

http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

* Extract its contents to the desktop.

* Double click on navilog1.exe to install it on your computer.

* When the installation is complete, the tool will start automatically.

* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.

* Press E for English from the language Menu.

* Type 1 in the next Menu to select Search and press Enter.

* Wait for the Scan to finish (It may take a reasonable amount of time)

* Press any key as requested .

* A new document will be produced: fixnavi.txt.

* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

I also need to tell you, since this is a rootkit, you are in danger of identity theft and should contact all banking, credit card companies etc. and change account details. Also, while I do think we can remove the rootkit, there is always the possibility we won't get it all. The only absolute way to be sure is a reformat of the hard drive, which removes everything and you start over as if the PC were new. If you decide to proceed with the fixes, follow the instructions above and post the log. If you decide a reformat is your best option, please let me know so I can close this thread and move on.


Ok, thanks for your patience. I followed the tutorial for running the Panda scan and thought you simply wanted the resultant log. I wasn't sure about how to rectify the problems it identified.

I've followed your instructions - everything except the lbxndbxodi.exe has been removed. The gamebox software which I think this relates to was taken off weeks ago. I can't find the lbxndbxodi.exe in the system32 folder - I've used the Search function also.

I've downloaded and installed CCleaner, run it and removed everything.

The log from Navilog is as follows:

Search Navipromo version 3.3.0 began on 19/10/2007 at 21:14:04.29

!!! Warning, this report may include legitimate files/programs !!!

!!! Post this report on the forum you are being helped !!!

!!! Don't continue with removal unless instructed by an authorized helper !!!

Fix running from C:\Program Files\navilog1

Updated on 17.10.2007 at 20h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]

Version Internet Explorer : 7.0.5730.11

Done in normal mode

*** Searching for installed Software ***

*** Search folders in C:\WINDOWS ***

*** Search folders in C:\Program Files ***

*** Search folders in C:\Documents and Settings\All Users\Application Data ***

*** Search folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***

for more info : http://www.gmer.net

Hidden file(s) :

C:\WINDOWS\system32\ngrdhp.dat

C:\WINDOWS\system32\ngrdhp.exe

C:\WINDOWS\system32\ngrdhp_nav.dat

C:\WINDOWS\system32\ngrdhp_navps.dat

Hidden Process(es) :

C:\WINDOWS\system32\ngrdhp.exe

*** Search with GenericNaviSearch ***

!!! Possibility of legitimate files in the result !!!

!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Search files ***

C:\WINDOWS\pack.epk found !

*** Search specific Registry keys ***

HKEY_CURRENT_USER\Software\Lanconfig found !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic Search :

C:\WINDOWS\system32\ngrdhp.dat found !

3)Certificates Search :

Egroup certificate found !

*** Search completed on 19/10/2007 at 21:14:54.38 ***

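The Navilog1 search log above shows the shape of a Navipromo installation: a randomly named executable in system32 (ngrdhp.exe) with companion ngrdhp.dat, ngrdhp_nav.dat and ngrdhp_navps.dat files, found only by Catchme's hidden-file scan, and a hidden process of the same name; the later removal log adds a matching Prefetch entry (ngrdhp*.pf) as evidence it ran. The script below is an added example by the editor, not Navilog1's own logic and not affiliated with IL-MAFIOSO or Malwarebytes: it hunts a directory listing for that file-set pattern and attaches Prefetch evidence. The listings are constructed from names in the thread plus a few ordinary XP files, and the 8-digit Prefetch hashes are made up; the companion-name templates and the vowel-ratio heuristic are the editor's assumptions drawn from the log.

```python
import re
from collections import defaultdict

# Constructed listings (file names only): names from the thread plus a few
# ordinary XP files; the 8-hex-digit Prefetch hashes are invented. In real use
# these would come from os.listdir() on the two folders (see note below).
SYSTEM32 = [
    "ctfmon.exe", "wscntfy.exe", "ati2evxx.exe", "ico.exe", "shdocvw.dll",
    "ngrdhp.exe", "ngrdhp.dat", "ngrdhp_nav.dat", "ngrdhp_navps.dat",
    "lbxndbxodi.exe",  # named by Panda in the thread; no companions in this listing
    "dumprep.exe", "oobe.dat",
]
PREFETCH = ["CTFMON.EXE-0E2D3A8B.pf", "NGRDHP.EXE-1A2B3C4D.pf", "NOTEPAD.EXE-12345678.pf"]

# Companion files Navilog1 reported next to ngrdhp.exe; '{b}' is the base name.
COMPANIONS = ("{b}.dat", "{b}_nav.dat", "{b}_navps.dat")


def vowel_ratio(name):
    """Fraction of letters that are vowels; near 0 for generated names.
    Weak on its own (wscntfy and ctfmon score 0 too), so it is reported, never decisive."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def prefetch_index(prefetch_names):
    """Map lowercase executable name -> its Prefetch (.pf) files: evidence it ran."""
    idx = defaultdict(list)
    for pf in prefetch_names:
        m = re.match(r"^(.+\.exe)-[0-9A-F]{8}\.pf$", pf, re.IGNORECASE)
        if m:
            idx[m.group(1).lower()].append(pf)
    return idx


def find_filesets(system32_names, prefetch_names, min_companions=2):
    """Executables in system32 that carry at least min_companions of the
    Navipromo companion files, with their Prefetch evidence attached."""
    present = {n.lower() for n in system32_names}
    ran = prefetch_index(prefetch_names)
    hits = []
    for name in sorted(present):
        if not name.endswith(".exe"):
            continue
        base = name[:-4]
        companions = [c.format(b=base) for c in COMPANIONS if c.format(b=base) in present]
        if len(companions) < min_companions:
            continue
        hits.append({
            "exe": name,
            "companions": companions,
            "vowel_ratio": round(vowel_ratio(base), 2),
            "prefetch": ran.get(name, []),
        })
    return hits


if __name__ == "__main__":
    for hit in find_filesets(SYSTEM32, PREFETCH):
        print(hit)
```

Only ngrdhp.exe is reported: it has all three companions and a Prefetch file, while lbxndbxodi.exe, which has no companions in this listing, and the equally vowel-free ctfmon.exe are not. The listing has to come from somewhere the rootkit cannot filter. In the thread the files were visible only to Catchme's raw scan and the user's Search could not see lbxndbxodi.exe, so os.listdir() from the live infected session may return nothing for them; feed the script a listing taken from the disk mounted under a clean boot, or the names from a Catchme/Navilog report.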

OK what do you know about this file: Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070718-084104-509-PowerReg Scheduler.exe

How did anything get into the backup files of HJT? Normally that only happens if something has been removed using the program.

There is no doubt GameBox is what gave you the rootkit. It is well documented as a source for Navipromo. That is the name of the infection you have, it is hard to find as it hides itself. Hurrah to ILLMAFIOSO for making this tool. On to the cleaning.

Double click on Navilog1 shortcut icon on your desktop to run it.

* Press E for English from the language Menu.

* Type 2 in the next Menu and press Enter.

* The tool will then advise you that it will restart your computer.

* Close all open windows and save personal documents, if open, too.

* If your computer doesn't restart automatically, restart it manually.

* Choose your usual session.

* Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)

* A new document will be produced.

* Please copy/paste the contents of this report in your next reply.

* Your desktop will now appear.

Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.


:angry: It has been brought to my attention I made a terrible misspelling of the Navipromo tool developer's name.

IL-MAFIOSO please forgive me and thank you for the advice and great tool!

Paul, we need that log please, and I have instructions from the developer that are important.


Hi Jean

taking your questions in reverse order..

I ran Navilog as instructed; it restarted, but the DOS shell closed as soon as it booted. I tried to run Navilog again, and it briefly boots before closing - it's displaying a message which includes the phrases

"Cannot open *.exe" and

"File - regnavil.reg not found - Registry was not cleaned"

However, I'm having no popups when I connect to the web - if that's reassuring?

Secondly, re the PowerReg Scheduler.exe in the HJT backups folder - I was having some problems a few months ago with (I thought) my Windows folder misreading its own size, by more than 10 gig. I tried many different things to resolve the problem, and at the time I was unsure if there was a malware issue. I think I removed PowerReg on someone's recommendation. It turned out I was having a problem with the Windows Installer.

Thanks again.


OK that makes sense. CCleaner probably took it away also, but you can delete the backup folder items in HJT also. Then they won't confuse any tools in the future.

So, now, because of my blunder with the name of the developer, we have a new version made of the program. The file identified by Panda was not detected by the tool, and now it is. Everything happens for a reason. :angry: Please download the new version, delete the old and start with option 2 again. Follow those directions and we will go from there.


OK

I uninstalled Navilog 3.3.0 and downloaded (using the link from earlier in the thread) 3.3.1. I've installed it and run it and it still gives me the same message as I was getting earlier - *.exe not found, reg not cleaned etc.

Could this be because I was less than patient on Friday :angry: and deleted the pack.epk file?


Hi Jean

The download is version 3.3.0 as you can see but it generated a log -

Navipromo Removal version 3.3.0 started on 21/10/2007 at 20:42:18.43

Fix running from C:\Program Files\navilog1

Updated on 17.10.2007 at 20h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]

Internet Explorer : 7.0.5730.11

Automatic removal

*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

*** Deleting files found with Catchme ***

C:\WINDOWS\system32\ngrdhp.dat deleted !

C:\WINDOWS\system32\ngrdhp.exe deleted !

C:\WINDOWS\system32\ngrdhp_nav.dat deleted !

C:\WINDOWS\system32\ngrdhp_navps.dat deleted !

** Second pass with Catchme results **

C:\WINDOWS\prefetch\ngrdhp*.pf found !

Copy C:\WINDOWS\prefetch\ngrdhp*.pf done !

C:\WINDOWS\prefetch\ngrdhp*.pf deleted !

*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *

* Deletion in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Deleting folders in C:\WINDOWS ***

*** Deleting folders in C:\Program Files ***

*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***

*** Deleting folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !

Cleaning of C:\Documents and Settings\Paul Halfpenny\Local Settings\Temp done !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic search and deletion with backups :

*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned

*** Certificates ***

Egroup Certificate deleted !

*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

*** Deleting files found with Catchme ***

C:\WINDOWS\system32\ngrdhp.dat deleted !

C:\WINDOWS\system32\ngrdhp.exe deleted !

C:\WINDOWS\system32\ngrdhp_nav.dat deleted !

C:\WINDOWS\system32\ngrdhp_navps.dat deleted !

*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *

* Deletion in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Deleting folders in C:\WINDOWS ***

*** Deleting folders in C:\Program Files ***

*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***

*** Deleting folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !

Cleaning of C:\Documents and Settings\Paul Halfpenny\Local Settings\Temp done !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic search and deletion with backups :

*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Error : File regnavi1.reg not found !

Registry was not cleaned !

*** Certificates ***

Egroup Certificate not found !

*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

*** Deleting files found with Catchme ***

C:\WINDOWS\system32\ngrdhp.dat deleted !

C:\WINDOWS\system32\ngrdhp.exe deleted !

C:\WINDOWS\system32\ngrdhp_nav.dat deleted !

C:\WINDOWS\system32\ngrdhp_navps.dat deleted !

*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *

* Deletion in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Deleting folders in C:\WINDOWS ***

*** Deleting folders in C:\Program Files ***

*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***

*** Deleting folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !

Cleaning of C:\Documents and Settings\Paul Halfpenny\Local Settings\Temp done !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic search and deletion with backups :

*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Error : File regnavi1.reg not found !

Registry was not cleaned !

*** Certificates ***

Egroup Certificate not found !

*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

*** Deleting files found with Catchme ***

C:\WINDOWS\system32\ngrdhp.dat deleted !

C:\WINDOWS\system32\ngrdhp.exe deleted !

C:\WINDOWS\system32\ngrdhp_nav.dat deleted !

C:\WINDOWS\system32\ngrdhp_navps.dat deleted !

*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *

* Deletion in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Deleting folders in C:\WINDOWS ***

*** Deleting folders in C:\Program Files ***

*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***

*** Deleting folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !

Cleaning of C:\Documents and Settings\Paul Halfpenny\Local Settings\Temp done !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic search and deletion with backups :

*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Error : File regnavi1.reg not found !

Registry was not cleaned !

*** Certificates ***

Egroup Certificate not found !

*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

*** Deleting files found with Catchme ***

C:\WINDOWS\system32\ngrdhp.dat deleted !

C:\WINDOWS\system32\ngrdhp.exe deleted !

C:\WINDOWS\system32\ngrdhp_nav.dat deleted !

C:\WINDOWS\system32\ngrdhp_navps.dat deleted !

*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *

* Deletion in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Deleting folders in C:\WINDOWS ***

*** Deleting folders in C:\Program Files ***

*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***

*** Deleting folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !

Cleaning of C:\Documents and Settings\Paul Halfpenny\Local Settings\Temp done !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic search and deletion with backups :

*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Error : File regnavi1.reg not found !

Registry was not cleaned !

*** Certificates ***

Egroup Certificate not found !

*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

Copy C:\WINDOWS\system32\ngrdhp.dat done !

Copy C:\WINDOWS\system32\ngrdhp.exe done !

Copy C:\WINDOWS\system32\ngrdhp_nav.dat done !

Copy C:\WINDOWS\system32\ngrdhp_navps.dat done !

*** Deleting files found with Catchme ***

C:\WINDOWS\system32\ngrdhp.dat deleted !

C:\WINDOWS\system32\ngrdhp.exe deleted !

C:\WINDOWS\system32\ngrdhp_nav.dat deleted !

C:\WINDOWS\system32\ngrdhp_navps.dat deleted !

*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *

* Deletion in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Deleting folders in C:\WINDOWS ***

*** Deleting folders in C:\Program Files ***

*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***

*** Deleting folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !

Cleaning of C:\Documents and Settings\Paul Halfpenny\Local Settings\Temp done !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic search and deletion with backups :

*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Error : File regnavi1.reg not found !

Registry was not cleaned !

*** Certificates ***

Egroup Certificate not found !

*** Cleaning stage complete on 23/10/2007 at 9:29:58.88 ***


I'm asking for a link to the new version, Paul.

Here is the newest version, Paul. Please scan with it and post the log, and a new HJT log. http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Paul, also be sure to uninstall/delete the old version of Navifix before you download the new version.

Edited by JeanInMontana
add info

Hi here's the Navilog log

Search Navipromo version 3.3.2 began on 23/10/2007 at 19:43:11.75

!!! Warning, this report may include legitimate files/programs !!!

!!! Post this report on the forum you are being helped !!!

!!! Don't continue with removal unless instructed by an authorized helper !!!

Fix running from C:\Program Files\navilog1

Updated on 22.10.2007 at 19h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]

Version Internet Explorer : 7.0.5730.11

Done in normal mode

*** Searching for installed Software ***

*** Search folders in C:\WINDOWS ***

*** Search folders in C:\Program Files ***

*** Search folders in C:\Documents and Settings\All Users\Application Data ***

*** Search folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***

for more info : http://www.gmer.net

No file found in :

- C:\WINDOWS\system32

- C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1

*** Search with GenericNaviSearch ***

!!! Possibility of legitimate files in the result !!!

!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Search files ***

*** Search specific Registry keys ***

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic Search :

3)Certificates Search :

Egroup certificate not found !

*** Search completed on 23/10/2007 at 19:43:53.60 ***


And the HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:46:46, on 23/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\Program Files\sony\vaio power management\SPMgr.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\system32\ICO.EXE

C:\PROGRA~1\sony\SONICS~1\SsAAD.exe

C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\Five Live Flash\FiveLiveFlash.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\WINDOWS\system32\DllHost.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\sony\SONICS~1\SsAAD.exe

O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe

O4 - HKCU\..\Run: [Five Live Flash] "C:\Program Files\Five Live Flash\FiveLiveFlash.exe"

O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/

O15 - Trusted Zone: http://www.pandasecurity.com

O15 - Trusted Zone: *.sony-europe.com

O15 - Trusted Zone: *.sonystyle-europe.com

O15 - Trusted Zone: *.vaio-link.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1537d41ea5da85...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095155196528

O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/uk/uk/tools/activex/fpu.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155853082290

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{49D843F9-55EB-4CCF-8B5E-01173B3AEAEA}: NameServer = 193.0.249.6,193.0.249.70

O17 - HKLM\System\CCS\Services\Tcpip\..\{EC951D07-DAB8-495D-B0F2-F47259D2E2EB}: NameServer = 193.0.249.6 193.0.249.70

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

--

End of file - 12729 bytes


Paul did you completely remove the old version of the Navifix? This is very important.

Please run HJT again and put a check next to each entry below.

O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab <====== Uninstall the connected program also.

O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab <==== Uninstall the program connected to this also.

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

C:\Program Files\Five Live Flash\FiveLiveFlash.exe <==== What do you know about this? I'm finding mixed reviews via Google.

You need to update your Java and Adobe. Both are known exploitable versions. Please follow all these instructions, give me feedback on your system performance, and post a new HJT log.

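A small triage helper for the HJT entry classes the helper asked about above (orphaned BHOs, services with a missing binary, third-party O16 ActiveX downloads, O15 Trusted Zone additions and O17 NameServer overrides). This is an added example, not code from the thread, from HijackThis or from Navilog1; the sample lines are copied from the log posted above, and the trusted-host list for O16 entries is an assumption.

```python
"""Triage helper for HijackThis (HJT) v2.0.2 log entries.

Added example, not code from the thread, from HijackThis or from Navilog1.
It parses the 'Rn'/'On' entry lines of an HJT log and flags the classes of
entry a helper typically asks to fix: BHOs whose DLL is gone (O2 "(no file)"),
services whose binary is missing (O23 "(file missing)"), third-party ActiveX
downloads (O16 DPF), Trusted Zone additions (O15) and DNS overrides (O17).
"""
import re
from urllib.parse import urlparse

# An HJT entry looks like "O16 - DPF: {CLSID} (Name) - http://host/x.cab".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# Hosts whose ActiveX controls are not questioned here (assumption, edit to taste).
TRUSTED_DPF_HOSTS = ("microsoft.com",)

# Constructed sample input: lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: *.sony-europe.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095155196528
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino.ladbrokes.com/instant-p...en/FlashAX2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49D843F9-55EB-4CCF-8B5E-01173B3AEAEA}: NameServer = 193.0.249.6,193.0.249.70
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_entry(line):
    """Return (kind, body) for an HJT entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def dpf_host(body):
    """Host an O16 DPF control is fetched from, or '' when it is a local path."""
    target = body.rsplit(" - ", 1)[-1].strip()
    if not target.lower().startswith(("http://", "https://")):
        return ""
    return urlparse(target).hostname or ""


def is_trusted_host(host):
    """True when host is, or is a subdomain of, a trusted DPF host."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(lines):
    """Return [(kind, reason, entry)] for entries that deserve a closer look."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, body = parsed
        entry = raw.strip()
        if kind == "O2" and body.endswith("(no file)"):
            findings.append((kind, "orphaned BHO registration, DLL is gone", entry))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append((kind, "service registered for a missing binary", entry))
        elif kind == "O16":
            # DPF controls are ActiveX code IE fetched from a URL; anything not
            # from a trusted host (or sitting on a local path) gets reviewed.
            host = dpf_host(body)
            if not is_trusted_host(host):
                where = host or "local path"
                findings.append((kind, f"third-party ActiveX control from {where}", entry))
        elif kind == "O15":
            findings.append((kind, "site added to IE Trusted Zone, weaker security settings apply", entry))
        elif kind == "O17":
            findings.append((kind, "per-interface NameServer override, confirm these are the ISP's DNS servers", entry))
    return findings


def triage_text(text):
    """Convenience wrapper: triage a whole log pasted as one string."""
    return triage(text.splitlines())


if __name__ == "__main__":
    for kind, reason, entry in triage_text(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {entry}")
```

Entries that are flagged still need a human decision, as the helper's review shows: the O4 MsnMsgr line was asked for on judgement, not on any rule above.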

Hi Paul, in addition to the stuff above, please do these things.

Run Navilog1 with choice 4 and enter lbxndbxodi. Navilog1 will check if other extensions related to Navipromo are present with the same file name. Then please look for the report saved on %systemdrive% and post that.


Hi Jean, here's the log results from the Navilog. Can I just say though, before I came to Malwarebytes I was trying to work out what was generating the popups and I used msconfig to check which programs were running at Start - lbxndbxodi was checked on that list and I couldn't find anything about it when I googled it, so I switched it off. Obviously it didn't stop the popups - but having run Navilog and generated the following report, I've also just run msconfig and it's still there on the list.

Navipromo Removal version 3.3.2 started on 24/10/2007 at 21:39:10.53

Fix running from C:\Program Files\navilog1

Updated on 22.10.2007 at 19h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]

Internet Explorer : 7.0.5730.11

Manual Removal

Typed filename : lbxndbxodi

*** Searching, making backups and deleting files ***

* Deletion in C:\WINDOWS\system32 *

C:\WINDOWS\prefetch\lbxndbxodi*.pf found !

Copy C:\WINDOWS\prefetch\lbxndbxodi*.pf done !

C:\WINDOWS\prefetch\lbxndbxodi*.pf deleted !

* Deletion in C:\DOCUME~1\PAULHA~1\LOCALS~1\APPLIC~1 *

*** Deleting folders in C:\WINDOWS ***

*** Deleting folders in C:\Program Files ***

*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***

*** Deleting folders in C:\Documents and Settings\Paul Halfpenny\Application Data ***

*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***

*** Deleting files ***

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !

Cleaning of C:\Documents and Settings\Paul Halfpenny\Local Settings\Temp done !

*** Complementary Search ***

(Search specific files)

1)Search known files:

2)Heuristic search and deletion with backups :

*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned

*** Certificates ***

Egroup Certificate not found !

*** Cleaning stage complete on 24/10/2007 at 22:19:14.00 ***

