
Help me remove Worm.Win32.NetSky



I did what you said and hopefully I did this right...

SDFix: Version 1.116

Run by JR on Tue 12/04/2007 at 05:15 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\PROGRA~1\SDFix

Safe Mode:

Checking Services:

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Default HomePage Value

Restoring Default Desktop Components Value

Rebooting...

Normal Mode:

Checking Files:

Trojan Files Found:

C:\Documents and Settings\JR\Favorites\Error Cleaner.url - Deleted

C:\Documents and Settings\JR\Favorites\Privacy Protector.url - Deleted

C:\Documents and Settings\JR\Favorites\Spyware&Malware Protection.url - Deleted

C:\WINDOWS\privacy_danger\index.htm - Deleted

C:\WINDOWS\privacy_danger\images\capt.gif - Deleted

C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted

C:\WINDOWS\privacy_danger\images\down.gif - Deleted

C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted

C:\Program Files\RichVideoCodec\install.ico - Deleted

C:\Program Files\RichVideoCodec\RichVideoCodec.ocx - Deleted

C:\Program Files\RichVideoCodec\Uninstall.exe - Deleted

C:\Program Files\Setup.exe - Deleted

C:\DOCUME~1\JR\LOCALS~1\Temp\ac8zt2.dat - Deleted

C:\WINDOWS\nethop.exe - Deleted

C:\WINDOWS\rmvgor.dll - Deleted

Folder C:\Program Files\RichVideoCodec - Removed

Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS

No streams found.

C:\WINDOWS\system32

No streams found.

C:\WINDOWS\system32\svchost.exe

No streams found.

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-04 17:26:51

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s0"=dword:8fc34bda

"s1"=dword:0a216748

"s2"=dword:5f9e1643

"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:8e,0a,2b,96,b5,9d,f2,82,17,25,65,5b,22,70,d5,16,42,46,3e,a5,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:8e,0a,2b,96,b5,9d,f2,82,17,25,65,5b,22,70,d5,16,42,46,3e,a5,d7,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:00000024

"TracesSuccessful"=dword:00000003

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services:

------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:

---------------

File Backups: - C:\PROGRA~1\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 14 Sep 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 25 Oct 2005 1,544 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"

Sun 2 Dec 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"

Sun 2 Dec 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Sun 24 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT30.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT31.tmp"

Tue 4 Dec 2007 85,946 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT695.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6BD.tmp"

Tue 4 Dec 2007 85,946 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6C4.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6DA.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6E1.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6E2.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6E3.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6EF.tmp"

Tue 4 Dec 2007 0 A..H. --- "C:\Documents and Settings\JR\Local Settings\Temp\BIT6FE.tmp"

Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\IsoBuster\IsoBuster\Help\AHlp.exe"

Tue 27 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0d4a7c846fe5e74c3056c3e240c1ffeb\BIT66.tmp"

Tue 14 Sep 2004 4,348 A..H. --- "C:\Documents and Settings\JR\My Documents\My Music\License Backup\drmv1key.bak"

Tue 25 Oct 2005 782 A..H. --- "C:\Documents and Settings\JR\My Documents\My Music\License Backup\drmv1lic.bak"

Sat 11 Dec 2004 400 A.SH. --- "C:\Documents and Settings\JR\My Documents\My Music\License Backup\drmv2key.bak"

Sun 24 Dec 2006 54,520 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp"

Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:49:42 PM, on 12/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

D:\J.R.'s Music\iTunes Folder\iTunesHelper.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\WINDOWS\system32\tbctray.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HighJackThis\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\J.R.'s Music\iTunes Folder\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://sln.lasalle.edu/iNotes6W.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8408 bytes

On a good note, that red biohazard sign went away and it's back to my old desktop wallpaper again. Don't know if I'm cured or not, but I'll wait for the next steps B)


It's been 12 hours or so since I did those logs, and no signs of popups. My desktop is back to normal, and my computer is running faster. Sometimes here and there it will be slow, but that's normal. Also, Windows is telling me I don't have an antivirus program; it never said that before. I do have McAfee though, so I'm not sure if that works, and it is deleting some trojans that pop up once in a while (I never got those before), so maybe I might still be infected? On a good note, it says it's stopping and deleting them. So what would you recommend for an antivirus program?


OK... you're using vague terms. I can't give you any intelligent answer. Exact messages with exact trojan names are what I need to see.

Let's do this. Get this http://www.ccleaner.com/download, run a scan and clean up everything it finds as garbage. Be sure you have deleted all the fixes we used (Vundo, SDFix, ComboFix etc.), then run another Panda scan and post that log.


Panda scan

Incident Status Location

Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

Adware:adware/seekmo Not disinfected Windows Registry

Adware:adware/pacimedia Not disinfected Windows Registry

Adware:adware/exact.searchbar Not disinfected Windows Registry

Adware:adware/wupd Not disinfected Windows Registry

Spyware:spyware/media-motor Not disinfected Windows Registry

Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\JR\Desktop\fdvdcodecs.exe[NNCLXA638.EXE]

Potentially unwanted tool:Application/MyWay Not disinfected C:\Documents and Settings\JR\Desktop\fdvdcodecs.exe[s4BarSp.exe]

Adware:Adware/ClockSync Not disinfected C:\Documents and Settings\JR\Desktop\fdvdcodecs.exe[VVSNInst.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\JR\Desktop\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\JR\Desktop\SmitfraudFix\restart.exe

Virus:Generic Malware Not disinfected C:\Documents and Settings\JR\Desktop\spynomore.exe[snmIeGuard.dll]

Virus:Generic Malware Not disinfected C:\Documents and Settings\JR\Desktop\spynomore.exe[sNM.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\JR\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\JR\SmitfraudFix\restart.exe

Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\K-Lite Codec Pack\K-Lite Codec Pack\XviD-1.0.2-Setup.exe[gunist.exe]

Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\K-Lite Codec Pack\K-Lite Codec Pack\XviD-1.0.2-Setup.exe[gunist.exe][proxya.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/SuperFast Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/SuperFast Not disinfected D:\SmitfraudFix\restart.exe

------------------------------------------------------------------------------------------

I haven't seen those trojans come up again with the McAfee virus scan, so I guess that's good, but if they do I'll post the names of them.


Here is another Panda scan and a HJT log, and hopefully I deleted Smitfraud.

Incident Status Location

Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

Adware:adware/seekmo Not disinfected Windows Registry

Adware:adware/pacimedia Not disinfected Windows Registry

Adware:adware/exact.searchbar Not disinfected Windows Registry

Adware:adware/wupd Not disinfected Windows Registry

Spyware:spyware/media-motor Not disinfected Windows Registry

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.adrevolver.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.advertising.com/]

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.ads.pointroll.com/]

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.bluestreak.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.apmebf.com/]

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.revenue.net/]

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.casalemedia.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.247realmedia.com/]

Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.adserver.easyad.info/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.bs.serving-sys.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.com.com/]

Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[stat.onestat.com/]

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.zedo.com/]

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.perf.overture.com/]

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.go.com/]

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\JR\Application Data\Mozilla\Firefox\Profiles\xb3r9a22.default\cookies.txt[.ehg-dig.hitbox.com/]

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\JR\Cookies\jr@advertising[1].txt

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\JR\Cookies\jr@advertising[2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\JR\Cookies\jr@atwola[1].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\JR\Cookies\jr@atwola[2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\JR\Cookies\jr@doubleclick[1].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\JR\Cookies\jr@doubleclick[2].txt

Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\JR\Desktop\fdvdcodecs.exe[NNCLXA638.EXE]

Potentially unwanted tool:Application/MyWay Not disinfected C:\Documents and Settings\JR\Desktop\fdvdcodecs.exe[s4BarSp.exe]

Adware:Adware/ClockSync Not disinfected C:\Documents and Settings\JR\Desktop\fdvdcodecs.exe[VVSNInst.exe]

Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\K-Lite Codec Pack\K-Lite Codec Pack\XviD-1.0.2-Setup.exe[gunist.exe]

Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\K-Lite Codec Pack\K-Lite Codec Pack\XviD-1.0.2-Setup.exe[gunist.exe][proxya.exe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:40:21 PM, on 12/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\tbctray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\SiteAdvisor\SiteAdv.exe

C:\WINDOWS\system32\DllHost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\HighJackThis\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\J.R.'s Music\iTunes Folder\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://sln.lasalle.edu/iNotes6W.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9124 bytes


Please download this file: SDFix.exe (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe)

* Open the extracted SDFix folder and double click RunThis.bat to start the script.

* Type Y to begin the cleanup process.

* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

* Press any Key and it will restart the PC.

* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

(Report.txt will also be copied to Clipboard ready for posting back on the forum).

* Finally paste the contents of the Report.txt back on the forum.

Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.


SDFix: Version 1.118

Run by JR on Fri 12/14/2007 at 03:57 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\PROGRA~1\SDFix

Safe Mode:

Checking Services:

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting...

Normal Mode:

Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS

No streams found.

C:\WINDOWS\system32

No streams found.

C:\WINDOWS\system32\svchost.exe

No streams found.

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-14 16:07:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s0"=dword:8fc34bda

"s1"=dword:0a216748

"s2"=dword:5f9e1643

"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:8e,0a,2b,96,b5,9d,f2,82,17,25,65,5b,22,70,d5,16,42,46,3e,a5,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:8e,0a,2b,96,b5,9d,f2,82,17,25,65,5b,22,70,d5,16,42,46,3e,a5,d7,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services:

------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:

---------------

Files with Hidden Attributes:

Tue 14 Sep 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 25 Oct 2005 1,544 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"

Sun 2 Dec 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"

Sun 2 Dec 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Sun 24 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\IsoBuster\IsoBuster\Help\AHlp.exe"

Tue 27 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0d4a7c846fe5e74c3056c3e240c1ffeb\BIT66.tmp"

Tue 14 Sep 2004 4,348 A..H. --- "C:\Documents and Settings\JR\My Documents\My Music\License Backup\drmv1key.bak"

Tue 25 Oct 2005 782 A..H. --- "C:\Documents and Settings\JR\My Documents\My Music\License Backup\drmv1lic.bak"

Sat 11 Dec 2004 400 A.SH. --- "C:\Documents and Settings\JR\My Documents\My Music\License Backup\drmv2key.bak"

Sun 24 Dec 2006 54,520 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp"

Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Mon 13 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:28:15 PM, on 12/14/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wscntfy.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

D:\J.R.'s Music\iTunes Folder\iTunesHelper.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\WINDOWS\system32\tbctray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HighJackThis\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\J.R.'s Music\iTunes Folder\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://sln.lasalle.edu/iNotes6W.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8920 bytes


Are you still having symptoms?

Your log looks clean. We need to now reset a clean System Restore point. If you don't, and you need to use System Restore, you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here.


Ok, we aren't quite done yet. We need to now reset a clean System Restore point. If you don't, and you need to use System Restore, you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here.

Happy Holidays to you as well!!



Since this topic is resolved I will close it.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
