Every time I open the internet, I receive unwanted and annoying web sites like "centennialapplication.com" and "rebateprocessortools.com". I tried with the Norton antivirus, phishing filter, pop-up blocker, Spybot - Search & Destroy, Norton firewall, spyware protection; I looked in "regedit" to delete them, but they are still there. Spybot always detects "virtumonde", "starcounter", "doubleclick" and deletes them, but they always come back. Any suggestion to finally delete them for good?

A good place to start would be to run ALL of the good free programs listed in the link at the bottom of my post. You may also have to turn off System Restore if the problems show that that's where they are.
Norton is definitely not my choice. Try downloading Avast free and let it do a boot scan and move all infections to the chest. You may also want to google for virtumonde removal and do that too.
Run this free online scan and delete all it finds:
http://www.spywareinfo.com/xscan.php
Some HELP in posting on Cnet plus free progs and instructions
Glad to Help!

Please post your HijackThis log. Your system is still infected!
If you don't have HijackThis, then download the "HijackThis" installer from this link: http://www.trendsecure.com/portal/e...
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Thanks for your response, here is the required report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:06 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [b012a549] rundll32.exe "C:\WINDOWS\system32\xdcylqpv.dll",b
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [BMb32196d5] Rundll32.exe "C:\WINDOWS\system32\fwigbjxv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (file missing)
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.exe (file missing)
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe--
End of file - 9260 bytes
PLEASE LET ME KNOW4321

Hi Adii, thanks for your advice. I ran and posted the HijackThis log, and reviewing it I found that line 4 shows "lsass.exe", which is an "OPTIX Pro virus". Besides that, I found some .dll files that look suspicious, because I couldn't find any connection:
O4 - HKLM\..\Run: [b012a549] rundll32.exe "C:\WINDOWS\system32\xdcylqpv.dll",b
O4 - HKLM\..\Run: [BMb32196d5] Rundll32.exe "C:\WINDOWS\system32\fwigbjxv.dll",s
So, how can I eliminate the virus, and how do I know if the .dll files are essential or another form of malware, spyware or virus?
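The two O4 entries quoted above can be triaged from the log text alone, before guessing at what the DLLs are. They share a pattern that none of the vendor autostarts in the same log have: a Run value whose name is a hex-looking tag ("b012a549", "BMb32196d5") instead of a product name, a DLL under C:\WINDOWS\system32 whose name is eight random lowercase letters, and rundll32.exe invoked with a single-letter entry point. The same eight-letter naming reappears in ComboFix's "Other Deletions" list later in the thread. The script below is an added example written for this page, not code from the thread, from HijackThis or from any vendor; the five O4 lines inside it are constructed from the log above (the two questioned entries plus three ordinary ones for contrast), and the scoring rules are a triage heuristic of my own, not a detection signature. Anything the heuristic flags still needs confirming from the file's properties, digital signature and a scanner verdict before it is removed. A process name alone is likewise not a finding: C:\WINDOWS\system32\lsass.exe is the standard Windows Local Security Authority process, so that line in the process list says nothing until the file's path and signature have been checked the same way.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format HijackThis prints for O4 autostart entries.
# The two rundll32 lines are the ones questioned in the thread; the other three
# are ordinary vendor and Windows autostarts, included for contrast.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b012a549] rundll32.exe "C:\WINDOWS\system32\xdcylqpv.dll",b
O4 - HKLM\..\Run: [BMb32196d5] Rundll32.exe "C:\WINDOWS\system32\fwigbjxv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip("\n")

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First DLL path on the command line, plus the ",export" argument rundll32 takes, if present.
DLL_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]+?\.dll)"?(?:,(?P<export>\S+))?', re.IGNORECASE)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\b", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")                      # e.g. xdcylqpv, fwigbjxv
HEX_TAG_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.IGNORECASE)  # e.g. b012a549, BMb32196d5


@dataclass
class O4Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One signal alone is weak (vendors use rundll32 too); two or more is worth checking.
        return len(self.reasons) >= 2


def analyze_o4(line: str):
    """Score one HijackThis line. Returns None for lines that are not O4 entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    finding = O4Finding(name=m["name"], command=m["cmd"])
    if HEX_TAG_RE.match(finding.name):
        finding.reasons.append("value name is a hex-looking tag rather than a product name")
    if RUNDLL_RE.match(finding.command):
        d = DLL_RE.search(finding.command)
        if d:
            folder, filename = d["path"].rsplit("\\", 1)
            stem = filename[:-4]  # drop ".dll"
            if RANDOM_STEM_RE.match(stem):
                finding.reasons.append(f"rundll32 loads {filename}, an eight-letter random-looking name in {folder}")
            if d["export"] and len(d["export"]) == 1:
                finding.reasons.append(f"exported entry point is a single letter ({d['export']})")
    return finding


def triage(hjt_text: str):
    """Return the O4 findings that meet the suspicious threshold, in log order."""
    findings = (analyze_o4(line) for line in hjt_text.splitlines())
    return [f for f in findings if f is not None and f.suspicious]


if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"[{f.name}] {f.command}")
        for reason in f.reasons:
            print("   -", reason)
```

Run as-is it prints the two flagged entries with their reasons; to use it on a real log, pass the whole HijackThis log text to triage(), since lines that are not O4 entries are skipped. The threshold of two signals is deliberate: a vendor autostart that merely uses rundll32 (NvCplDaemon above) scores nothing, while the questioned entries trip all three checks.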

Hi cedrix2001,
Your system is infected. But don't fix any HijackThis entry without my instruction.
Keep following my further steps to clean your system properly.
"Be careful using the ComboFix tool. If used the wrong way you could crash your computer. Then don't blame me or ComboFix."
1. Download the ComboFix tool from this link:
http://www.forospyware.com/sUBs/Com...
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Thanks!!

Thanks again, here is the ComboFix report:
ComboFix 08-03-18.1 - Jorge Cruz 2008-03-20 10:46:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1480 [GMT -8:00]
Running from: C:\Program Files\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMb32196d5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bmapkiao.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dfshpjhn.dll
C:\WINDOWS\system32\dysarilq.dll
C:\WINDOWS\system32\eabokcxr.dll
C:\WINDOWS\system32\efcaxuu.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\hjocsmxn.dll
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\lvkpdkmb.dll
C:\WINDOWS\system32\lxibtuqg.dll
C:\WINDOWS\system32\nqeuehep.dll
C:\WINDOWS\system32\nxdgynpy.dll
C:\WINDOWS\system32\odgnexsb.dll
C:\WINDOWS\system32\qlirasyd.ini
C:\WINDOWS\system32\tuvussr.dll
C:\WINDOWS\system32\urqrspn.dll
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\yinmtwqg.dll
C:\WINDOWS\system32\ypnygdxn.ini
C:\WINDOWS\system32\yqihjvqu.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.
2008-03-20 10:43 . 2008-03-20 10:43 1,599,141 --a------ C:\Program Files\ComboFix.exe
2008-03-19 20:42 . 2008-03-19 20:42 474 ---hs---- C:\WINDOWS\system32\atucwvtd.ini
2008-03-19 20:19 . 2008-03-19 20:31 414 ---hs---- C:\WINDOWS\system32\xywlayxe.ini
2008-03-19 20:04 . 2008-03-19 20:04 294 ---hs---- C:\WINDOWS\system32\oawngcpa.ini
2008-03-18 21:23 . 2008-03-18 21:23 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-03-17 23:12 . 2008-03-17 23:12 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-03-17 23:12 . 2008-03-17 23:12 <DIR> d-------- C:\Documents and Settings\Jorge Cruz\Application Data\Sammsoft
2008-03-17 22:00 . 2008-03-19 19:36 1,074 ---hs---- C:\WINDOWS\system32\vpqlycdx.ini
2008-03-16 23:52 . 2008-03-16 23:52 271 --a------ C:\WINDOWS\SysMech7.INI
2008-03-15 21:57 . 2008-03-17 16:46 594 ---hs---- C:\WINDOWS\system32\xylisxpp.ini
2008-03-14 21:51 . 2008-03-14 21:51 294 ---hs---- C:\WINDOWS\system32\wwejqfec.ini
2008-03-14 21:49 . 2008-03-14 22:08 <DIR> d-------- C:\Program Files\Microsoft Money 2005
2008-03-12 22:03 . 2008-03-15 11:14 <DIR> d-------- C:\Program Files\American Airlines DealFinder
2008-03-11 20:16 . 2008-03-11 20:16 714 ---hs---- C:\WINDOWS\system32\rgjrsbaq.ini
2008-03-10 20:17 . 2008-03-11 16:40 654 ---hs---- C:\WINDOWS\system32\rhknbcha.ini
2008-03-09 20:08 . 2008-03-10 20:08 534 ---hs---- C:\WINDOWS\system32\gqfionni.ini
2008-03-08 18:20 . 2008-03-08 18:21 <DIR> d-------- C:\WINDOWS\system32\DRM
2008-03-08 17:51 . 2008-03-08 18:15 127 --a------ C:\WINDOWS\wininit.ini
2008-03-07 22:15 . 2008-03-07 22:35 354 --ahs---- C:\WINDOWS\system32\yygwpluv.ini
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-06 22:13 . 2008-03-06 22:13 294 --ahs---- C:\WINDOWS\system32\fngyrtxr.ini
2008-03-05 22:13 . 2008-03-05 22:13 594 --ahs---- C:\WINDOWS\system32\rodqmaoc.ini
2008-03-04 21:20 . 2008-03-05 22:10 534 --ahs---- C:\WINDOWS\system32\ogxjcmql.ini
2008-03-03 21:08 . 2008-03-04 21:15 414 --ahs---- C:\WINDOWS\system32\algbvlbc.ini
2008-03-03 20:08 . 2008-03-03 20:08 294 --ahs---- C:\WINDOWS\system32\hdudljhl.ini
2008-03-02 09:59 . 2008-03-02 10:09 354 --ahs---- C:\WINDOWS\system32\etobfdig.ini
2008-03-01 10:19 . 2008-03-01 12:36 354 --ahs---- C:\WINDOWS\system32\vovqsyuq.ini
2008-02-29 21:17 . 2008-02-29 21:17 294 --ahs---- C:\WINDOWS\system32\vksbsema.ini
2008-02-28 21:12 . 2008-02-29 20:23 474 --ahs---- C:\WINDOWS\system32\fywqdslx.ini
2008-02-28 20:51 . 2008-02-28 21:05 354 --ahs---- C:\WINDOWS\system32\rcplravy.ini
2008-02-27 20:28 . 2008-02-27 20:28 294 --ahs---- C:\WINDOWS\system32\hcoatddd.ini
2008-02-26 20:24 . 2008-02-26 22:41 594 --ahs---- C:\WINDOWS\system32\yobjwagi.ini
2008-02-25 20:12 . 2008-02-26 20:18 414 --ahs---- C:\WINDOWS\system32\vhyphwnl.ini
2008-02-24 20:08 . 2008-02-24 20:08 294 --ahs---- C:\WINDOWS\system32\jjynriga.ini
2008-02-24 18:26 . 2008-02-26 20:19 48 ---hs---- C:\WINDOWS\S3AE3FE20.tmp
2008-02-24 12:39 . 2008-02-26 22:21 <DIR> d-------- C:\Program Files\AskTBar
2008-02-24 12:10 . 2008-02-24 12:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-23 17:33 . 2008-02-23 17:33 <DIR> d-------- C:\Program Files\iTunes
2008-02-23 17:33 . 2008-03-15 22:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 17:33 . 2008-02-23 17:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 17:32 . 2008-02-23 17:32 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 19:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-19 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-19 05:53 --------- d-----w C:\Program Files\Microsoft Works
2008-03-19 05:53 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-19 05:24 9,261 ----a-w C:\Program Files\hijackthis.log
2008-03-18 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-18 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-18 06:21 --------- d-----w C:\Program Files\Yahoo!
2008-03-15 20:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-15 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-11 02:25 --------- d-----w C:\Program Files\Symantec
2008-03-02 18:30 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\LimeWire
2008-02-28 06:10 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\iolo
2008-02-24 01:40 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\Apple Computer
2008-02-24 01:33 --------- d-----w C:\Program Files\iPod
2008-02-21 01:33 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\Vso
2008-02-18 02:11 --------- d-----w C:\Program Files\eGames
2008-02-17 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-02-17 07:05 --------- d-----w C:\Program Files\Elaborate Bytes
2008-02-17 07:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-15 05:22 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\dvdcss
2008-02-15 04:56 --------- d-----w C:\Program Files\MadZ Clone DVD Pro
2008-02-15 04:43 81,920 ----a-w C:\Documents and Settings\Jorge Cruz\Application Data\ezpinst.exe
2008-02-15 04:43 47,360 ----a-w C:\Documents and Settings\Jorge Cruz\Application Data\pcouffin.sys
2008-02-14 04:37 --------- d-----w C:\Program Files\DVD Decrypter
2008-02-13 05:30 --------- d-----w C:\Program Files\Active Data Recovery Services
2008-02-13 05:13 --------- d-----w C:\Program Files\Movie Splitter
2008-02-13 05:12 --------- d-----w C:\Program Files\Free WMA to MP3 Converter
2008-02-11 03:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:01 --------- d-----w C:\Program Files\2nd Story Software
2008-02-10 09:15 --------- d-----w C:\Program Files\CDKeyFinder
2008-02-10 04:38 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-10 02:23 --------- d-----w C:\Program Files\Evidence Eliminator
2008-02-02 03:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-28 23:46 --------- d-----w C:\Program Files\Java
2008-01-28 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-28 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-28 06:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 06:51 --------- d-----w C:\Program Files\Pinnacle
2008-01-28 06:35 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\InstallShield
2008-01-27 00:21 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\iolo
2008-01-26 20:23 --------- d-----w C:\Program Files\Bonjour
2008-01-26 05:12 --------- d-----w C:\Program Files\DIFX
2008-01-26 05:10 --------- d-----w C:\Program Files\Analog Devices
2008-01-26 03:21 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-26 03:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-26 03:21 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-25 06:10 --------- d-----w C:\Program Files\Nsasoft
2008-01-25 05:49 --------- d-----w C:\Program Files\MSBuild
2008-01-25 05:48 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-25 05:45 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-25 05:39 --------- d-----w C:\Program Files\VNITANKY42B
2008-01-23 05:31 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-21 21:41 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\NeroDigital™
2008-01-21 21:09 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\Nero
2008-01-21 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-01-21 20:00 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\Yahoo!
2008-01-21 19:39 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\CyberLink
2008-01-21 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-01-21 19:35 --------- d-----w C:\Program Files\CyberLink
2008-01-21 19:27 65 ----a-w C:\Program Files\Common Files\appop.log
2008-01-21 19:27 --------- d-----w C:\Program Files\InterVideo
2008-01-21 19:26 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\InterVideo
2008-01-21 19:25 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-21 05:20 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-01-21 05:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-21 04:15 87,608 ----a-w C:\Documents and Settings\Jorge Cruz\Application Data\inst.exe
2008-01-21 04:15 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-21 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 01:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-21 00:17 --------- d-----w C:\Program Files\Tansee iPod Transfer
2008-01-20 21:47 --------- d-----w C:\Program Files\AoA MP4 Converter
2008-01-20 20:49 --------- d-----w C:\Program Files\Sys
2008-01-20 20:49 --------- d-----w C:\Program Files\SoundMAX Synthesizer
2008-01-20 20:49 --------- d-----w C:\Program Files\SMAXWDM
2008-01-20 20:49 --------- d-----w C:\Program Files\SM_Sensa
2008-01-20 20:49 --------- d-----w C:\Program Files\SM_Panel
2008-01-20 20:49 --------- d-----w C:\Program Files\Redist
2008-01-20 20:49 --------- d-----w C:\Program Files\NT40
2008-01-20 20:49 --------- d-----w C:\Program Files\Migrate
2008-01-20 20:49 --------- d-----w C:\Program Files\Linux
2008-01-20 07:56 --------- d-----w C:\Program Files\iolo
2008-01-20 07:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\iolo
2008-01-20 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-01-20 07:42 --------- d-----w C:\Program Files\LimeWire
2008-01-20 07:41 --------- d-----w C:\Program Files\Common Files\Java
2008-01-20 07:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-20 07:22 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-20 07:22 --------- d-----w C:\Program Files\Apple Software Update
2008-01-20 07:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-20 06:52 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-20 06:52 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\Hewlett-Packard
2008-01-20 06:47 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-01-20 04:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-01-20 04:07 --------- d-----w C:\Program Files\SlySoft
2003-08-30 00:09 55 ----a-r C:\Program Files\data.tag
2003-08-29 23:14 65,108 ----a-r C:\Program Files\data1.hdr
2003-08-29 23:14 495 ----a-r C:\Program Files\layout.bin
2003-07-02 23:54 241,004 ----a-r C:\Program Files\setup.inx
2003-06-23 23:28 401 ----a-r C:\Program Files\Setup.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C5CF149-D897-461F-A68D-F41502D2F1A2}]
C:\WINDOWS\system32\gebca.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 08:41 223984]
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2007-07-23 09:34 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 04:25 868352]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-03-13 10:19 759656]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-13 23:11 771704]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 08:41 223984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvussr]
tuvussr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avpa]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b012a549]
C:\WINDOWS\system32\nxdgynpy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
--a------ 2007-03-21 15:41 145496 C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 06:29]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-13 10:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-13 10:11]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-03 17:07]
R3 WlanUIG;2Wire 802.11g USB Driver;C:\WINDOWS\system32\DRIVERS\WlanUIG.sys [2004-05-16 16:46]
S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 02:09]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 18:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-25 06:52:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1200811945.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-18 04:00:21 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Jorge Cruz.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 11:03:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2008-03-20 11:06:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 19:05:57
.
2008-03-20 06:51:02 --- E O F ---

AND THIS IS THE HijackThis REPORT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:00 AM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Jorge Cruz\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8C5CF149-D897-461F-A68D-F41502D2F1A2} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: tuvussr - tuvussr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8476 bytes

THANKS,
4321

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:
O2 - BHO: (no name) - {8C5CF149-D897-461F-A68D-F41502D2F1A2} - C:\WINDOWS\system32\gebca.dll (file missing)
O20 - Winlogon Notify: tuvussr - tuvussr.dll (file missing)
Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text b/w Start and End lines below into notepad:
------------------
File::
C:\WINDOWS\system32\gebca.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C5CF149-D897-461F-A68D-F41502D2F1A2}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvussr]
----------------
Save this as a text file named CFScript.

Then drag the CFScript file into ComboFix.exe.
This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. How is it running now please?
Thanks,
* Do Safe Computing *
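An added triage helper, not code from the thread or from HijackThis/ComboFix: it scans HijackThis log lines for O2 (BHO) and O20 (Winlogon Notify) entries marked "(file missing)" and writes them out in the File::/Registry:: CFScript layout used in the post above. The sample lines are copied from the logs in this thread, the registry paths are the abbreviated forms the post uses, and the `ignore` set stands in for the reviewer's judgement (the Groove entry is an Office leftover the helper chose not to touch, which is why a missing file alone is only a lead, not a verdict).

```python
import re

# Line shapes for the two HijackThis entry types discussed in the thread:
#   O2  - BHO: <name> - {CLSID} - <dll path> [(file missing)]
#   O20 - Winlogon Notify: <name> - <dll> [(file missing)]
_O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
_O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)

# Registry locations written exactly as the fix posted in the thread abbreviates them.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# Constructed sample: four lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (file missing)
O2 - BHO: (no name) - {8C5CF149-D897-461F-A68D-F41502D2F1A2} - C:\WINDOWS\system32\gebca.dll (file missing)
O20 - Winlogon Notify: tuvussr - tuvussr.dll (file missing)
"""


def find_orphaned_entries(log_text, ignore=()):
    """Return (kind, registry_key, file) triples for O2/O20 lines flagged "(file missing)".

    `ignore` holds entry names a reviewer has already judged benign; a missing file by
    itself is not proof of malware (the Groove entry in the sample is an Office leftover).
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _O2_RE.match(line)
        if m and m.group("missing") and m.group("name") not in ignore:
            findings.append(("O2", BHO_KEY + "\\" + m.group("clsid"), m.group("path")))
            continue
        m = _O20_RE.match(line)
        if m and m.group("missing") and m.group("name") not in ignore:
            findings.append(("O20", NOTIFY_KEY + "\\" + m.group("name"), m.group("dll")))
    return findings


def build_cfscript(findings):
    """Render findings in the CFScript layout from the thread: a File:: block, then a
    Registry:: block with one [-key] deletion per orphaned load point."""
    # Only full paths go under File::; a bare DLL name (as in the O20 line) has no
    # location to delete, so it is covered by the registry deletion alone.
    files = [path for _kind, _key, path in findings if "\\" in path]
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    lines.append("Registry::")
    lines.extend("[-" + key + "]" for _kind, key, _path in findings)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_orphaned_entries(SAMPLE_LOG, ignore={"Groove GFS Browser Helper"})
    for kind, key, path in hits:
        print(f"{kind}: {path} -> {key}")
    print()
    print(build_cfscript(hits))
```

Run against the sample, the output is the same two-entry script the helper posted; without the `ignore` set the Groove line is flagged too, which is the false positive a human has to weed out.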

Hi, I followed the instructions, but when I dragged the new notepad file into ComboFix, I got the following message:
CFScript Name Error
"Were you Trying to run SFScript?
The name CFScript appears to be incorrectly spelt."
What did I do wrong?
I deleted the two lines in HijackThis, then I copied and pasted the info into notepad; this is the file created:
File::
C:\WINDOWS\system32\gebca.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C5CF149-D897-461F-A68D-F41502D2F1A2}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvussr]

4321

Read my last post again. You did not save the file with the name I said.
It is a notepad file name error. Check the notepad file name again. So do it again, but save the notepad file with this name, "SFScript", exactly.
Then drag and drop this SFScript file onto the ComboFix program icon. Hope you can do it now!
Let me know!!!

OK, the computer is running much better. Here is the ComboFix log:
ComboFix 08-03-18.1 - Jorge Cruz 2008-03-22 17:22:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1487 [GMT -8:00]
Running from: C:\Program Files\antivirus fix\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jorge Cruz\My Documents\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\gebca.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.
2008-03-22 16:33 . 2008-03-22 16:33 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-21 17:20 . 2008-03-21 17:33 <DIR> d-------- C:\Program Files\antivirus fix
2008-03-19 20:42 . 2008-03-19 20:42 474 ---hs---- C:\WINDOWS\system32\atucwvtd.ini
2008-03-19 20:19 . 2008-03-19 20:31 414 ---hs---- C:\WINDOWS\system32\xywlayxe.ini
2008-03-19 20:04 . 2008-03-19 20:04 294 ---hs---- C:\WINDOWS\system32\oawngcpa.ini
2008-03-17 23:12 . 2008-03-17 23:12 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-03-17 23:12 . 2008-03-17 23:12 <DIR> d-------- C:\Documents and Settings\Jorge Cruz\Application Data\Sammsoft
2008-03-17 22:00 . 2008-03-19 19:36 1,074 ---hs---- C:\WINDOWS\system32\vpqlycdx.ini
2008-03-16 23:52 . 2008-03-16 23:52 271 --a------ C:\WINDOWS\SysMech7.INI
2008-03-15 21:57 . 2008-03-17 16:46 594 ---hs---- C:\WINDOWS\system32\xylisxpp.ini
2008-03-14 21:51 . 2008-03-14 21:51 294 ---hs---- C:\WINDOWS\system32\wwejqfec.ini
2008-03-14 21:49 . 2008-03-14 22:08 <DIR> d-------- C:\Program Files\Microsoft Money 2005
2008-03-12 22:03 . 2008-03-15 11:14 <DIR> d-------- C:\Program Files\American Airlines DealFinder
2008-03-11 20:16 . 2008-03-11 20:16 714 ---hs---- C:\WINDOWS\system32\rgjrsbaq.ini
2008-03-10 20:17 . 2008-03-11 16:40 654 ---hs---- C:\WINDOWS\system32\rhknbcha.ini
2008-03-09 20:08 . 2008-03-10 20:08 534 ---hs---- C:\WINDOWS\system32\gqfionni.ini
2008-03-08 18:20 . 2008-03-08 18:21 <DIR> d-------- C:\WINDOWS\system32\DRM
2008-03-08 17:51 . 2008-03-08 18:15 127 --a------ C:\WINDOWS\wininit.ini
2008-03-07 22:15 . 2008-03-07 22:35 354 --ahs---- C:\WINDOWS\system32\yygwpluv.ini
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-06 22:13 . 2008-03-06 22:13 294 --ahs---- C:\WINDOWS\system32\fngyrtxr.ini
2008-03-05 22:13 . 2008-03-05 22:13 594 --ahs---- C:\WINDOWS\system32\rodqmaoc.ini
2008-03-04 21:20 . 2008-03-05 22:10 534 --ahs---- C:\WINDOWS\system32\ogxjcmql.ini
2008-03-03 21:08 . 2008-03-04 21:15 414 --ahs---- C:\WINDOWS\system32\algbvlbc.ini
2008-03-03 20:08 . 2008-03-03 20:08 294 --ahs---- C:\WINDOWS\system32\hdudljhl.ini
2008-03-02 09:59 . 2008-03-02 10:09 354 --ahs---- C:\WINDOWS\system32\etobfdig.ini
2008-03-01 10:19 . 2008-03-01 12:36 354 --ahs---- C:\WINDOWS\system32\vovqsyuq.ini
2008-02-29 21:17 . 2008-02-29 21:17 294 --ahs---- C:\WINDOWS\system32\vksbsema.ini
2008-02-28 21:12 . 2008-02-29 20:23 474 --ahs---- C:\WINDOWS\system32\fywqdslx.ini
2008-02-28 20:51 . 2008-02-28 21:05 354 --ahs---- C:\WINDOWS\system32\rcplravy.ini
2008-02-27 20:28 . 2008-02-27 20:28 294 --ahs---- C:\WINDOWS\system32\hcoatddd.ini
2008-02-26 20:24 . 2008-02-26 22:41 594 --ahs---- C:\WINDOWS\system32\yobjwagi.ini
2008-02-25 20:12 . 2008-02-26 20:18 414 --ahs---- C:\WINDOWS\system32\vhyphwnl.ini
2008-02-24 20:08 . 2008-02-24 20:08 294 --ahs---- C:\WINDOWS\system32\jjynriga.ini
2008-02-24 18:26 . 2008-02-26 20:19 48 ---hs---- C:\WINDOWS\S3AE3FE20.tmp
2008-02-24 12:39 . 2008-02-26 22:21 <DIR> d-------- C:\Program Files\AskTBar
2008-02-24 12:10 . 2008-02-24 12:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-23 17:33 . 2008-02-23 17:33 <DIR> d-------- C:\Program Files\iTunes
2008-02-23 17:33 . 2008-03-15 22:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 17:33 . 2008-02-23 17:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 17:32 . 2008-02-23 17:32 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 19:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-22 02:14 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-22 02:13 --------- d-----w C:\Program Files\Microsoft Works
2008-03-22 02:06 --------- d-----w C:\Program Files\MSBuild
2008-03-21 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-18 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-18 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-18 06:21 --------- d-----w C:\Program Files\Yahoo!
2008-03-15 20:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-15 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-13 18:19 438,632 ----a-w C:\WINDOWS\system32\Incinerator.dll
2008-03-13 18:08 38,912 ----a-w C:\WINDOWS\system32\smrgdf.exe
2008-03-13 17:25 32,768 ----a-w C:\WINDOWS\system32\iolobtdfg.exe
2008-03-11 02:25 --------- d-----w C:\Program Files\Symantec
2008-03-02 18:30 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\LimeWire
2008-02-28 06:10 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\iolo
2008-02-24 01:40 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\Apple Computer
2008-02-24 01:33 --------- d-----w C:\Program Files\iPod
2008-02-21 01:33 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\Vso
2008-02-18 02:11 --------- d-----w C:\Program Files\eGames
2008-02-17 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-02-17 07:05 --------- d-----w C:\Program Files\Elaborate Bytes
2008-02-17 07:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-15 05:22 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\dvdcss
2008-02-15 04:56 --------- d-----w C:\Program Files\MadZ Clone DVD Pro
2008-02-15 04:43 81,920 ----a-w C:\Documents and Settings\Jorge Cruz\Application Data\ezpinst.exe
2008-02-15 04:43 47,360 ----a-w C:\Documents and Settings\Jorge Cruz\Application Data\pcouffin.sys
2008-02-14 04:37 --------- d-----w C:\Program Files\DVD Decrypter
2008-02-13 05:30 --------- d-----w C:\Program Files\Active Data Recovery Services
2008-02-13 05:13 --------- d-----w C:\Program Files\Movie Splitter
2008-02-13 05:12 --------- d-----w C:\Program Files\Free WMA to MP3 Converter
2008-02-11 03:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:01 --------- d-----w C:\Program Files\2nd Story Software
2008-02-10 09:15 --------- d-----w C:\Program Files\CDKeyFinder
2008-02-10 04:38 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-10 02:23 --------- d-----w C:\Program Files\Evidence Eliminator
2008-02-02 03:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-28 23:46 --------- d-----w C:\Program Files\Java
2008-01-28 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-28 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-28 06:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 06:51 --------- d-----w C:\Program Files\Pinnacle
2008-01-28 06:35 --------- d-----w C:\Documents and Settings\Jorge Cruz\Application Data\InstallShield
2008-01-27 00:21 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\iolo
2008-01-26 20:23 --------- d-----w C:\Program Files\Bonjour
2008-01-26 05:12 --------- d-----w C:\Program Files\DIFX
2008-01-26 05:10 --------- d-----w C:\Program Files\Analog Devices
2008-01-26 03:21 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-26 03:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-26 03:21 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-26 03:21 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-25 06:10 --------- d-----w C:\Program Files\Nsasoft
2008-01-25 05:48 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-25 05:45 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-25 05:39 --------- d-----w C:\Program Files\VNITANKY42B
2008-01-23 05:31 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-21 19:27 65 ----a-w C:\Program Files\Common Files\appop.log
2008-01-20 07:51 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
2003-08-30 00:09 55 ----a-r C:\Program Files\data.tag
2003-08-29 23:14 65,108 ----a-r C:\Program Files\data1.hdr
2003-08-29 23:14 495 ----a-r C:\Program Files\layout.bin
2003-07-02 23:54 241,004 ----a-r C:\Program Files\setup.inx
2003-06-23 23:28 401 ----a-r C:\Program Files\Setup.ini
2003-06-23 23:28 308,278 ----a-r C:\Program Files\win256_3.bmp
2003-06-23 23:28 308,276 ----a-r C:\Program Files\SoundMAX.bmp
2003-06-23 23:28 1,768 ----a-r C:\Program Files\setup.iss
2002-07-26 01:07 346,602 ----a-r C:\Program Files\ikernel.ex_
2002-06-20 00:26 40,960 ----a-r C:\Program Files\AEEnable.exe
2002-04-22 21:40 45,056 ----a-r C:\Program Files\adminchk.dll
2002-03-12 01:10 1,078 ----a-r C:\Program Files\SMax3CP.ico
2001-11-19 23:42 7 ----a-r C:\Program Files\nocompi.txt
2001-11-19 23:42 6 ----a-r C:\Program Files\nocompu.txt
2001-08-25 00:45 61,440 ----a-r C:\Program Files\RemADI.exe
2001-08-16 02:08 377,856 ----a-r C:\Program Files\269601USA8.exe
2000-05-15 19:08 134,656 ----a-r C:\Program Files\Setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 08:41 223984]
"AROReminder"="C:\Program Files\Advanced Registry Optimizer\ARO.exe" [2007-07-23 09:34 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 04:25 868352]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-03-13 10:19 759656]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-13 23:11 771704]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 08:41 223984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avpa]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b012a549]
C:\WINDOWS\system32\nxdgynpy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
--a------ 2007-03-21 15:41 145496 C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 06:29]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-13 10:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-13 10:11]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-03 17:07]
R3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 02:09]
R3 WlanUIG;2Wire 802.11g USB Driver;C:\WINDOWS\system32\DRIVERS\WlanUIG.sys [2004-05-16 16:46]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 18:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-25 06:52:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1200811945.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-18 04:00:21 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Jorge Cruz.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 17:22:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
Completion time: 2008-03-22 17:23:15
ComboFix-quarantined-files.txt 2008-03-23 01:23:06
ComboFix2.txt 2008-03-23 01:12:08
ComboFix3.txt 2008-03-22 01:39:15
ComboFix4.txt 2008-03-20 19:06:01
.
2008-03-23 00:36:49 --- E O F ---

and this is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:31 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\antivirus fix\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 8504 bytes
thanks, 4321
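As an added example (not the poster's code, nor anything shipped with HijackThis), here is a small Python triage pass over lines in HijackThis log format: it splits each entry into its section code and body and flags the things a responder scans a log like the one above for, namely entries marked "(file missing)", an O16 DPF entry with no download URL, an O4 autorun whose target is a bare file name, and an O23 service listed as "Unknown owner". The sample lines are constructed to mirror entries in this thread's log and are only a subset of it.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the HijackThis log format in this thread (not the full log).
SAMPLE_LOG = """\
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\\PROGRA~1\\MICROS~2\\Office12\\GRA8E1~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\\Program Files\\iolo\\common\\lib\\ioloServiceManager.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")

def parse_line(line: str):
    """Split one log line into (section code, body); None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage_entry(section: str, body: str) -> List[str]:
    """Return review reasons for one entry; an empty list means nothing stood out."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists (orphaned entry)")
    if section == "O16" and body.rstrip().endswith("-"):
        reasons.append("ActiveX download (DPF) entry with no source URL recorded")
    if section == "O4":
        # The target is the text after the [name] bracket; a bare file name has no directory.
        target = body.split("] ", 1)[-1].split(" ", 1)[0]
        if "\\" not in target:
            reasons.append("autorun target is a bare file name resolved via PATH")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no identifiable publisher")
    return reasons

def triage_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (section, body, reasons) for every entry that deserves a human look."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank lines, "End of file", and other non-entries
        reasons = triage_entry(*parsed)
        if reasons:
            flagged.append((parsed[0], parsed[1], reasons))
    return flagged

if __name__ == "__main__":
    for section, body, reasons in triage_log(SAMPLE_LOG):
        print(section, "|", body[:60], "|", "; ".join(reasons))
```

A flag here only means "look at this entry"; as the earlier reply says, most of what a log lists is harmless or required, so nothing should be removed on the strength of the script alone.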

Hi, I have a lot of viruses on my computer. If anybody knows anything about these viruses or can tell me what they do to the computer I would be very grateful. Also, if you know of anything that can help get rid of them that would be very appreciated!! Thank you.
This is what I think I have:
worm/generic.AJW
worm.delf.ATB
java/byteVerify
VBS/small.A
trojan horse exploit.downloader
trojan horse small.2.Z
trojan horse downloader/generic4.IPL
trojan horse generic9.AHAI
trojan horse downloader.zlob.UVA
trojan horse generic2.FRK
trojan horse PSW.onlinegames.AHOL
trojan horse PSW.onlinegames.AHOO
trojan horse PSW.onlinegames.X
trojan horse PSW.onlinegames.Z
downloader.swizzor
As you can see there is a lot. Please help me... what do I do?

You make up a new thread.
Some HELP in posting on Cnet plus free progs and instructions Glad to Help!
