  #1 - Member (joined Jun 2004)

    Ugly, ugly computer - worm.win32.netsky - HELP

    Hi --
    I'm helping a friend with her computer, because she does not have the patience to try and deal with the problems. This one is UGLY.

    First off - We have constant Internet Explorer windows opening up randomly pointing to sites such as "xpantiviruspro.com/2008/3/_freescan.php?aid=880028", "MalwareCrush Online", Scanner.adwareremover2007.com, Secure PCCleaner, and safenavweb.com. XPantivirus seems to like to randomly run its own scan and it's almost impossible to stop - and it will not go away. We were also warned that we are infected with "worm.win32.netsky".
    There are also constant security warning pop ups that I know are not normal on this computer, as well as three desktop icons to virus scans that just appeared there. Also the background image on the desktop was changed to "DANGER PC"..something we also did not do.

    I have been attempting to do your directions as stated in the beginning of the forum, starting with Panda Activescan and Housecall for the last day and a half. However I started with doing the LSP-fix per the article since I was having internet access problems. It did not find anything to delete, and the internet worked nicely for me for about 35 minutes then I was back to all of pop ups, warnings and extremely slow processes.

    While it worked for that 35 minutes I began to attempt to run Panda ActiveScan again. It will not let me run Panda at all; it gets as far as their start-up page and never will begin scanning because these other windows take over and stop the process.

    I then skipped to Housecall. It seemed to have scanned even though it took me 3 hours to get it going due to the popups. However now, it says that it's done, but it claims it will be 18 - 20 hours before it shows me the results.

    Is there anything else I can do in the meantime that will allow me to run these scans and go through your "do this first" post?

    Thank you!!!!!!

  #2 - Member (joined Dec 2002)

    Go ahead and post a HJT log:

    Download ...

    HiJackThis log - Trend Micro HijackThis 2.0.2
    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log (no attachments) into your next post.

    DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
    DO NOT have Hijackthis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System, a spyware fighter will guide you.

    BG

  #3 - Member (joined Jun 2004)

    As requested, here is the HijackThis log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:39:11 AM, on 1/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    R3 - URLSearchHook: (no name) - - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: (no name) - (@J - (no file)
    O2 - BHO: (no name) - rsion - (no file)
    O2 - BHO: (no name) - x?07962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0B2250E7-8E38-36B7-6548-0591625E159A} - C:\Program Files\zetmqvil\svzyimqt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O2 - BHO: (no name) - 0-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
    O2 - BHO: (no name) - ?B4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    O2 - BHO: (no name) - $49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O3 - Toolbar: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ytarkzgr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ytarkzgr.dll"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=zuzeb004YYUS
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193622604296
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O22 - SharedTaskScheduler: homina - {df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4} - C:\WINDOWS\system32\oyopu.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    --
    End of file - 11880 bytes

  #4 - steamwiz, Member (joined Sep 2003, Yorkshire U.K.)

    Hi

    Normally I would not have you clean with HijackThis at this stage, as it only shows the "tip of the iceberg".

    However, to make it easier for you to run the other programs I need you to run ...

    Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the entries listed below. When all are ticked (checked), click the Fix Checked button at the bottom:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

    R3 - URLSearchHook: (no name) - - (no file)

    O2 - BHO: (no name) - (@J - (no file)
    O2 - BHO: (no name) - rsion - (no file)
    O2 - BHO: (no name) - x?07962-6F74-2D53-2644-206D7942484F} - (no file)

    O2 - BHO: (no name) - {0B2250E7-8E38-36B7-6548-0591625E159A} - C:\Program Files\zetmqvil\svzyimqt.dll

    O2 - BHO: (no name) - 0-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
    O2 - BHO: (no name) - ?B4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    O2 - BHO: (no name) - $49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

    O4 - HKLM\..\Run: [ytarkzgr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ytarkzgr.dll"

    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm

    O22 - SharedTaskScheduler: homina - {df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4} - C:\WINDOWS\system32\oyopu.dll (file missing)

    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


    THEN ...

    Download Superantispyware.

    http://www.superantispyware.com/

    Once downloaded and installed, update the definitions
    and then run a full system scan; quarantine what it finds!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    THEN ...

    Please download Combofix: http://download.bleepingcomputer.com...a/ComboFix.exe
    and save to the desktop.

    1. Double click on combo.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Notes:
    * Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
    * Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

    Please remember to post :-

    1. SUPERAntiSpyware Scan Log
    2. C:\ComboFix.txt
    3. a new hijackthis log.( run after everything else)

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP.
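    A triage script for the kind of HijackThis log posted in this thread, added here as an example; it is not part of the original posts nor of HijackThis itself. It encodes the heuristics behind the entries chosen for fixing above (orphaned entries, malformed CLSIDs, unnamed BHOs loading a real DLL, Run keys invoking regsvr32 from Application Data, Active Desktop components served from a local file, a start page on an unexpected host); the sample log lines and the yahoo.com allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis 2.0.2 log posted above:
# several of its entries, plus a few known-good ones for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - (@J - (no file)
O2 - BHO: (no name) - {0B2250E7-8E38-36B7-6548-0591625E159A} - C:\Program Files\zetmqvil\svzyimqt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ytarkzgr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ytarkzgr.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O22 - SharedTaskScheduler: homina - {df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4} - C:\WINDOWS\system32\oyopu.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# "R0 - ...", "F2 - ...", "O23 - ..." : section code, then the entry body.
LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# A well-formed registry CLSID: {8-4-4-4-12 hex digits}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Locations a legitimately installed startup component would not normally run from.
ODD_DIRS = ("\\application data\\", "\\temp\\")


def triage_line(line, expected_domains=("yahoo.com",)):
    """Return the reasons an HJT line deserves a closer look ([] if none).

    expected_domains is the user's known-good home/search sites (assumed here).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []

    # Any load point whose target is gone is clutter at best, a leftover at worst.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: target file is missing")

    # R0/R1: browser start and search pages; compare the host to the allowlist.
    if section in ("R0", "R1") and " = " in body:
        url = body.split(" = ", 1)[1]
        host = urlparse(url).hostname or ""
        if host and not any(host == d or host.endswith("." + d) for d in expected_domains):
            reasons.append(f"browser start/search page points at unexpected host {host}")

    # O2: "BHO: name - {CLSID} - path"
    if section == "O2":
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3:
            clsid, path = parts[-2], parts[-1]
            if not GUID_RE.match(clsid):
                reasons.append(f"malformed CLSID {clsid!r}")
            if parts[0] == "BHO: (no name)" and path != "(no file)":
                reasons.append("unnamed BHO loading a real DLL")

    # O4: Run keys; flag regsvr32 launches and anything living in data/temp dirs.
    if section == "O4":
        low = body.lower()
        if "regsvr32" in low:
            reasons.append("Run key invokes regsvr32 (DLL (un)registration at every logon)")
        if any(d in low for d in ODD_DIRS):
            reasons.append("startup item runs from a data/temp directory")

    # O24: Active Desktop components pulled from a local file replace the wallpaper.
    if section == "O24" and "file:///" in body:
        reasons.append("Active Desktop component served from a local file")

    return reasons


def triage_log(text, expected_domains=("yahoo.com",)):
    """Map every flagged log line to its reasons, preserving log order."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line, expected_domains)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("    ->", r)
```

    Entries that pass the heuristics are not proven clean, and flagged ones are not proven bad; the output is a reading order for the log, not a fix list.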

  #5 - Member (joined Jun 2004)

    Here is the scan log from SUPERAntiSpyware:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/05/2008 at 03:51 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3374
    Trace Rules Database Version: 1369

    Scan type : Complete Scan
    Total Scan Time : 01:10:19

    Memory items scanned : 622
    Memory threats detected : 2
    Registry items scanned : 4499
    Registry threats detected : 1
    File items scanned : 47288
    File threats detected : 180

    Trojan.Unclassified/Out-Variant
    C:\PROGRAM FILES\ZETMQVIL\SVZYIMQT.DLL
    C:\PROGRAM FILES\ZETMQVIL\SVZYIMQT.DLL
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\YTARKZGR.DLL
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\YTARKZGR.DLL

    AdwareFilter Toolbar
    HKU\S-1-5-21-1644491937-57989841-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{1028F737-81E7-452B-A860-E50CAD90A08C}

    Adware.Tracking Cookie

    Desktop Hijacker.AboutYourPrivacy
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\images
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\privacy_danger
    C:\Documents and Settings\Owner\Desktop\Error Cleaner.url
    C:\Documents and Settings\Owner\Desktop\Privacy Protector.url
    C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url
    C:\Documents and Settings\Owner\Favorites\Error Cleaner.url
    C:\Documents and Settings\Owner\Favorites\Privacy Protector.url
    C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url

    Adware.Accoona
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\SAREMOVE.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{75C4B3F9-3388-4654-A5BE-8C4EF2976CB7}\RP901\A0071564.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{75C4B3F9-3388-4654-A5BE-8C4EF2976CB7}\RP901\A0071567.EXE

    Rogue.AdvancedCleaner
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Q9T2GNZK\ADCFREEINSTALLER[1].EXE

    Trojan.Downloader-Gen/MobRules
    C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080105-143056-789.DLL

    Adware.Starware
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{75C4B3F9-3388-4654-A5BE-8C4EF2976CB7}\RP891\A0057990.EXE

    Trojan.NewDotNet-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{75C4B3F9-3388-4654-A5BE-8C4EF2976CB7}\RP901\A0071565.EXE

    Adware.WhenU
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{75C4B3F9-3388-4654-A5BE-8C4EF2976CB7}\RP901\A0071566.EXE

    Trojan.Media-Codec/NewMedia
    C:\WINDOWS\NMCUNINSTALL.EXE

    Here is the log file from ComboFix:

    ComboFix 08-01-06.4 - Owner 2008-01-05 17:26:50.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.81 [GMT -8:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
    .

    2008-01-05 17:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-05 14:34 . 2008-01-05 14:38 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-05 14:34 . 2008-01-05 14:34 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-05 09:36 . 2008-01-05 09:36 d-------- C:\Program Files\Trend Micro
    2008-01-04 20:30 . 2008-01-04 20:30 118 --a------ C:\WINDOWS\system32\MRT.INI
    2008-01-04 16:15 . 2008-01-04 16:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-01-04 16:15 . 2008-01-04 16:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-01-04 16:13 . 2008-01-04 16:14 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-01-04 16:12 . 2008-01-04 16:24 d-------- C:\WINDOWS\system32\ActiveScan
    2008-01-04 15:23 . 2008-01-04 15:23 22 --a------ C:\WINDOWS\kodakpcd.Owner.ini
    2008-01-04 12:58 . 2008-01-05 17:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-04 12:58 . 2008-01-04 12:58 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-05 22:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-01-05 04:26 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-01-05 03:56 --------- d-----w C:\Program Files\Lavasoft
    2008-01-05 03:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
    2008-01-04 21:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-01 02:36 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2005-09-24 19:30 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43 4670704]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 05:56 15360]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42 1404928]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05 122939]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
    "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-06-26 12:48 509224]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-08-02 12:33 368720]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19 129536]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 02:04 57344]
    "FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 10:59 151552]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-03 12:33 1838592]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
    "osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-13 23:11 771704]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 06:26:28]
    ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-17 12:20:06]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


    *Newly Created Service* - COMHOST
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-06 01:13:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2008-01-06 01:20:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2007-11-01 02:46:28 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Owner.job"
    - C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-05 17:30:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-05 17:31:30
    .
    2008-01-04 21:46:08 --- E O F ---

    And last but not least, the new Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:33:30 PM, on 1/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=zuzeb004YYUS
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193622604296
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 10318 bytes

    Everything so far is running beautifully. The computer itself seems to have sped up quite a bit, too.

  6. #6 steamwiz (Member, Yorkshire U.K.; joined Sep 2003; 14,022 posts, 2335 points)

    Hi

    All your logs are clean...

    I am very surprised that Combofix was clean & showed so few files, considering what SUPERAntiSpyware found ... but it's clean nonetheless ...

    Now that your computer is clean it's a good idea to purge your system restore (going back to a saved restore point could put all the infections you had back)

    This will clear all your infected restore points...

    Turn off (Disable) System Restore in XP :-

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    Then...

    Turn on (enable) System Restore :-

    Follow the same procedure, but this time uncheck Turn off System Restore

    If you have any problem with this... here's a link to instructions :-

    Disabling or enabling Windows XP System Restore >

    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8 . Member ASAP
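
The same purge that steamwiz describes with mouse clicks, as an added script example that is not part of his post or of any tool named in this thread. It lists the restore points, runs the disable/re-enable cycle on the system drive (assumed to be C:\, as in the logs above) and confirms that the old points, including the _RESTORE{...}\RPnnn copies SUPERAntiSpyware flagged, are gone; it assumes PowerShell 2.0 or later on XP SP3 or newer, run from an elevated shell.

```powershell
# Added example, not from the original post: purge infected System Restore
# points by script, the same disable / re-enable cycle as the manual steps.
# Assumes PowerShell 2.0+ on XP SP3 or later, run elevated; the
# *-ComputerRestore cmdlets are Windows-only.
param(
    [string]$Drive = 'C:\'   # assumed system drive, matching the logs above
)

function Get-RestorePointSummary {
    # The current restore points: exactly what a rollback would put back,
    # infected files included.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
}

Write-Host "Restore points before purge:"
$before = Get-RestorePointSummary
$before | Format-Table -AutoSize

# Disabling System Restore on a drive deletes every restore point stored on it,
# which is why the detections under C:\SYSTEM VOLUME INFORMATION\_RESTORE{...}
# disappear after this step.
Disable-ComputerRestore -Drive $Drive

# Re-enable so the machine is protected again after the clean-up.
Enable-ComputerRestore -Drive $Drive

# Verify: nothing from before the purge should remain.
$after = Get-RestorePointSummary
if ($after) {
    Write-Warning "Restore points still present after purge:"
    $after | Format-Table -AutoSize
} else {
    Write-Host "All old restore points removed."
    # Take a fresh baseline now that the scanners report the system clean,
    # so there is a known-good point to roll back to later.
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'
}
```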

  7. #7 (Member; joined Jun 2004; 32 posts, 1 point)

    Thank you ever so much for your time and expertise. My friend is going to flip - she didn't believe it would ever be fixed! (BTW... your town is beautiful, been there once.)

    Have a wonderful week.

  8. #8 steamwiz (Member, Yorkshire U.K.; joined Sep 2003; 14,022 posts, 2335 points)

    Hi

    From the help2go team

    You're very welcome

    Glad we could help :wink:

    I'll lock this thread now that it is resolved...

    Should the original poster require it to be re-opened, please PM a moderator ... thanks

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8 . Member ASAP