
Security >> HijackThis logs help and analysis
sol2soul77
new user


Reg'd: Tue
Posts: 2
spyware infection ....
      #389443 - Tue Mar 25 2008 10:04 PM

hi

My computer has been running really slowly and my background has been replaced with a blank screen with the caption "warning spyware detected". My internet connection speed has deteriorated and multiple pages to sites I don't use open up as well. Please help.

Attached is my HJT report.

Logfile of HijackThis v1.99.1
Scan saved at 20:39:17, on 25/03/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\tsnpstd3.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\UMStor\Res.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {51C58BEE-AF12-4295-8668-2D6630A7A0EB} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: BrowsingTool - {D0661233-42D4-F7F1-80E1-8A9E0E99E71D} - C:\Program Files\BrowsingTool\BrowsingTool-2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\WINDOWS\UMStor\Res.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsof...b?1194970102779
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1194970090685
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.com/a/install1609.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

kind regards


Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 10701
Loc: London
Re: spyware infection .... [Re: sol2soul77]
      #389493 - Wed Mar 26 2008 01:38 PM

Hi sol2soul77,

  1. Download ComboFix.exe using either of these links:

    Link 1
    Link 3

  2. Double click on combofix.exe to run the programme & then follow the prompts.

    It will create a new system restore point and registry backup.

    You will be asked to type 1 (One) and then "enter" to run the programme.

    Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click yes.

  3. When finished, it will produce a log for you. Save the log, then copy and post it back here with a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Joe.

--------------------
If I have helped you in any way, please consider a donation:

Joe's WebSite.

Member of UNITE and ASAP.


sol2soul77
new user


Reg'd: Tue
Posts: 2
Re: spyware infection .... [Re: Joe_London]
      #389676 - Thu Mar 27 2008 10:49 PM

Hi Joe,

Attached is the ComboFix log:
ComboFix 08-03-26.3 - sol2soul 2008-03-27 22:26:08.5 - NTFSx86
Running from: C:\Documents and Settings\sol2soul\Desktop\ComboFix2.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 20:40 . 2008-03-27 20:40 <DIR> d-------- C:\ComboFix
2008-03-26 07:21 . 2008-03-25 22:21 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-26 07:21 . 2008-03-26 07:21 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-25 23:25 . 2008-03-25 23:25 122 --a------ C:\WINDOWS\wininit.ini
2008-03-25 22:16 . 2008-03-25 22:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-25 22:16 . 2008-03-26 14:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-25 20:36 . 2008-03-25 20:36 269,334 --a------ C:\WINDOWS\system32\mtknmdgjmpknmp.bmp
2008-03-25 20:31 . 2008-03-25 20:31 269,334 --a------ C:\WINDOWS\system32\hkfetoril.bmp
2008-03-25 19:31 . 2008-03-25 19:31 269,334 --a------ C:\WINDOWS\system32\rmtkralonid.bmp
2008-03-25 19:24 . 2008-03-27 22:22 <DIR> d-------- C:\Program Files\Symantec
2008-03-25 19:24 . 2008-03-25 19:24 <DIR> d-------- C:\Documents and Settings\sol2soul\Application Data\Symantec
2008-03-25 19:24 . 2008-03-27 22:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-03-25 19:23 . 2008-03-27 22:24 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-24 23:57 . 2001-08-18 14:00 88,064 --a------ C:\WINDOWS\system32\clusap.dll
2008-03-24 22:58 . 2008-03-24 22:58 <DIR> d-------- C:\Documents and Settings\sol2soul\Application Data\Anti-Virus-Pro.com
2008-03-24 22:57 . 2008-03-24 23:13 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-03-24 22:57 . 2008-03-24 22:57 269,334 --a------ C:\WINDOWS\system32\tsrmdsbal.bmp
2008-03-24 14:49 . 2008-03-24 19:42 868,352 --a------ C:\ffastunT.ffl
2008-03-14 16:39 . 2008-03-15 08:00 <DIR> d-------- C:\Documents and Settings\pavlinka\Application Data\AVG7
2008-03-12 10:59 . 2008-03-12 10:59 8,617 --a------ C:\WINDOWS\extend.dat
2008-03-02 11:47 . 2008-03-27 08:00 <DIR> d-------- C:\Documents and Settings\sol2soul\Application Data\AVG7
2008-03-02 11:47 . 2008-03-02 11:47 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-03-02 11:46 . 2008-03-02 11:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-02 11:46 . 2008-03-03 08:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 22:29 --------- d-----w C:\Documents and Settings\sol2soul\Application Data\Skype
2008-03-27 21:44 --------- d-----w C:\Program Files\BrowsingTool
2008-03-27 21:02 --------- d-----w C:\Documents and Settings\sol2soul\Application Data\LimeWire
2008-03-25 23:24 --------- d-----w C:\Program Files\SpyShredder
2008-02-25 11:07 --------- d-----w C:\Program Files\TalkTalk Online Security
2008-02-24 12:44 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-24 12:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-24 12:43 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-24 12:43 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-02-24 12:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Teleca
2008-02-24 12:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Sony Ericsson
2008-02-21 17:17 --------- d-----w C:\Program Files\ICQLite
2008-02-21 13:22 --------- d-----w C:\Program Files\MSN Messenger
2008-02-20 07:46 --------- d-----w C:\Program Files\ICQToolbar
2008-02-19 21:56 --------- d-----w C:\Documents and Settings\sol2soul\Application Data\ICQLite
2008-02-16 14:00 --------- d-----w C:\Program Files\FBrowserAdvisor
2008-02-15 21:25 --------- d-----w C:\Program Files\LimeWire
2008-02-15 21:24 --------- d-----w C:\Program Files\Java
2008-02-15 21:19 --------- d-----w C:\Program Files\Common Files\Java
2004-04-19 01:54 139,264 ----a-w C:\Program Files\MSI20Wiz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-26_20.34.31.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-26 20:09:32 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-03-27 20:44:55 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{237B0715-490B-427E-941E-D89B4042D7D1}]
2001-08-18 14:00 88064 --a------ C:\WINDOWS\System32\clusap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51C58BEE-AF12-4295-8668-2D6630A7A0EB}]
2001-08-18 14:00 88064 --a------ C:\WINDOWS\System32\clusap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71D0F621-871B-47D5-9191-C2B5ED5B5A5F}]
2001-08-18 14:00 88064 --a------ C:\WINDOWS\System32\clusap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BE501CE-D618-4F1D-A4D1-1EBF1C0A90F5}]
2001-08-18 14:00 88064 --a------ C:\WINDOWS\System32\clusap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0661233-42D4-F7F1-80E1-8A9E0E99E71D}]
2007-12-30 20:48 1019904 --a------ C:\Program Files\BrowsingTool\BrowsingTool-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-18 14:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 16:30 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 10:00 299008]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-11-29 16:28 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"USB Storage Toolbox"="C:\WINDOWS\UMStor\Res.EXE" [2005-09-14 20:44 65536]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 10:06 3144800]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2001-08-18 14:00 135680]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-02 11:47 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-08-18 14:00 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-02 11:47 219136]

C:\Documents and Settings\sol2soul\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 21:32:57 147456]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\digital imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-01 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-01 51984]
Phone Connection Monitor.lnk - C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe [2007-12-15 01:05:21 754176]

R3 iadusb;MT882;C:\WINDOWS\System32\DRIVERS\glauiad.sys [2006-07-27 15:37]
R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\System32\DRIVERS\V0260Vid.sys [2006-11-03 22:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 19:39:39 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 22:29:34
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NAVAP]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\NAVAP.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\navapsvc]
"ImagePath"="C:\Program Files\Norton AntiVirus\navapsvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NAVENG]
"ImagePath"="\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20010808.016\NAVENG.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NAVEX15]
"ImagePath"="\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20010808.016\NAVEX15.SYS"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NISSERV]
"ImagePath"="\"C:\Program Files\Norton Internet Security\NISSERV.EXE\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NISUM]
"ImagePath"="\"C:\Program Files\Norton Internet Security\NISUM.EXE\""
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SBService]
"ImagePath"="C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMDNS]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SYMDNS.SYS"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMFW]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SYMFW.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMNDIS]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SYMNDIS.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SymProxySvc]
"ImagePath"="\"C:\Program Files\Norton Internet Security\SymProxySvc.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMREDRV]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS"
.
Completion time: 2008-03-27 22:31:26
ComboFix-quarantined-files.txt 2008-03-27 22:30:33
ComboFix2.txt 2008-03-27 20:52:23
ComboFix3.txt 2008-03-26 20:38:05
Pre-Run: 17,781,735,424 bytes free
Post-Run: 17,766,785,024 bytes free
.
2008-02-20 23:02:05 --- E O F ---

And the fresh HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 22:48:22, on 27/03/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\UMStor\Res.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {0B0DBFBA-AF58-4E14-B01C-51EB9E1F6BDC} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {237B0715-490B-427E-941E-D89B4042D7D1} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: (no name) - {51C58BEE-AF12-4295-8668-2D6630A7A0EB} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {71D0F621-871B-47D5-9191-C2B5ED5B5A5F} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7BE501CE-D618-4F1D-A4D1-1EBF1C0A90F5} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: BrowsingTool - {D0661233-42D4-F7F1-80E1-8A9E0E99E71D} - C:\Program Files\BrowsingTool\BrowsingTool-2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\WINDOWS\UMStor\Res.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsof...b?1194970102779
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1194970090685
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.com/a/install1609.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

cheers sol


Joe_LondonModerator
HijackThis Helper


Reg'd: Tue
Posts: 10701
Loc: London
Re: spyware infection .... [Re: sol2soul77]
      #389703 - Fri Mar 28 2008 09:47 AM

Hi Sol,

I strongly recommend that you uninstall Limewire via the add/remove utility in the control panel.

For further information please read this article by Taz CC:
http://www.castlecops.com/t204179-P2P_programs_we_ask_that_you_remove_first.html

Open Hijackthis, take another scan and place a checkmark next to these entries.

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {0B0DBFBA-AF58-4E14-B01C-51EB9E1F6BDC} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: (no name) - {237B0715-490B-427E-941E-D89B4042D7D1} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: (no name) - {51C58BEE-AF12-4295-8668-2D6630A7A0EB} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: (no name) - {71D0F621-871B-47D5-9191-C2B5ED5B5A5F} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: (no name) - {7BE501CE-D618-4F1D-A4D1-1EBF1C0A90F5} - C:\WINDOWS\System32\clusap.dll
O2 - BHO: BrowsingTool - {D0661233-42D4-F7F1-80E1-8A9E0E99E71D} - C:\Program Files\BrowsingTool\BrowsingTool-2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.com/a/install1609.cab

Close all open windows except HijackThis and click on "Fix checked".

Open Windows Explorer, Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/ folders:

files...
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\unins000.exe
C:\WINDOWS\unins000.dat
C:\WINDOWS\system32\mtknmdgjmpknmp.bmp
C:\WINDOWS\system32\hkfetoril.bmp


folders...
C:\Program Files\LimeWire
C:\Documents and Settings\sol2soul\Application Data\Anti-Virus-Pro.com
C:\Program Files\AntiVirusPro
C:\Program Files\BrowsingTool
C:\Documents and Settings\sol2soul\Application Data\LimeWire
C:\Program Files\SpyShredder
C:\Program Files\ICQToolbar
C:\Program Files\FBrowserAdvisor

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

Reboot the Computer to allow the changes to take effect.

You are running an old version of Sun Java which needs updating:
  • Go here and click on the Download button to the right of Java Runtime Environment (JRE) 6u5.
  • Accept the license agreement by clicking the appropriate radio button and then continue.
  • Under Windows Platform - Java(TM) SE Runtime Environment 6 Update 5, click the Windows Offline Installation, Multi-language link.
  • Go to Add/Remove Programs and remove any entries that refer to Java 2 Runtime Environment and then reboot your PC.
  • Navigate to and delete the following folder, if it exists: C:\Program Files\Java.
  • Finally double click the installation file that you downloaded earlier.


Open Hijackthis,
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.

  1. Double click on combofix.exe to run the programme & then follow the prompts.

    It will create a new system restore point and registry backup.

    You will be asked to type 1 (One) and then "enter" to run the programme.

    Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click yes.

  2. When finished, it will produce a log for you. Save the log, then copy and post it back here with a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the following:
  1. A new Hijackthis log
  2. The Uninstall List.
  3. The Combofix log.


This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.

--------------------
If I have helped you in any way, please consider a donation:

Joe's WebSite.

Member of UNITE and ASAP.

