Download TrojanHunter Now
Free 30-day trial!
Latest TrojanHunter Version:
TrojanHunter 5.0
Order Now
License file delivered within minutes.
Welcome, Guest. Please Login or Register.
Jul 5th, 2008, 6:03am
   Mischel Internet Security Forum
   Malware
   Adware, Browser Hijackers and other Malware (Moderators: Helena, Gavin_Coe, Magnus)
   malware still present after several scans		 « Previous topic | Next topic »
Pages: 1    Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: malware still present after several scans  (Read 2255 times)
shaolin
Newbie
*





   


Posts: 5
malware still present after several scans
« on: Jul 10th, 2006, 10:42pm »
Hey, I saw a thread in the forum about a specific trojan (http://forum.misec.net/board/Trojans/1142198471) , so I followed  the instructions and downloaded this and that, and scanned and all, but some stupid invisible file must have remained and ends up bringing everything back (yes, I turned system restore off) so I registered to please ask for some help.
 
I've scanned with Kaspersky, Panda, Hijackthis, Comodo AntiVirus (I also have Comodo firewall), Housecall (and by the way, my screen goes blank when housecall loads. I have to turn it off and on again), Yahoo anti-spy, Spybot, and Ad-aware. As I type, Housecall is still finishing up, so here are the most current logs:
 
Comodo didn't find anything this time, but it has sent a few trojans away;
Kaspersky didn't find anything this time either;
 
Panda:
 
Incident            Status    Location                                            
 
Adware:adware/miamore              Not disinfected     Windows Registry                                        
Possible Virus.               Not disinfected     C:\dell\xpp\D820\COMM\R118077\Utility\dmbcu.msi[unk_0085][F_SXKey.C6538EA3_2D23_43C7_A48E_1946AFCD6C70]                            
Possible Virus.               Not disinfected     C:\dell\xpp\D820\COMM\R118082\Utility\dmbcu.msi[unk_0084][F_SXKey.C6538EA3_2D23_43C7_A48E_1946AFCD6C70]                            
Spyware:Cookie/Apmebf              Not disinfected     C:\Documents and Settings\Marius Verius\Application Data\Mozilla\Firefox\Profiles\h0qcxlnj.default\cookies.txt[.apmebf.com/]                      
Spyware:Cookie/Com.com             Not disinfected     C:\Documents and Settings\Marius Verius\Application Data\Mozilla\Firefox\Profiles\h0qcxlnj.default\cookies.txt[.terra.com.br/]                          
Spyware:Cookie/Advertising         Not disinfected     C:\Documents and Settings\Marius Verius\Cookies\marius verius@advertising[1].txt                                
Spyware:Cookie/Apmebf              Not disinfected     C:\Documents and Settings\Marius Verius\Cookies\marius verius@apmebf[1].txt                                
Spyware:Cookie/Reliablestats            Not disinfected     C:\Documents and Settings\Marius Verius\Cookies\marius verius@stats1.reliablestats[2].txt                                
Possible Virus.               Not disinfected     C:\Documents and Settings\Marius Verius\Local Settings\Temporary Internet Files\Content.IE5\G16VOD2B\ATF-Cleaner[1].exe                            
 
******************
 
Ad-aware found 8 CnsMin and 3 tracking cookies (logfile is too long, but I'll post if you want)
 
Spybot found Advertising.com, Windows Security Center.AntiVirusOverride and Windows Security Center.FirewallOverride (again, log is way too long)
 
Hijackthis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 23:32:11, on 10/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Personal Firewall\CPF.exe
C:\Program Files\Comodo\LaunchPad\CLPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Cisco Systems\VPN\cvpnd.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Comodo\i-Vault\i-Vault.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\YPSR\ypsr.exe
C:\Marion\Arquivos\Programas\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www. yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www. yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www. yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.case.edu/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "c:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [KeyAccess] c:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Personal Firewall\CPF.exe sysrestart
O4 - HKLM\..\Run: [Comodo Launch Pad Tray] C:\Program Files\Comodo\LaunchPad\CLPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"  " /login"
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager]  -quiet
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN\vpngui.exe
O4 - Global Startup: Comodo AntiSpam.lnk = C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
O4 - Global Startup: KeyAccess.lnk = C:\WINDOWS\keyacc32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x 86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: KATRACK.DLL
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 
****************
 
Yahoo antispy found Trust Toolbar v3 and Advertising.com (not able to save log)
 
Should I fix everything I can right now or should I wait?
 
I won't post the housecall log because it will still take a while to finish, but if someone could please help, I'd really appreciate. Some of my problems are popups saying that my pc is infected (doh) and to download this stupid antivirus. There's another popup that is just a blank screen, but the title bar says that an error was detected, and the address is some 'winantivirus' deal. Another problem is that every time I start up my pc, the Windows/System32 folder opens up out of nowhere.
 
So please, if you guys know of a way to just clean the whole mess up once and for all (I've cleaned it up about 3 times and it comes back) I'd really appreciate it.
 
Thanks a lot.
 
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5467
Re: malware still present after several scans
« Reply #1 on: Jul 11th, 2006, 3:51am »
Welcome to the forum shaolin,  Wink
 
Quote:
Should I fix everything I can right now or should I wait?

 
I recommend that you go to START-SETTINGS-CONTROL PANEL-Internet Options and remove all your Temporary Internet Files and cookies plus the History files.  Clear your Firefox temp files and cookies too.
 
Download the trial version of TH if you do not have TH on system.  Run LiveUpdate to obtain the latest rulesets.  Open TH scanner and set ALL the options active under the OPTIONS icon in the icon bar.  
 
Reboot into SAFE MODE and run a full system scan with TH scanner.  Let it clean what it finds.
 
Reboot your computer and rescan with your security programs and let them clean what they find (except those labeled as "possible").  
 
Then reboot again and run another set of scans and see if things are cleared up.
 
Does this solve your issue?  If not, reboot again, run another HJT scan and post a new log here.  Also tell us what the remaining problems are.  Wink
 
Did the TH scan in SAFE MODE find anything?
 
 
« Last Edit: Jul 11th, 2006, 4:12am by siliconman01 » IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
shaolin
Newbie
*





   


Posts: 5
Re: malware still present after several scans
« Reply #2 on: Jul 11th, 2006, 8:16am »
Alright, I have downloaded and updated it, and I cleaned everything I could. I must go to work, though, so when I return I'll start in safe mode and scan, and let you know the results.
 
Thank you very much. =)
IP Logged
shaolin
Newbie
*





   


Posts: 5
Re: malware still present after several scans
« Reply #3 on: Jul 11th, 2006, 11:52am »
Well, TH found these:
 
Adware.MediaTickets.124
Adware.Virtumonde.100
Agent.100
Delf.100
 
and removed them, I believe, but on my next start, there it was: the system32 folder. I'll run all scans again and post the logs when I'm done.
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5467
Re: malware still present after several scans
« Reply #4 on: Jul 11th, 2006, 3:00pm »
Quote:
Adware.MediaTickets.124  
Adware.Virtumonde.100  
Agent.100  
Delf.100  
 
and removed them, I believe, but on my next start, there it was: the system32 folder. I'll run all scans again and post the logs when I'm done.

 
Keep in mind that when TrojanHunter "quarantines" a file, it does not do it in the standard fashion.  It neutralizes the malicious file by adding a .tcf extension to it.  For example, file badguy.exe becomes badguy.exe.tcf.  The file is not moved or deleted from the system...just neutralized.  If for some reason you wanted to reactivate the file, you would just need to remove the .tcf extension.  
(Version 4.6 of TH will change its method for this.  It will move the offending file to a quarantine folder...like most other security programs do.  V4.6 is in beta testing now and no target date for release is provided.)
 
Look forward to seeing your new scan logs.
IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
shaolin
Newbie
*





   


Posts: 5
Re: malware still present after several scans
« Reply #5 on: Jul 11th, 2006, 5:17pm »
Alright, all the scans this time were clean. I did everything again, including TH.
 
BUT... the system32 folder keeps opening at startup.
 
Here's my Hijackthis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 18:16:32, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Cisco Systems\VPN\cvpnd.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Personal Firewall\CPF.exe
C:\Program Files\Comodo\LaunchPad\CLPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Comodo\Comodo AntiSpam\CasProc.exe
C:\Marion\Arquivos\Programas\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www. yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www. yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.case.edu/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: DiABLO - {487CA274-DDC9-45CA-BF51-2017CE8D6D8A} - C:\Program Files\Comodo\i-Vault\i-Vault.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58A4388C-D0DC-478A-8D0A-8CE3967B5490} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ESigil Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\ESigil.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "c:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [KeyAccess] c:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Personal Firewall\CPF.exe sysrestart
O4 - HKLM\..\Run: [Comodo Launch Pad Tray] C:\Program Files\Comodo\LaunchPad\CLPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"  " /login"
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager]  -quiet
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN\vpngui.exe
O4 - Global Startup: Comodo AntiSpam.lnk = C:\Program Files\Comodo\Comodo AntiSpam\CAS32.exe
O4 - Global Startup: KeyAccess.lnk = C:\WINDOWS\keyacc32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\caslsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x 86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: KATRACK.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 
Thanks
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5467
Re: malware still present after several scans
« Reply #6 on: Jul 11th, 2006, 8:54pm »
Certainly glad to here you are cleaned up.  Please read these links concerning the system32 folder opening on startup.
 
http://pressf1.pcworld.co.nz/archive/index.php/t-41892.html
 
http://www.infopackets.com/channels/en/windows/gazette/2006/20060405_sys tem32_folder_opens_at_startup.htm
 
http://ask-leo.com/why_does_my_system32_folder_open_when_i_log_in.html
 
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21896134.html
 
I suspect it is related to one of the entries in your RUN registry as mentioned in these articles.  Hopefully you can find it as you read the articles.  It's not a spyware issue; it's a registry entry issue.  
 
Please let us know if you find the problem after perusing these articles and investigating your computer.
 
If you Google  system32 folder opens on startup you will find many more articles about this.
« Last Edit: Jul 12th, 2006, 12:13am by siliconman01 » IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
shaolin
Newbie
*





   


Posts: 5
Re: malware still present after several scans
« Reply #7 on: Jul 14th, 2006, 3:09pm »
Hey, sorry for the delay on a reply; I was kinda unavailable.
 
So, I checked out all of those websites and threads, but none of the methods worked for me. Since I knew, however, that the problem was in the registry, I looked for a repairing program and found one called Advanced WindowsCare right there on Download.com, free licence. =) It worked great for me, so now my pc is running as smoothly as ever!! I reccomend that if anyone runs into reg problems that they can't fix.
 
Thanks so much for all your help and support!
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5467
Re: malware still present after several scans
« Reply #8 on: Jul 14th, 2006, 3:27pm »
Hey, glad you are back to normal !   Cheesy
 
And thanks for the tip on Advanced WindowsCare.
IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5467
Re: malware still present after several scans
« Reply #9 on: Aug 15th, 2006, 2:09am »
Fixed and thread Locked.  Please create a new post if assistance is needed on this topic.
IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Pages: 1    Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »
Search
Members
Login
Register