Author Topic: [Resolved] My internet running on its "Own"  (Read 7465 times)

Offline 1dee1doug

  • Bronze Member
  • Posts: 14
Re: [In Progress] My internet running on its "Own"
« Reply #15 on: November 14, 2008, 01:07:07 PM »
This has been completely above what I really understand.  I hope I have complied.

When I finally got a desktop back after ComboFix, I still got the "Windows Installer" window back.  It tries to install ccCommon and says it can't.  I have no idea what that is.

The "net stop gmer" said "........does not exist".

I've run everything in your instructions (ComboFix, ATF Cleaner, GMER) before I did another HJT log.  I may not have done that right?

ComboFix 08-11-12.02 - Dee Lytle 2008-11-14 10:24:19.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.248 [GMT -8:00]
Running from: c:\documents and settings\Dee Lytle\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\uninstall information
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\system32\crosof~1.net

.
(((((((((((((((((((((((((   Files Created from 2008-10-14 to 2008-11-14  )))))))))))))))))))))))))))))))
.

2008-11-12 08:40 . 2008-09-04 09:15   1,106,944   -----c---   c:\windows\system32\dllcache\msxml3.dll
2008-11-12 08:40 . 2008-10-24 03:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 11:05 . 2008-11-08 11:05   <DIR>   d----c---   c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-07 11:23 . 2008-11-07 11:23   <DIR>   d--------   c:\documents and settings\LocalService\Application Data\agi
2008-11-07 11:06 . 2008-11-07 11:22   <DIR>   d--------   c:\documents and settings\Dee Lytle\Application Data\agi
2008-11-07 11:06 . 2008-11-07 11:19   <DIR>   d--------   c:\documents and settings\All Users\Application Data\agi
2008-11-07 11:04 . 2008-11-07 11:18   2,117,632   --a------   c:\windows\system32\python25.dll
2008-11-07 11:04 . 2008-09-16 08:26   1,332,197   --a------   c:\windows\system32\pythondll.zip
2008-11-07 11:04 . 2008-11-07 11:18   339,968   --a------   c:\windows\system32\pythoncom25.dll
2008-11-07 11:04 . 2008-11-07 11:18   114,688   --a------   c:\windows\system32\pywintypes25.dll
2008-11-07 11:03 . 2008-11-07 11:04   <DIR>   d--------   c:\program files\AGI
2008-11-05 17:17 . 2008-11-05 17:16   410,976   --a------   c:\windows\system32\deploytk.dll
2008-11-05 17:17 . 2008-11-05 17:16   73,728   --a------   c:\windows\system32\javacpl.cpl
2008-11-05 13:03 . 2008-11-05 14:07   <DIR>   d--------   c:\program files\EsetOnlineScanner
2008-11-05 11:06 . 2008-11-05 11:06   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-11-05 11:06 . 2008-11-05 11:06   <DIR>   d--------   c:\documents and settings\Dee Lytle\Application Data\Malwarebytes
2008-11-05 11:06 . 2008-11-05 11:06   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 11:06 . 2008-10-22 16:28   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 11:06 . 2008-10-22 16:28   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-10-31 19:49 . 2008-10-31 19:49   <DIR>   d--------   c:\program files\Trend Micro
2008-10-24 12:26 . 2008-11-09 13:07   54,156   --ah-----   c:\windows\QTFont.qfn
2008-10-24 12:26 . 2008-10-24 12:26   1,409   --a------   c:\windows\QTFont.for
2008-10-24 06:44 . 2008-10-15 08:34   337,408   -----c---   c:\windows\system32\dllcache\netapi32.dll
2008-10-15 15:11 . 2008-09-08 02:41   333,824   -----c---   c:\windows\system32\dllcache\srv.sys
2008-10-15 15:10 . 2008-08-14 02:11   2,189,184   -----c---   c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 15:10 . 2008-08-14 02:09   2,145,280   -----c---   c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 15:10 . 2008-08-14 01:33   2,066,048   -----c---   c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 15:10 . 2008-08-14 01:33   2,023,936   -----c---   c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 15:10 . 2008-09-15 04:12   1,846,400   -----c---   c:\windows\system32\dllcache\win32k.sys
2008-10-14 15:37 . 2008-10-14 15:37   <DIR>   d--------   c:\documents and settings\All Users\Application Data\LogiShrd
2008-10-14 15:34 . 2008-10-14 15:34   0   --ah-----   c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-14 15:34 . 2008-10-14 15:34   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-10-14 15:34 . 2008-10-14 15:34   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-10-14 15:29 . 2008-11-05 16:23   <DIR>   d--------   c:\program files\Common Files\Logishrd

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 18:16   ---------   d-----w   c:\program files\Common Files\Symantec Shared
2008-11-14 18:02   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 06:18   ---------   d-----w   c:\program files\Spyware Doctor
2008-11-13 22:51   ---------   d-----w   c:\program files\Quicken
2008-11-13 06:12   ---------   d-----w   c:\program files\Common Files\Adobe
2008-11-07 19:23   ---------   d-----w   c:\program files\Webshots
2008-11-07 19:22   ---------   d-----w   c:\documents and settings\Dee Lytle\Application Data\Webshots
2008-11-07 19:18   348,160   ----a-w   c:\windows\system32\MSVCR71.DLL
2008-11-07 18:01   ---------   d-----w   c:\program files\Google
2008-11-06 01:16   ---------   d-----w   c:\program files\Java
2008-11-06 00:33   ---------   d-----w   c:\program files\Common Files\Logitech
2008-11-06 00:22   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-03 22:10   ---------   d-----w   c:\program files\Norton 360 Premier Edition
2008-10-26 23:18   ---------   d-----w   c:\documents and settings\Dee Lytle\Application Data\Corel
2008-10-26 22:24   1,890   --sha-w   c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 14:17   ---------   d-----w   c:\program files\Microsoft Silverlight
2008-10-06 22:37   ---------   d-----w   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 02:15   ---------   d-----w   c:\program files\Picasa2
2008-10-02 19:40   ---------   d-----w   c:\documents and settings\All Users\Application Data\SecTaskMan
2008-10-01 00:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-09-29 15:47   ---------   d-----w   c:\documents and settings\LocalService\Application Data\PC Tools
2008-09-28 21:11   ---------   d-----w   c:\program files\Avery Wizard
2008-09-15 12:12   1,846,400   ----a-w   c:\windows\system32\win32k.sys
2008-09-10 01:14   1,307,648   ----a-w   c:\windows\system32\msxml6.dll
2008-09-07 00:40   60,800   ----a-w   c:\windows\system32\S32EVNT1.DLL
2008-09-04 17:15   1,106,944   ----a-w   c:\windows\system32\msxml3.dll
2008-08-26 07:24   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-08-25 20:23   112,384   ----a-w   c:\documents and settings\Dee Lytle\Application Data\GDIPFONTCACHEV1.DAT
2008-08-14 10:11   2,189,184   ----a-w   c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33   2,066,048   ----a-w   c:\windows\system32\ntkrnlpa.exe
2004-12-31 17:35   1,712,840   -c--a-w   c:\program files\MapsourceTutorial.exe
2003-09-08 16:20   1,782,840   -c--a-w   c:\program files\PPVIEWER.EXE
2003-08-27 21:19   36,963   -c----w   c:\program files\Common Files\SM1updtr.dll
2008-05-14 16:46   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051420080515\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24   576352   --a------   c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24   576352   --a------   c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24   576352   --a------   c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968]

c:\documents and settings\Dee Lytle\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-11-07 157000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^rppk.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wbtray.lnk]
backup=c:\windows\pss\wbtray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Doug&Dee^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS Client
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
--a------ 2001-03-27 17:00 102400 c:\program files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]
--a------ 2001-08-30 00:00 172122 c:\program files\Creative\SBLive\Creative Diagnostics 2.0\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-12-09 16:19 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-08-20 17:18 443968 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-08 20:13 1695744 c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2003-08-27 13:20 94208 c:\windows\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 00:00 90112 c:\windows\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2008-02-29 02:12 76304 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Speed Disk service"=2 (0x2)
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-08-05 160792]
R2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2008-11-07 10240]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
R2 WinBackupScheduler;WinBackup Scheduler;c:\program files\Uniblue\WinBackup 2.0\wbscheds.exe [2006-08-07 57344]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys [ ]
S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\User_Feed_Synchronization-{9F98E6E0-9E65-4AB8-AA4A-13D87773E786}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]

2007-04-26 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
HKU-Default-Run-Norton SystemWorks - c:\program files\Norton SystemWorks\cfgwiz.exe
Notify-= - (no file)
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
MSConfigStartUp-536W3FQ - webtname.exe
MSConfigStartUp-AUNPS2 - AUNPS2.DLL


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar =
O8 -: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 -: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
O8 -: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

O16 -: ppctlcab - hxxp://69.44.122.156/scanner/ppctlcab.cab
c:\windows\Downloaded Program Files\OSD406.OSD
c:\windows\Downloaded Program Files\ppctl.dll

O16 -: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://www.nevadadot.com/ACGM/Acgm.cab
c:\windows\Downloaded Program Files\acgm.inf
c:\windows\system32\msvcrt.dll
c:\windows\system32\snbdpl1.dll
c:\windows\system32\snbd10dm.dll
c:\windows\system32\igsnrn22.dll
c:\windows\system32\igsnpb22.dll
c:\windows\system32\igsnol22.dll
c:\windows\system32\igsncm22.dll
c:\windows\system32\browser.exa
c:\windows\system32\Acgm.Dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 10:26:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-11-14 10:32:27
ComboFix-quarantined-files.txt  2008-11-14 18:31:19

Pre-Run: 55,529,107,456 bytes free
Post-Run: 55,513,198,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

253   --- E O F ---   2008-11-12 16:52:08


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-14 10:50:29
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Fastfat \Fat     fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip     SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip     pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice  \Driver\Tcpip \Device\Tcp    SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp    pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice  \Driver\Tcpip \Device\Udp    SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp    pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice  \Driver\Tcpip \Device\RawIp  pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice  \Driver\Tcpip \Device\RawIp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.14 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:21 AM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Uniblue\WinBackup 2.0\wbscheds.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/?ppud=4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www6.comcast.net
O15 - Trusted Zone: http://www.eset.com
O15 - Trusted Zone: http://maps.live.com
O15 - Trusted Zone: http://www.spoiledmaltese.com
O15 - Trusted Zone: http://*.spoiledmaltese.com
O15 - Trusted Zone: http://*.spywarehammer.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ControlInstaller Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093994866449
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179961909765
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.nevadadot.com/ACGM/Acgm.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WinBackup Scheduler (WinBackupScheduler) - Uniblue Systems - C:\Program Files\Uniblue\WinBackup 2.0\wbscheds.exe

--
End of file - 11388 bytes
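The moderator's next step is to read the HijackThis O15/O16 entries above and pick out the ActiveX (DPF) controls worth removing. As an added example (not part of this thread, and not HijackThis's own code), the Python script below does that triage mechanically: it parses O16 lines, flags any control downloaded from a bare IP address (like the 69.44.122.156 entries in the log) or from a host that is not on an allow-list, and flags O15 Trusted Zone entries that use a wildcard, since those relax IE security for every subdomain. The allow-list `TRUSTED_HOSTS` is this example's assumption and should be tuned per machine; the sample input is a handful of lines copied from the log above so the script runs offline.

```python
"""Triage HijackThis O15/O16 lines: flag ActiveX (DPF) downloads from bare
IP addresses or hosts outside an allow-list, and wildcard Trusted Zone entries."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allow-list of vendors whose DPF controls are expected on this box.
# This is an assumption made for the example; tune it to the machine being cleaned.
TRUSTED_HOSTS = ("microsoft.com", "windowsupdate.com", "symantec.com", "macromedia.com")

# Sample input: lines copied from the HijackThis log in this thread, plus one
# O4 line that the triage should ignore, so the script runs offline.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://www.eset.com
O15 - Trusted Zone: http://*.spoiledmaltese.com
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093994866449
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.nevadadot.com/ACGM/Acgm.cab
"""

# O16 lines come as "{CLSID} (Friendly Name) - URL", or just "name - URL" when
# HijackThis could not resolve a CLSID (the ppctlcab entry above).
O16_RE = re.compile(r"^O16 - DPF: (?P<ident>\{[0-9A-Fa-f-]+\}|\S+)"
                    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")


def _is_bare_ip(host):
    """True when the download host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_trusted(host, trusted):
    """Exact or subdomain match against the allow-list."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def hjt_triage(log_text, trusted=TRUSTED_HOSTS):
    """Return findings as dicts with 'kind', 'host', 'reasons' and the raw 'line'."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            host = (urlsplit(m.group("url")).hostname or "").lower()
            reasons = []
            if _is_bare_ip(host):
                reasons.append("control downloaded from a bare IP address")
            elif not _is_trusted(host, trusted):
                reasons.append("download host not on the allow-list")
            if reasons:
                findings.append({"kind": "O16", "host": host, "reasons": reasons, "line": line})
            continue
        m = O15_RE.match(line)
        if m:
            host = re.sub(r"^[a-z]+://", "", m.group("site"), flags=re.I).lower()
            if host.startswith("*."):
                findings.append({"kind": "O15", "host": host, "line": line,
                                 "reasons": ["wildcard Trusted Zone relaxes IE security for every subdomain"]})
    return findings


def report(findings):
    """Human-readable lines, one per finding, in the order they appear in the log."""
    return [f"{f['kind']} {f['host']}: {'; '.join(f['reasons'])}" for f in findings]


if __name__ == "__main__":
    for row in report(hjt_triage(SAMPLE_HJT_LOG)):
        print(row)
```

Entries that survive the triage (the Windows Update control in the sample) are left alone; everything else is a candidate for the HijackThis "fix checked" list, which is still a human decision.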

Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] My internet running on its "Own"
« Reply #16 on: November 14, 2008, 01:29:46 PM »
Give me some time to review the logs.

Windows Installer does not run in safe mode, so you can run ComboFix from there if need be.

That is an OK message. Sometimes the GMER driver unloads itself and sometimes it does not.  The point is you do not want the driver loaded, and it is not.

GMER log is clean - no rootkits.

Please tell me what this is and why you have so many downloaded files from that site:
hxxp://www.nevadadot.com/
Microsoft MVP - Consumer Security 2006 - 2011
BITS and PC's

Offline 1dee1doug

  • Bronze Member
  • Posts: 14
Re: [In Progress] My internet running on its "Own"
« Reply #17 on: November 14, 2008, 02:14:19 PM »
nevadadot, I guess, would be because my husband is a truck driver and has been to the Nevada Dept. of Trans. website.  There does not have to be anything left on the computer for that site.  He can always go there to check roads any time.  He hasn't used Nevada for some time and may not go there again.  So I don't know why it shows up with a lot of files.

I haven't rebooted and don't have Spyware Doc running yet.  Just Norton 360.

Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] My internet running on its "Own"
« Reply #18 on: November 14, 2008, 04:59:50 PM »
You are looking pretty good now.

It looks like Combofix removed the installer you were talking about.

Are you still getting that?

I think it is safe to fix these in HJT because they seem mostly to be related to online scanners and nevadadot.com, but go thru them first:

Scan with HijackThis by clicking the "Scan" button and place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".


O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.nevadadot.com/ACGM/Acgm.cab

Close HJT


Open a command prompt (Start | run |type cmd and hit Enter)
  • Copy and paste the following text in the code box into a Notepad file
  • Adjust the Notepad format settings,  by making sure word wrap is unchecked (disabled)
  • Save the file to your desktop as fix.reg, making sure to set the "Save as file type" to "all files"
  • Exit the command prompt.
Code:
REGEDIT4

; Registry scripts need the full hive name and the expanded path; the "~"
; shorthand seen in ComboFix logs stands for SYSTEM\CurrentControlSet.
; The "=-" after the value name deletes that firewall exception entry.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=-

Double-click the fix.reg (aqua blocks) icon on your desktop to execute the registry script.

Note: You must make sure Norton script blocking is disabled, before running fix.reg

Remove any tasks related to XoftSpy in the Task Mgr (Control Panel -> Scheduled Tasks):
c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []

Reboot and post a new HJT log
Microsoft MVP - Consumer Security 2006 - 2011
BITS and PC's
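The O16 review above (ActiveX controls IE downloaded, judged by where their CAB files came from) can be automated for triage. This is an added example, not code from the thread or from HijackThis; the trusted-domain list is an assumption, and the sample lines are constructed from the entry formats seen in the logs here.

```python
"""Triage HijackThis O16 (DPF / downloaded ActiveX) entries.

Flags controls served from a raw IP address, fetched over plain HTTP,
or hosted on a domain outside a small allowlist (assumed for this example).
"""
import ipaddress
import re
from urllib.parse import urlparse

# O16 line: "O16 - DPF: {CLSID} (Name) - URL"; CLSID or name may be missing,
# and some entries carry a short alias instead of a CLSID (e.g. "ppctlcab").
O16_RE = re.compile(
    r"^O16 - DPF: (?:(?P<clsid>\{[0-9A-Fa-f-]+\})|(?P<alias>\S+))?"
    r"\s*(?:\((?P<name>[^)]*)\))?\s*-\s*(?P<url>\S+)$"
)

# Assumption: vendors whose CAB hosts are treated as known-good here.
TRUSTED_SUFFIXES = ("microsoft.com", "symantec.com", "macromedia.com")

# Constructed sample log lines, modelled on the entries in this thread.
SAMPLE_LOG = [
    "O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar4.dll",
    "O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab",
    "O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab",
    "O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.nevadadot.com/ACGM/Acgm.cab",
]


def parse_o16(line):
    """Return the CLSID, control name and URL of an O16 line, else None."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    return {"clsid": m.group("clsid"), "name": m.group("name"), "url": m.group("url")}


def triage_o16(line):
    """Parse one O16 line and attach the list of reasons it deserves review."""
    entry = parse_o16(line)
    if entry is None:
        return None
    parts = urlparse(entry["url"])
    host = parts.hostname or ""
    reasons = []
    try:
        ipaddress.ip_address(host)          # a bare IP instead of a vendor domain
        reasons.append("served from raw IP address")
    except ValueError:
        pass
    if parts.scheme != "https":
        reasons.append("fetched over plain HTTP")
    if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        reasons.append("host not in trusted list")
    entry.update(host=host, reasons=reasons)
    return entry


def review_log(lines):
    """Return only the O16 entries that have at least one review reason."""
    entries = (triage_o16(l) for l in lines)
    return [e for e in entries if e is not None and e["reasons"]]


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(e["host"], "->", "; ".join(e["reasons"]))
```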

Offline 1dee1doug

  • Bronze Member
  • Posts: 14
Re: [In Progress] My internet running on it's "Own"
« Reply #19 on: November 14, 2008, 05:17:49 PM »
1. What is the Norton Script blocking?  I won't try to do the fix.reg until I hear from you.

2. Anything I click on in the Norton 360 menus doesn't work.  I get the "installing" then asking for the ccCommon.

The main screen for the Norton program looks normal, it says "You are Protected" but otherwise isn't operating if I ask for anything.  It is looking like I'll have to uninstall all Norton and reinstall.  I don't have the disk to the new version of 360, I downloaded it.  I have the key.


Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] My internet running on it's "Own"
« Reply #20 on: November 14, 2008, 05:39:23 PM »
Quote
1. What is the Norton Script blocking?  I won't try to do the fix.reg until I hear from you.

You may or may not have it, but you should run the fix.reg anyway, and you'll know if it doesn't go thru.  If it works correctly, you will get a message saying the information was successfully added to the registry.

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001082912274906

Quote
2. Anything I click on in the Norton 360 menus doesn't work.  I get the "installing" then asking for the ccCommon.

The main screen for the Norton program looks normal, it says "You are Protected" but otherwise isn't operating if I ask for anything.  It is looking like I'll have to uninstall all Norton and reinstall.  I don't have the disk to the new version of 360, I downloaded it.  I have the key.

When did this start happening?  Since you do have the key it is best to remove and reinstall.

Please post this file:
C:\Qoobox\ComboFix-quarantined-files.txt

This will show everything CF removed.
« Last Edit: November 14, 2008, 05:46:14 PM by negster22 »
Microsoft MVP - Consumer Security 2006 - 2011
BITS and PC's

Offline 1dee1doug

  • Bronze Member
  • Posts: 14
Re: [In Progress] My internet running on it's "Own"
« Reply #21 on: November 14, 2008, 05:56:30 PM »
Re: Script blocking......only control in 360 is "Enable Auto Protect" and "Enable Firewall".

Re: ccCommon requested........it started coming onto the desktop last night when booting.  Today after I did the things you asked and I got things running again it happens on all the Norton menus.  That may have been the case since last night also, but I didn't try asking for anything from Norton 360 menus until now.


Offline 1dee1doug

  • Bronze Member
  • Posts: 14
Re: [In Progress] My internet running on it's "Own"
« Reply #22 on: November 14, 2008, 06:55:30 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:34 PM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Uniblue\WinBackup 2.0\wbscheds.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/?ppud=4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www6.comcast.net
O15 - Trusted Zone: http://www.eset.com
O15 - Trusted Zone: http://maps.live.com
O15 - Trusted Zone: http://www.spoiledmaltese.com
O15 - Trusted Zone: http://*.spoiledmaltese.com
O15 - Trusted Zone: http://*.spywarehammer.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ControlInstaller Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093994866449
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179961909765
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WinBackup Scheduler (WinBackupScheduler) - Uniblue Systems - C:\Program Files\Uniblue\WinBackup 2.0\wbscheds.exe

--
End of file - 10953 bytes

Offline 1dee1doug

  • Bronze Member
  • Posts: 14
Re: [In Progress] My internet running on it's "Own"
« Reply #23 on: November 16, 2008, 12:33:39 PM »
Consider me checking out.  I've reinstalled Norton 360 since my last HJT posted here, and everything seems O.K.  It got rid of the hunting for ccCommon.  I've got both Spyware Doc and Norton 360 running.
Thanks for the help Nancy.

Offline negster22

  • Global Moderator
  • Platinum Member
  • Posts: 3624
    • Secure Computer Solutions
Re: [In Progress] My internet running on it's "Own"
« Reply #24 on: November 18, 2008, 09:44:39 AM »
Hello 1dee1doug - Sorry I did not reply sooner but I missed notification that you had replied. I'm glad that things are back to normal now.

Doing the following will quickly remove the tools we used to clean you up:

Click start -> run, then copy and paste the following line into the Open box and click OK.

ComboFix /u

Please download OTCleanIt by OldTimer

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet -  allow this.  A file called cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

Please read this material on how to Prevent Reinfection. It will describe important safety measures you can implement to keep your system secure, and provide safe surfing tips.  You should follow the directions on setting a new system restore point, and install the passive preventative protection that is suggested in the article such as SpywareBlaster, and the MVPS Host file.

Safe Surfing!
Microsoft MVP - Consumer Security 2006 - 2011
BITS and PC's