Help removing w32.pinfi
   

pepperbell12
New Member


Date Joined Nov 2008
Total Posts : 4
 
Posted 11-14-2008 4:12 (GMT +1)
Norton keeps blocking w32.pinfi virus. I can't seem to get rid of it. I may have another virus possibly also because it originally deleted all of my desktop, but I was able to bring it all back except a few that won't run. Any help would be appreciated.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 11-14-2008 8:35 (GMT +1)
Hello :)
 
 
and save it on the desktop. Then double click on it (Fix_download.exe).
You may have to allow the program to download files from the web! 

The program downloads the necessary cleaning programs. Once the program is downloaded, there will be a folder on your desktop named Fix. If the instructions do not open automatically, double-click "FIX_manual.htm" in the Fix folder.

Please follow the instructions and copy the logs here, in this Topic.
 
Note: Fix_download.exe is detected by some antivirus programs as a "RiskTool"/infection; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


 

If necessary, temporarily disable your anti-virus, real-time protection before downloading


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 

pepperbell12
New Member


Date Joined Nov 2008
Total Posts : 4
 
Posted 11-14-2008 7:53 (GMT +1)
Thank you for helping me try and resolve this issue with my computer. I have done all of the steps and here are the logs for all of them. The computer is extremely slow and it took forever to do the scans.
Malware Bytes log:
Malwarebytes' Anti-Malware 1.30
Database version: 1397
Windows 5.1.2600 Service Pack 2
11/14/2008 12:04:56 PM
mbam-log-2008-11-14 (12-04-56).txt
Scan type: Full Scan (C:\|)
Objects scanned: 98452
Time elapsed: 2 hour(s), 55 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Combofix log:
ComboFix 08-11-12.02 - Laptop User 2008-11-14 12:36:42.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.542 [GMT -5:00]
Running from: c:\documents and settings\Laptop User\Desktop\FIX\ComboFix.exe
 * Created a new restore point
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Laptop User\Application Data\FunWebProducts
c:\windows\system32\drivers\fad.sys
.
(((((((((((((((((((((((((   Files Created from 2008-10-14 to 2008-11-14  )))))))))))))))))))))))))))))))
.
2008-11-14 08:50 . 2008-11-14 08:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 08:50 . 2008-11-14 08:50 <DIR> d-------- c:\documents and settings\Laptop User\Application Data\Malwarebytes
2008-11-14 08:50 . 2008-11-14 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 08:50 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-14 08:50 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 23:45 . 2008-11-14 12:11 <DIR> d-------- C:\cb53ed9d2284794233f764b9
2008-11-13 16:28 . 2008-11-13 23:27 <DIR> d-------- C:\9d07d0c3ff8fb7c32482bb8cbc36
2008-11-13 13:59 . 2008-11-13 13:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-13 09:33 . 2008-11-13 09:31 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-13 09:31 . 2008-11-13 09:36 <DIR> d-------- c:\documents and settings\Laptop User\.housecall6.6
2008-11-13 08:36 . 2006-05-16 18:11 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-11-11 14:59 . 2008-11-11 14:59 <DIR> d-------- c:\program files\Symantec
2008-11-11 14:59 . 2008-11-11 15:01 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-11 14:59 . 2008-11-11 14:59 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-11 14:59 . 2008-11-11 14:59 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-11 14:59 . 2008-11-11 14:59 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-11-11 14:59 . 2008-11-11 14:59 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-11 14:59 . 2008-11-11 14:59 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-11 14:58 . 2008-11-13 23:30 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-11 14:58 . 2008-11-11 14:58 <DIR> d-------- c:\program files\Windows Sidebar
2008-11-11 14:58 . 2008-11-11 14:58 <DIR> d-------- c:\program files\Norton AntiVirus
2008-11-11 14:57 . 2008-11-11 14:57 <DIR> d-------- c:\program files\NortonInstaller
2008-11-11 14:57 . 2008-11-11 14:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-11 14:57 . 2008-11-11 15:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-11 08:38 . 2008-11-11 08:38 <DIR> d-------- c:\documents and settings\Administrator
2008-11-11 08:15 . 2008-11-11 08:15 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-10 22:47 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2008-11-10 22:47 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2008-11-10 22:43 . 2008-11-10 22:43 <DIR> d-------- c:\program files\Lavasoft
2008-11-10 22:43 . 2008-11-10 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-10 22:42 . 2008-11-10 22:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-08 10:30 . 2008-11-08 19:11 <DIR> d-------- c:\documents and settings\Laptop User\Application Data\ZoomBrowser EX
2008-11-07 17:19 . 2008-11-07 17:19 <DIR> d-------- c:\documents and settings\Laptop User\Application Data\Arcsoft
2008-11-07 17:19 . 2008-11-07 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\ArcSoft
2008-11-07 17:17 . 2008-11-07 17:18 <DIR> d-------- c:\program files\Common Files\ArcSoft
2008-10-30 16:46 . 2008-10-30 16:46 <DIR> d-------- c:\program files\APTE Software
2008-10-26 18:29 . 2008-10-26 18:30 664 --a------ c:\windows\system32\d3d9caps.dat
2008-10-24 09:36 . 2008-11-08 10:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-10-24 09:35 . 2008-10-24 09:39 <DIR> d-------- c:\program files\Canon
2008-10-24 08:55 . 2008-10-24 08:55 <DIR> d-------- c:\program files\Common Files\Canon
2008-10-21 13:57 . 2008-10-21 13:57 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-10-21 13:57 . 2008-10-21 13:57 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-10-21 13:52 . 2008-10-21 13:52 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-10-21 13:47 . 2008-03-21 12:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2008-10-21 13:47 . 2008-10-21 13:47 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-10-21 13:47 . 2008-10-21 13:47 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-10-21 13:46 . 2008-11-13 08:45 <DIR> d-------- c:\program files\Zune
2008-10-21 13:45 . 2008-05-02 04:05 62,592 -----c--- c:\windows\system32\dllcache\cdrom.sys
2008-10-21 13:44 . 2008-05-02 08:30 464,384 --------- c:\windows\system32\imapi2fs.dll
2008-10-21 13:44 . 2008-05-02 08:30 464,384 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2008-10-21 13:44 . 2008-05-02 08:30 317,952 --------- c:\windows\system32\imapi2.dll
2008-10-21 13:44 . 2008-05-02 08:30 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
2008-10-21 13:41 . 2008-10-21 13:41 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-21 13:41 . 2008-11-13 08:45 <DIR> d-------- c:\windows\system32\drivers\UMDF
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 14:57 --------- d-----w c:\documents and settings\Laptop User\Application Data\FrostWire
2008-11-11 21:44 --------- d-----w c:\program files\FaxTools
2008-11-11 20:22 --------- d-----w c:\program files\QuickTime
2008-11-11 20:22 --------- d-----w c:\program files\PictureProject In Touch Downloader
2008-11-11 20:22 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint
2008-11-11 20:01 352,214 ----a-w c:\windows\system32\LEXPPS.EXE
2008-11-10 00:49 --------- d-----w c:\documents and settings\Laptop User\Application Data\OpenOffice.org2
2008-11-07 22:21 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-11-07 22:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 22:17 --------- d-----w c:\program files\ArcSoft
2008-11-07 22:16 --------- d-----w c:\program files\Kodak
2008-11-07 22:14 --------- d-----w c:\program files\Common Files\Kodak
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-11 20:04 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-10-11 20:02 --------- d-----w c:\documents and settings\Laptop User\Application Data\muvee Technologies
2008-10-11 19:56 --------- d-----w c:\documents and settings\All Users\Application Data\muvee Technologies
2008-10-11 18:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2008-10-02 12:34 --------- d-----w c:\documents and settings\Laptop User\Application Data\Apple Computer
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-22 00:05 --------- d-----w c:\program files\MySpace
2008-09-22 00:05 --------- d-----w c:\documents and settings\Laptop User\Application Data\MySpace
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-27 20:19 581,192 ----a-w c:\windows\system32\WinUSBCoInstaller.dll
2008-08-27 20:19 1,302,600 ----a-w c:\windows\system32\WUDFUpdate_01007.dll
2008-08-27 20:18 1,112,288 ----a-w c:\windows\system32\WdfCoInstaller01007.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 05:46 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-08-12 1655552]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-01 282624]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-09-27 162304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-09-01 118784]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Laptop User\\My Documents\\My Music\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NAV\1001000.021\BHDrvx86.sys [2008-11-04 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NAV\1001000.021\ccHPx86.sys [2008-11-11 362544]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-08-12 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-08-12 24208]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081112.001\IDSxpx86.sys [2008-11-11 274808]
R2 ACDaemon;ArcSoft Connect Daemon;c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2008-09-23 109056]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe /s Norton AntiVirus /m c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll [ ]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]
S2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [ ]
S3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\PCX504.sys [2004-05-04 119296]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS [ ]
.
Contents of the 'Scheduled Tasks' folder
2008-11-07 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 07:00]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-bascstray - BascsTray.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &Search
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: {D2349304-8F9E-4A54-ACF6-0F6104B44209} - hxxp://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
c:\windows\Downloaded Program Files\Sketch.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 12:47:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\COMODO\Firewall\cmdagent.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Lexmark X5100 Series\lxbabmon.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-11-14 12:57:28 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-14 17:56:24
Pre-Run: 23,694,188,544 bytes free
Post-Run: 23,678,750,720 bytes free
204 --- E O F --- 2008-11-13 20:54:31
Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:21 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Laptop User\Desktop\FIX\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1220400588330&h=a9678326cebcb227a0d34b123daee7ad/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} (SketchCtl.Pic1) - http://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 8814 bytes
 
 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 11-15-2008 8:39 (GMT +1)
How are things running now?


 

pepperbell12
New Member


Date Joined Nov 2008
Total Posts : 4
 
Posted 11-15-2008 2:35 (GMT +1)
The computer is still pretty slow, but I haven't gotten anything popped up from Norton saying it has removed the pinfi. I didn't remove anything when I ran hijackthis, I didn't know if I was supposed to or not.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 11-16-2008 6:48 (GMT +1)
No need to fix anything in the hijackthis log, as it looks clean.
 
See if these tips can improve performance ->
 
 
 
If your computer problems are solved, it is time for the clean-up procedure. Download this file and save it on desktop as FIX_removal.exe

http://www.ctrlaltdel.dk/FIX_removal.exe

Double click FIX_removal.exe and follow the instructions - this will remove the programs that you have used during the cleaning process. Once the program is finished, reboot your computer to finalise the clean-up procedure.


I also suggest you read Tony Klein's article:


 

pepperbell12
New Member


Date Joined Nov 2008
Total Posts : 4
 
Posted 11-18-2008 10:22 (GMT +1)
Thank you so much! Seems to run a little better and faster now that I did what they say in the article. Thank you for your help, I appreciate it.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
Posted 11-19-2008 1:35 (GMT +1)
My pleasure :)
 
 
Since this issue appears to be resolved ... this Topic has been closed.
If you need this topic reopened, please contact me with the address of the thread.
Thank you!
 

