spuncrazy

A kid got on our computer at a party, popups galore.

24 posts in this topic

Just got done cleaning with the help of Nasdaq. A kid got on our computer at a party and did something; now there are redirects and popups galore. I tried to put the log back to the most recent clean log but it is not working.

Here is my current log.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:09:56 PM, on 6/13/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\QuickTime\bak\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\MBOLS~1\taskmgr.exe

C:\Program Files\CConnect\CConnect.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\jnfpcurk.dll",realset

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [unse] "C:\WINDOWS\System32\MBOLS~1\taskmgr.exe" -vt yazb

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179187324923

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - - (file missing)

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG90aCBGYW1pbHk\command.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

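A log like the one above is read by eye by the forum helpers. As an added example (not code from the thread, from spuncrazy, or from HijackThis), the Python script below runs a few of those checks mechanically over a constructed excerpt of that log: a Windows system binary name such as taskmgr.exe running from somewhere other than C:\WINDOWS\system32, a rundll32.exe entry loading a DLL with a random-looking lowercase name, an O23 service line that is "(file missing)" or "Unknown owner", and a directory name that is valid base64 for printable text (C:\WINDOWS\VG90aCBGYW1pbHk decodes to the account name "Toth Family" that appears in the ComboFix header later in the thread). The function and regex names are the example's own, and every hit is a prompt to look, not a verdict: the ccEvtMgr entry it flags is a Symantec service that is present again in the later log.

```python
"""Triage checks for a HijackThis-style log (added example; not part of the thread or of HijackThis)."""
import base64
import re
import string

# Constructed excerpt: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MBOLS~1\taskmgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\jnfpcurk.dll",realset
O4 - HKCU\..\Run: [unse] "C:\WINDOWS\System32\MBOLS~1\taskmgr.exe" -vt yazb
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - - (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG90aCBGYW1pbHk\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Binaries that belong in %SystemRoot%\system32 on XP; a copy elsewhere deserves a look.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "taskmgr.exe", "spoolsv.exe"}

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+')        # crude drive-letter path matcher
LOWER_DLL_RE = re.compile(r'^[a-z]{7,9}\.dll$')     # jnfpcurk.dll-style names (weak heuristic)
B64_NAME_RE = re.compile(r'^[A-Za-z0-9+/]{12,}$')  # base64 alphabet, long enough to be deliberate


def in_system32(parts):
    r"""True if the path's directory is exactly <drive>:\WINDOWS\system32 (case-insensitive)."""
    return "\\".join(parts[:-1]).lower().endswith(":\\windows\\system32")


def decode_dirname(name):
    """Return the text a directory name encodes if it is base64 for printable ASCII,
    else None. Padding is re-added because the name may have been stored without '='."""
    if not B64_NAME_RE.match(name):
        return None
    padded = name + "=" * (-len(name) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if text and all(ch in string.printable for ch in text):
        return text
    return None


def analyze(log_text):
    """Return (check, detail, line) triples for every log line that trips a check."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        for path in PATH_RE.findall(line):
            parts = path.split("\\")
            base = parts[-1]
            if base.lower() in SYSTEM_BINARIES and not in_system32(parts):
                findings.append(("misplaced-system-binary", path, line))
            if "rundll32" in line.lower() and LOWER_DLL_RE.match(base):
                findings.append(("rundll32-random-dll", path, line))
            for comp in parts[1:-1]:            # directory components only
                text = decode_dirname(comp)
                if text is not None:
                    findings.append(("base64-dirname", f"{comp} = {text!r}", line))
        if line.startswith("O23") and ("(file missing)" in line or "Unknown owner" in line):
            findings.append(("service-anomaly", line.split(" - ")[1], line))
    return findings


def summarize_log(log_text):
    """Count findings per check so a reviewer sees what to look at first."""
    counts = {}
    for check, _detail, _line in analyze(log_text):
        counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    for check, detail, line in analyze(SAMPLE_LOG):
        print(f"[{check}] {detail}\n    {line}")
    print(summarize_log(SAMPLE_LOG))
```

Run as-is it prints each hit with the line that caused it; to use it on a full log, pass the file contents to analyze() instead of SAMPLE_LOG. The base64 check is the one worth keeping in mind from this thread: a hidden folder named after the encoded account name is easy to miss when skimming an O23 line.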

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello,

 

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1 for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

 

Click here to get Service Pack 1

 

Warning: You must only update to Service Pack 1, and not Service Pack 2. Doing this before your computer is clean can cause Windows to become unstable. We will update to SP2 after the log is clean.

 

After you have updated your computer to SP1, please restart your computer and post a new HJT log. Then we'll start from there.


Hello,

I was given this computer from a relative who got a new system.

When I tried to add the service pack, it said there was a validation problem.

My relative has put all the software and codes in the mail to me.

I will add the service packs after I receive the package.

 

Is there any work I can do to start the cleanup?

Thanks


Hmm, this rather smells like an illegal version of XP :(

 

Anyway, do next please..

 

* Download Combofix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


Here you go

 

ComboFix 07-06-13.3 - C:\Documents and Settings\Toth Family\Desktop\ComboFix.exe

"Toth Family" - 2007-06-17 17:49:52 NTFS

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\gqjyshoj.dll

C:\WINDOWS\system32\kuwejski.dll

C:\WINDOWS\system32\opyrrcmv.dll

C:\WINDOWS\system32\pvqefath.dll

C:\WINDOWS\system32\qbreonwc.dll

C:\WINDOWS\system32\fccyxwu.dll

C:\WINDOWS\system32\qomjjkh.dll

C:\WINDOWS\system32\urqomjj.dll

C:\WINDOWS\system32\johsyjqg.ini

C:\WINDOWS\system32\iksjewuk.ini

C:\WINDOWS\system32\htafeqvp.ini

C:\WINDOWS\system32\cwnoerbq.ini

C:\WINDOWS\system32\prsut.bak1

C:\WINDOWS\system32\prsut.bak2

C:\WINDOWS\system32\prsut.ini

C:\WINDOWS\system32\prsut.bak1

C:\WINDOWS\system32\prsut.bak2

C:\WINDOWS\system32\prsut.ini

C:\WINDOWS\system32\tusrp.dll

C:\WINDOWS\system32\opnlmnk.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\icroso~1

C:\Program Files\Common Files\icroso~1\s?oolsv.exe

C:\Program Files\Common Files\pppatc~1

C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe

C:\Program Files\outerinfo

C:\Program Files\outerinfo\OiUninstaller.exe

C:\Program Files\outerinfo\outerinfo.ico

C:\Program Files\outerinfo\Terms.rtf

C:\Temp\0b9

C:\Temp\0b9\tmpTF.log

C:\Temp\tn3

C:\WINDOWS\b136.exe

C:\WINDOWS\cs_cache.ini

C:\WINDOWS\rau001978.exe

C:\WINDOWS\retadpu1000106.exe

C:\WINDOWS\server.exe

C:\WINDOWS\svchost.exe

C:\WINDOWS\system32\0p45Ao47.exe

C:\WINDOWS\system32\bA43g3b6.exe

C:\WINDOWS\system32\driverl.dll

C:\WINDOWS\system32\driverl.exe

C:\WINDOWS\system32\drivers\core.cache.dsk

C:\WINDOWS\system32\drivers\core.sys

C:\WINDOWS\system32\mbols~1

C:\WINDOWS\system32\mbols~1\taskmgr.exe

C:\WINDOWS\system32\mp43.exe

C:\WINDOWS\system32\pog

C:\WINDOWS\system32\T3

C:\WINDOWS\system32\T3\am67.exe

C:\WINDOWS\system32\T4

C:\WINDOWS\system32\T4\amst5.exe

C:\WINDOWS\system32\wnsapisv.exe

C:\WINDOWS\tasks\At1.job

C:\WINDOWS\tasks\At10.job

C:\WINDOWS\tasks\At11.job

C:\WINDOWS\tasks\At12.job

C:\WINDOWS\tasks\At13.job

C:\WINDOWS\tasks\At14.job

C:\WINDOWS\tasks\At15.job

C:\WINDOWS\tasks\At16.job

C:\WINDOWS\tasks\At17.job

C:\WINDOWS\tasks\At18.job

C:\WINDOWS\tasks\At19.job

C:\WINDOWS\tasks\At2.job

C:\WINDOWS\tasks\At20.job

C:\WINDOWS\tasks\At21.job

C:\WINDOWS\tasks\At22.job

C:\WINDOWS\tasks\At23.job

C:\WINDOWS\tasks\At24.job

C:\WINDOWS\tasks\At25.job

C:\WINDOWS\tasks\At26.job

C:\WINDOWS\tasks\At27.job

C:\WINDOWS\tasks\At28.job

C:\WINDOWS\tasks\At29.job

C:\WINDOWS\tasks\At3.job

C:\WINDOWS\tasks\At30.job

C:\WINDOWS\tasks\At31.job

C:\WINDOWS\tasks\At32.job

C:\WINDOWS\tasks\At33.job

C:\WINDOWS\tasks\At34.job

C:\WINDOWS\tasks\At35.job

C:\WINDOWS\tasks\At36.job

C:\WINDOWS\tasks\At37.job

C:\WINDOWS\tasks\At38.job

C:\WINDOWS\tasks\At39.job

C:\WINDOWS\tasks\At4.job

C:\WINDOWS\tasks\At40.job

C:\WINDOWS\tasks\At41.job

C:\WINDOWS\tasks\At42.job

C:\WINDOWS\tasks\At43.job

C:\WINDOWS\tasks\At44.job

C:\WINDOWS\tasks\At45.job

C:\WINDOWS\tasks\At46.job

C:\WINDOWS\tasks\At47.job

C:\WINDOWS\tasks\At48.job

C:\WINDOWS\tasks\At5.job

C:\WINDOWS\tasks\At6.job

C:\WINDOWS\tasks\At7.job

C:\WINDOWS\tasks\At8.job

C:\WINDOWS\tasks\At9.job

C:\WINDOWS\wr.txt

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_CMDSERVICE

-------\LEGACY_CORE

-------\LEGACY_NETWORK_MONITOR

-------\LEGACY_NET_AGENT

-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS

-------\cmdService

-------\core

-------\Net Agent

 

 

((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))

 

 

2007-06-17 17:26 <DIR> d-------- C:\Program Files\SymNetDrv

2007-06-17 12:21 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys

2007-06-17 12:21 <DIR> d-------- C:\Program Files\Norton AntiVirus

2007-06-16 20:56 6,743 --a------ C:\syshfbr.exe

2007-06-16 20:43 60,928 --a------ C:\WINDOWS\system32\rsgb.dll

2007-06-16 04:28 97,792 --a-s---- C:\WINDOWS\system32\monterreyl_ingen.exe

2007-06-16 04:28 8,704 --a------ C:\WINDOWS\system32\regapi.exe

2007-06-14 22:58 14,390 --a------ C:\sysscio.exe

2007-06-13 18:31 62,516 --a------ C:\WINDOWS\system32\cboyejuh.dll

2007-06-13 12:10 122,880 --a------ C:\WINDOWS\xmlhelper.dll

2007-06-12 11:29 <DIR> d-------- C:\WINDOWS\miuu

2007-06-12 11:29 <DIR> d-------- C:\Program Files\Common Files\miuu

2007-06-12 11:14 <DIR> d--hs---- C:\WINDOWS\VG90aCBGYW1pbHk

2007-06-09 18:34 2,580 --a------ C:\WINDOWS\system32\ajuofriy.exe

2007-06-09 18:19 929 --a------ C:\WINDOWS\system32\winpfz32.sys

2007-06-09 18:14 102,400 --a------ C:\WINDOWS\MBDownloader_876916.exe

2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\TQ0

2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T7

2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T6

2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T5

2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ

2007-06-09 18:14 <DIR> d-------- C:\Temp\x2b

2007-06-09 18:14 <DIR> d-------- C:\Temp

2007-06-06 10:00 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-18 00:34:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-18 00:26:33 -------- d-----w C:\Program Files\Symantec

2007-06-10 13:25:23 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat

2007-05-18 01:51:21 -------- d-----w C:\Program Files\TrojanHunter 4.6

2007-05-15 00:02:46 -------- d--h--w C:\Program Files\WindowsUpdate

2007-05-10 23:51:58 -------- d-----w C:\DOCUME~1\TOTHFA~1\APPLIC~1\AdobeUM

2007-05-08 01:44:27 126,464 ----a-w C:\WINDOWS\system32\vemrndma.dll

2007-05-01 12:41:50 99,840 ----a-w C:\WINDOWS\system32\rlbtpcun.dll

2007-05-01 12:41:49 43,520 ----a-w C:\WINDOWS\system32\nyvcyffa.dll

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-09 22:59:29 21,244 ---ha-w C:\WINDOWS\system32\mlfcache.dat

2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll

2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll

2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\VG90aCBGYW1pbHk\p36XuF13sqYDvJ4.vbs

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-07 11:09]

{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 02:04]

{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\System32\cboyejuh.dll [2007-06-13 18:31]

{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper.dll [2007-06-13 12:10]

{93781A6E-D4AF-FA2F-D907-8CADDB91219F}=C:\WINDOWS\System32\rsgb.dll [2007-05-21 06:59]

{9577C9FD-7E78-487E-A9E0-23B8C5799A04}=C:\WINDOWS\System32\xtatelwp.dll []

{A379A635-9340-4BCA-8E44-F33F0C55E172}=C:\WINDOWS\System32\xtatelwp.dll []

{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []

"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []

"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2006-10-25 19:58]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]

"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2005-07-29 10:35]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-06-17 17:26]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe" []

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

"Unse"="C:\WINDOWS\System32\MBOLS~1\taskmgr.exe" []

"Kmggsn"="C:\Program Files\Common Files\?icrosoft\s?oolsv.exe" []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

"svchost"=C:\WINDOWS\svchost.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs

dmfdjzjr

 

 

Contents of the 'Scheduled Tasks' folder

2007-04-04 13:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-16 03:00:01 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Toth Family.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-17 18:02:46

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

C:\WINDOWS\temp

 

scan completed successfully

hidden files: 1

 

**************************************************************************

 

Completion time: 2007-06-17 18:03:32 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-17 18:03

 

--- E O F ---


Hello,

I can't get a HJT log. I run the scan and save a log. As soon as it is finished it just disappears. If I run just the scan I can't save or copy. My hjt has never done this before.


Hi,

 

This is a really nasty log.... I see more malware present than anything else...

Is Norton still up to date here? Because I actually cannot believe it left so much malware undetected...

 

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

 

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

 

 

We'll see afterwards if HijackThis will open after performing next steps...

 

Do next in the right order please..

 

Instructions to upload the xmlhelper.dll file removed - this is to prevent the many people who are watching this thread from uploading it as well..

 

*Please download SvcQuery.exe

  • Save it to your desktop.
  • Double click SvcQuery.exe
  • When prompted to enter a service name, enter dmfdjzjr
  • Type "y" to confirm.
  • When done, it shall present a log, I need that log later.

Then,

 

* Open Notepad and copy/paste the text in the quote box below into it:

 

File::

C:\syshfbr.exe

C:\WINDOWS\system32\rsgb.dll

C:\WINDOWS\system32\monterreyl_ingen.exe

C:\WINDOWS\system32\regapi.exe

C:\sysscio.exe

C:\WINDOWS\system32\cboyejuh.dll

C:\WINDOWS\xmlhelper.dll

C:\WINDOWS\system32\ajuofriy.exe

C:\WINDOWS\system32\winpfz32.sys

C:\WINDOWS\MBDownloader_876916.exe

C:\WINDOWS\system32\vemrndma.dll

C:\WINDOWS\system32\rlbtpcun.dll

C:\WINDOWS\system32\nyvcyffa.dll

 

Folder::

C:\WINDOWS\system32\TQ0

C:\WINDOWS\system32\T7

C:\WINDOWS\system32\T6

C:\WINDOWS\system32\T5

C:\WINDOWS\system32\T1QaSQ

C:\Temp

C:\WINDOWS\VG90aCBGYW1pbHk

C:\WINDOWS\miuu

C:\Program Files\Common Files\miuu

 

Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93781A6E-D4AF-FA2F-D907-8CADDB91219F}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9577C9FD-7E78-487E-A9E0-23B8C5799A04}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A379A635-9340-4BCA-8E44-F33F0C55E172}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Unse"=-

"Kmggsn"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

"svchost"=-

 

Save this as ComboFix-Do.txt

 

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

 

[screenshot: Combo-Do.gif]

 

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log and the log from SvcQuery.

Edited by miekiemoes

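A ComboFix script of this kind deletes whatever it lists, so it is worth knowing exactly what it will do before dragging it onto ComboFix.exe. As an added example (not ComboFix's own code and not from the helper), this Python reader parses the script posted above, copied verbatim, into a plan: File:: and Folder:: entries, registry keys removed with the [-KEY] form and values removed with the "name"=- form of .reg syntax, values that would be set rather than removed, and anything it cannot classify so nothing is silently skipped. It also picks out Folder:: entries sitting directly under a drive root, since those remove a whole top-level tree (here C:\Temp, which the follow-up ComboFix log indeed shows gone). The parse_cfscript, shallow_folders and summarize_plan names are the example's own.

```python
"""Dry-run reader for a ComboFix script (CFScript). Added example; not ComboFix's own code."""
import re

# The script the helper posted in this thread, copied verbatim.
CFSCRIPT = r"""File::
C:\syshfbr.exe
C:\WINDOWS\system32\rsgb.dll
C:\WINDOWS\system32\monterreyl_ingen.exe
C:\WINDOWS\system32\regapi.exe
C:\sysscio.exe
C:\WINDOWS\system32\cboyejuh.dll
C:\WINDOWS\xmlhelper.dll
C:\WINDOWS\system32\ajuofriy.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\MBDownloader_876916.exe
C:\WINDOWS\system32\vemrndma.dll
C:\WINDOWS\system32\rlbtpcun.dll
C:\WINDOWS\system32\nyvcyffa.dll

Folder::
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T5
C:\WINDOWS\system32\T1QaSQ
C:\Temp
C:\WINDOWS\VG90aCBGYW1pbHk
C:\WINDOWS\miuu
C:\Program Files\Common Files\miuu

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93781A6E-D4AF-FA2F-D907-8CADDB91219F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9577C9FD-7E78-487E-A9E0-23B8C5799A04}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A379A635-9340-4BCA-8E44-F33F0C55E172}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unse"=-
"Kmggsn"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost"=-
"""

SECTION_RE = re.compile(r'^(\w+)::$')               # File:: / Folder:: / Registry::
KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')     # [KEY] opens a key, [-KEY] deletes it
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')          # "name"=data ; data "-" deletes the value
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_cfscript(text):
    """Turn a CFScript into a plan of what gets deleted where.
    Lines that cannot be classified land in 'unknown' instead of being dropped."""
    plan = {"files": [], "folders": [], "delete_keys": [],
            "delete_values": [], "set_values": [], "unknown": []}
    section, current_key = None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section in ("file", "folder"):
            bucket = "files" if section == "file" else "folders"
            (plan[bucket] if DRIVE_PATH_RE.match(line) else plan["unknown"]).append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                if m.group(1):                 # [-KEY]: the whole key goes
                    plan["delete_keys"].append(m.group(2))
                    current_key = None
                else:                          # [KEY]: following value lines apply here
                    current_key = m.group(2)
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                name, data = m.groups()
                target = "delete_values" if data == "-" else "set_values"
                plan[target].append((current_key, name, data))
            else:
                plan["unknown"].append(line)
        else:
            plan["unknown"].append(line)
    return plan


def shallow_folders(plan):
    """Folder:: entries directly under a drive root: each removes a whole top-level tree."""
    return [f for f in plan["folders"] if len(f.split("\\")) <= 2]


def summarize_plan(plan):
    return {bucket: len(entries) for bucket, entries in plan.items()}


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    for bucket, count in summarize_plan(plan).items():
        print(f"{bucket}: {count}")
    for folder in shallow_folders(plan):
        print("review: whole top-level tree will be removed:", folder)
```

Anything that ends up under "unknown" or "set_values" is a reason to re-read the script before running it; for the script above both are empty, and the registry part only removes the five BHO keys and the three Run values the helper named.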

Hello,

 

I made it up to the service name dmfdjzjr. After I typed in "y" I got a prompt that stated it didn't know what program to open, and to pick a manual or automatic search. I picked auto and it brought me to a Windows page that would not do anything. I tried again with the service code dmfdjzjr, and got a service not found message.

 

Yesterday I did load a current norton antivirus and it detected and removed a ton of stuff.

 

It looks like my Notepad is missing; maybe that is why I scan and save a log file and why the service name would not make a log? Where else would I look to find Notepad? It used to have a button.

 

 

Remember all the computer software is on its way to me, if that might help.


notepad.exe is present in your C:\Windows folder and C:\Windows\system32 folder.

 

It may be a good idea to run the next tool as well, to make sure all associations are set properly:

 

Download DAFT and save it to your desktop:

  1. Double-click the daft.exe icon. Read the disclaimer and click OK.
  2. Click on the Scan button.
  3. If anything is found, select it.
  4. Then Click the Fix button.
  5. Rescan again and it should say that all associations are OK.

By the way, did you enter the service name in the program SvcQuery.exe as requested? Because when you double-click SvcQuery.exe, it will open a command window. There it says: "Please enter the servicename by the helper as requested" (or something similar). There you'll have to type: dmfdjzjr and hit enter.

Not sure why you typed: "y" there. You have to type: dmfdjzjr

 

So I cannot stress enough how important it is you follow my instructions to the letter.


Hmm.. just rereading..

Not sure what you are trying here or tried here... But notepad is used to open text files. If you were missing it, then it wouldn't open the log from Combofix either.

 

To open Notepad, I meant to open an empty txt file. To do this, right-click your desktop and select "new text file".


The DAFT fixed the HJT log issues.

 

I still get a "service not found" when I type in dmfdjzjr and hit enter.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 7:54:11 AM, on 6/18/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\QuickTime\bak\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\CConnect\CConnect.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\WgaTray.exe

C:\WINDOWS\explorer.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179187324923

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

 

Here is the Combo

 

ComboFix 07-06-13.3 - C:\Documents and Settings\Toth Family\Desktop\ComboFix.exe

"Toth Family" - 2007-06-18 7:38:30 NTFS

Command switches used :: C:\Documents and Settings\Toth Family\Desktop\ComboFix-Do.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\miuu

C:\Program Files\Common Files\miuu\miuua.lck

C:\Program Files\Common Files\miuu\miuud\class-barrel

C:\Program Files\Common Files\miuu\miuud\vocabulary

C:\Program Files\Common Files\miuu\miuuh

C:\Program Files\Common Files\miuu\miuul.lck

C:\Program Files\Common Files\miuu\miuum.lck

C:\syshfbr.exe

C:\sysscio.exe

C:\Temp

C:\Temp\x2b\tmpZTF.log

C:\WINDOWS\MBDownloader_876916.exe

C:\WINDOWS\miuu

C:\WINDOWS\miuu\miuu.dat

C:\WINDOWS\miuu\wu

C:\WINDOWS\system32\monterreyl_ingen.exe

C:\WINDOWS\system32\nyvcyffa.dll

C:\WINDOWS\system32\regapi.exe

C:\WINDOWS\system32\rlbtpcun.dll

C:\WINDOWS\system32\T1QaSQ

C:\WINDOWS\system32\T5

C:\WINDOWS\system32\T6

C:\WINDOWS\system32\T7

C:\WINDOWS\system32\TQ0

C:\WINDOWS\system32\vemrndma.dll

C:\WINDOWS\system32\winpfz32.sys

C:\WINDOWS\VG90aCBGYW1pbHk

C:\WINDOWS\xmlhelper.dll

 

 

((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))

 

 

2007-06-17 18:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Symantec

2007-06-17 17:26 <DIR> d-------- C:\Program Files\SymNetDrv

2007-06-17 12:21 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys

2007-06-17 12:21 <DIR> d-------- C:\Program Files\Norton AntiVirus

2007-06-06 10:00 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-18 01:40:14 -------- d-----w C:\Program Files\CConnect

2007-06-18 00:34:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-18 00:26:33 -------- d-----w C:\Program Files\Symantec

2007-06-10 13:25:23 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat

2007-05-18 01:51:21 -------- d-----w C:\Program Files\TrojanHunter 4.6

2007-05-15 00:02:46 -------- d--h--w C:\Program Files\WindowsUpdate

2007-05-10 23:51:58 -------- d-----w C:\DOCUME~1\TOTHFA~1\APPLIC~1\AdobeUM

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-09 22:59:29 21,244 ---ha-w C:\WINDOWS\system32\mlfcache.dat

2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll

2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-07 11:09]

{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 02:04]

{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []

"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []

"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2006-10-25 19:58]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]

"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2005-07-29 10:35]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-06-17 17:26]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe" []

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

 

 

Contents of the 'Scheduled Tasks' folder

2007-04-04 13:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-16 03:00:01 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Toth Family.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-18 07:40:30

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-18 7:40:55

C:\ComboFix-quarantined-files.txt ... 2007-06-18 07:40

C:\ComboFix2.txt ... 2007-06-17 18:03

 

--- E O F ---


Hi,

 

I still get a "service not found" when I type in dmfdjzjr and hit enter.

That's ok. I already see from your Combofix log it was removed. So maybe it already was in your first attempt to use the svcquery.exe tool.

 

Your log is looking much better, but we have to restore some files to their original location as well. This is because I see you were also dealing with the AWF infection, since I see a QuickTime component running from a bak folder.

 

But first, delete the following folder:

 

C:\Qoobox

 

Then, please download the following file to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

 

Run the file and copy and paste the output text here.


When I tried to delete the C:\Qoobox, I would get this message:

Cannot delete xmlhelper.dll.vir access denied.

 

Here is the log

 

 

Find AWF report by noahdfear ©2006

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\PROGRA~1\ITUNES\BAK

 

10/30/2006 10:36 AM 256,576 iTunesHelper.exe

1 File(s) 256,576 bytes

 

Directory of C:\PROGRA~1\MESSEN~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

10/25/2006 07:58 PM 282,624 qttask.exe

1 File(s) 282,624 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

07/09/2001 11:50 AM 155,648 NeroCheck.exe

1 File(s) 155,648 bytes

 

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

 

10/18/2001 01:37 PM 483,394 CFD.exe

1 File(s) 483,394 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

 

12/13/2004 03:30 PM 58,992 ccApp.exe

1 File(s) 58,992 bytes

 

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

 

09/25/2006 07:48 AM 180,269 realsched.exe

1 File(s) 180,269 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

 

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe

1 File(s) 218,240 bytes

 

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.248\BAK

 

02/01/2007 11:20 AM 170,424 GoogleToolbarNotifier.exe

1 File(s) 170,424 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"

102400 Feb 10 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"

108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"

282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"

155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"

483394 Oct 18 2001 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"

58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"

58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

180269 Sep 25 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

218240 Jul 29 2005 "C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe"

218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"

124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"

4935680 Aug 15 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"

458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"

645880 Apr 3 2007 "C:\Documents and Settings\Toth Family\DoctorWeb\Quarantine\GoogleUpdaterInstallMgr.exe"

559784 Sep 25 2006 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"

136952 Mar 29 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\2.1.810.31257\GoogleUpdaterRestartManager.exe"

11817800 Sep 25 2006 "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\GoogleEarth.exe"

170424 Feb 1 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\bak\GoogleToolbarNotifier.exe"

 

 

end of report


Hi,

 

Reboot your computer and then try to delete the Qoobox folder again.

 

In the meanwhile, I'll prepare the next fix.


First of all, go to Start > Run and type: taskmgr.exe

This should open your Task Manager.

Select the "Processes" tab and end the following process: qttask.exe

This is because we need to put it back in its default location again, and while it is in use, that won't work.

 

Then,

* Open Notepad and copy and paste the following (the contents of the quote box) into it:

 

copy /y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480"

copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"

copy /y "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe" "C:\Program Files\BroadJump\Client Foundation"

copy /y "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32"

copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"

copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"

Save this as replace.bat, choose to save as *All Files*, and place it on your desktop.

It should look like this: bat.gif

(In case you are unsure how to create a bat file, take a look here with screenshots.)

 

Doubleclick replace.bat you created previously.

 

Then we'll also have to restore the default startup value for QuickTime and delete some registry leftovers related to xmlhelper.dll.

To do this,

open Notepad and copy and paste the following (the contents of the quote box below) into it:

(don't forget to copy and paste REGEDIT4)

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

 

[-HKEY_CLASSES_ROOT\AppID\bho_adw.DLL]

 

[-HKEY_CLASSES_ROOT\bho_adw.BHOAd]

 

[-HKEY_CLASSES_ROOT\bho_adw.BHOAd.1]

 

[-HKEY_CLASSES_ROOT\AppID\{91C9CE76-9EB1-4A77-92A1-27C44DBBFEEE}]

 

[-HKEY_CLASSES_ROOT\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}]

 

[-HKEY_CLASSES_ROOT\Interface\{9CA1536D-5689-40CA-B92A-F646301517D7}]

 

[-HKEY_CLASSES_ROOT\TypeLib\{09DC28C6-BCE2-42B1-B3EA-8AB82F0F3B0A}]

Save this as fix.reg, choose to save as *All Files*, and place it on your desktop.

It should look like this: reg.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

 

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the "Clear now" button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window

* Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Reboot back to normal mode.

 

* Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on your desktop.

Right-click the file and select Install; that will reset the zone settings that have been altered.

 

and also

 

* Download: ResetProtocolDefaults.reg

http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

 

Locate "ResetProtocolDefaults.reg"

Right-click and select: Merge (Ok the prompt)

 

Rescan with FindAWF and post the log in your next reply together with a new HijackThis log.

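As an added example (not the thread's own code and not noahdfear's FindAWF tool), here is a Python scan that does what the Find AWF report above does in spirit: find every folder named bak, compare each backed-up file with the same-named file in the parent folder by size and SHA-256, and put the originals back the way replace.bat does with copy /y. The directory tree it scans is constructed inside a temporary folder and mirrors the paths from the report; the three outcomes it reports correspond to the thread's post-ComboFix state (live file missing), an active infection (impostor in place), and a completed restore.

```python
# Added example (not noahdfear's FindAWF and not code from this thread). AWF-style
# infections move a legitimate autostart executable into a "bak" subfolder and put
# their own file under the original name; the tell-tale is a bak folder whose
# contents do not match the same-named file one level up. Sample tree is constructed.
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class BakFinding:
    bak_file: str            # backed-up original inside the bak folder
    live_file: str           # where that file normally lives (parent folder)
    status: str              # "missing", "replaced" or "restored"
    bak_size: int
    live_size: Optional[int]

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_awf(root: str) -> List[BakFinding]:
    """Locate every folder named 'bak' under root and compare each file in it
    with the same-named file in the parent folder."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            bak_file, live_file = os.path.join(dirpath, name), os.path.join(parent, name)
            bak_size = os.path.getsize(bak_file)
            if not os.path.exists(live_file):
                # the thread's state after ComboFix: impostor gone, original still in bak
                status, live_size = "missing", None
            else:
                live_size = os.path.getsize(live_file)
                same = bak_size == live_size and sha256_of(bak_file) == sha256_of(live_file)
                # identical copy: already restored; different: impostor still in place
                status = "restored" if same else "replaced"
            findings.append(BakFinding(bak_file, live_file, status, bak_size, live_size))
    return findings

def restore_from_bak(findings: List[BakFinding]) -> int:
    """Copy the originals back, as the thread's replace.bat does with 'copy /y'.
    Returns the number of files copied. On Windows the target must not be running
    (the thread ends qttask.exe first for exactly that reason)."""
    copied = 0
    for f in findings:
        if f.status in ("missing", "replaced"):
            shutil.copy2(f.bak_file, f.live_file)
            copied += 1
    return copied

def build_sample_tree() -> str:
    """Constructed sample: qttask.exe missing from its live location (as in the
    thread), an impostor iTunesHelper.exe, NeroCheck.exe already restored, and an
    empty Messenger bak folder like the one in the report."""
    root = tempfile.mkdtemp(prefix="awf_demo_")

    def put(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("Program Files/QuickTime/bak/qttask.exe", b"ORIGINAL-QTTASK" * 20)
    put("Program Files/iTunes/bak/iTunesHelper.exe", b"ORIGINAL-ITUNESHELPER" * 8)
    put("Program Files/iTunes/iTunesHelper.exe", b"IMPOSTOR" * 3)
    put("WINDOWS/system32/bak/NeroCheck.exe", b"NEROCHECK" * 5)
    put("WINDOWS/system32/NeroCheck.exe", b"NEROCHECK" * 5)
    os.makedirs(os.path.join(root, "Program Files/Messenger/bak"), exist_ok=True)
    return root

if __name__ == "__main__":
    for fnd in find_awf(build_sample_tree()):
        print(fnd.status, fnd.bak_file, fnd.bak_size, fnd.live_size)
```

Running the scan a second time after restore_from_bak() should report every entry as "restored", which is the same check the second Find AWF report in this thread makes visible by listing each bak file next to an identical-size live copy.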

OK,

My task manager is not working properly. When I open it up it is now a simple box with (2) headings at the top, (1) TASK and the other STATUS. It then lists what is open. At the bottom are (3) buttons: END TASK, SWITCH TO, & NEW TASK. Also, I cannot close it except by a reboot.

 

I did not do the other steps until this is resolved.


Ok, open your Task Manager again and double-click the borders. This should show the other tabs and the rest. :)


Here are the (2) logs.

I have to step out for a while.

 

 

 

Find AWF report by noahdfear ©2006

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\PROGRA~1\ITUNES\BAK

 

10/30/2006 10:36 AM 256,576 iTunesHelper.exe

1 File(s) 256,576 bytes

 

Directory of C:\PROGRA~1\MESSEN~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

10/25/2006 07:58 PM 282,624 qttask.exe

1 File(s) 282,624 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

07/09/2001 11:50 AM 155,648 NeroCheck.exe

1 File(s) 155,648 bytes

 

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

 

10/18/2001 01:37 PM 483,394 CFD.exe

1 File(s) 483,394 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

 

12/13/2004 03:30 PM 58,992 ccApp.exe

1 File(s) 58,992 bytes

 

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

 

09/25/2006 07:48 AM 180,269 realsched.exe

1 File(s) 180,269 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

 

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe

1 File(s) 218,240 bytes

 

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.248\BAK

 

02/01/2007 11:20 AM 170,424 GoogleToolbarNotifier.exe

1 File(s) 170,424 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"

256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"

102400 Feb 10 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"

108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"

282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"

282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"

155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"

155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"

483394 Oct 18 2001 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"

483394 Oct 18 2001 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"

58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"

58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

180269 Sep 25 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

180269 Sep 25 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

218240 Jul 29 2005 "C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe"

218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"

124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"

4935680 Aug 15 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"

458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"

645880 Apr 3 2007 "C:\Documents and Settings\Toth Family\DoctorWeb\Quarantine\GoogleUpdaterInstallMgr.exe"

559784 Sep 25 2006 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"

136952 Mar 29 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\2.1.810.31257\GoogleUpdaterRestartManager.exe"

170424 Feb 1 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"

11817800 Sep 25 2006 "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\GoogleEarth.exe"

170424 Feb 1 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\bak\GoogleToolbarNotifier.exe"

 

 

end of report

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:26:28 AM, on 6/18/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe

C:\Program Files\CConnect\CConnect.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\WgaTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179187324923

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

 

Thanks


Great job!

 

The files were replaced properly and malware is gone now.

Your logs look clean.

 

Delete the tools we have been using previously: DAFT, Combofix, FindAWF and SvcQuery.exe

 

Let me know in your next reply how things are now....


You can go ahead and update to Service Pack 2.

 

Glad I could help. :)

 

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here

This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
