A kid got on our computer at a party, popups galore.


  • This topic is locked
23 replies to this topic

#1 spuncrazy

spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 13 June 2007 - 10:15 PM

Just got done cleaning with the help of Nasdaq. A kid got on our computer at a party and did something, and now
there are redirects and popups galore. I tried to put the log back to the most recent clean log but it is not working.
Here is my current log.


Logfile of HijackThis v1.99.1
Scan saved at 8:09:56 PM, on 6/13/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MBOLS~1\taskmgr.exe
C:\Program Files\CConnect\CConnect.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\jnfpcurk.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Unse] "C:\WINDOWS\System32\MBOLS~1\taskmgr.exe" -vt yazb
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1179187324923
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - - (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG90aCBGYW1pbHk\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
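A helper reads a log like the one above by eye: an eight-letter DLL loaded by rundll32 from System32, a `taskmgr.exe` sitting in a System32 subfolder, a service with "Unknown owner" pointing at a missing file under a directory whose name is base64 (VG90aCBGYW1pbHk decodes to "Toth Family", the account name in this thread), and a Run entry whose path prints with `?` where characters outside the system code page stand in for a lookalike of `Microsoft\spoolsv.exe`. The following is an added Python example, my code rather than HijackThis's or the forum's, that turns those observations into triage heuristics and runs them over six constructed lines in the HJT line format; the allowlist of native binaries, the vowel-count "random name" test and the flag names are my own assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: six lines in the HijackThis v1.99 line format, modelled on the
# kinds of entries in the log above (not a copy of the original log).
SAMPLE_HJT = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\jnfpcurk.dll",realset
O4 - HKCU\..\Run: [Unse] "C:\WINDOWS\System32\MBOLS~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Kmggsn] "C:\Program Files\Common Files\?icrosoft\s?oolsv.exe"
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG90aCBGYW1pbHk\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""
SAMPLE_LINES = SAMPLE_HJT.strip().splitlines()

# Assumed allowlist: Windows binaries and the only directories they belong in. A copy
# anywhere else is a name masquerade (compare MBOLS~1\taskmgr.exe in the log above).
NATIVE_BINARIES = {
    "taskmgr.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
VOWELS = set("aeiouy")


def extract_path(line: str) -> Optional[str]:
    """Pull the file path out of an O2/O3/O4/O23 line: a quoted path if there is one,
    otherwise the first drive-letter path, minus '(file missing)' and trailing args."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]+)"', line)
    if quoted:
        return quoted.group(1)
    m = re.search(r"[A-Za-z]:\\.*", line)
    if not m:
        return None
    tail = m.group(0).replace("(file missing)", "")
    return re.split(r"\s+[-/]\w", tail)[0].strip()


def looks_random(name: str) -> bool:
    """Crude 'generated filename' test (my heuristic): six or more letters, letters only,
    and at most one vowel per five characters, which product names rarely satisfy."""
    stem = name.lower().split(".")[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) * 5 <= len(stem)


def base64_component(path: str) -> Optional[str]:
    """Decoded text of the first directory component that is base64 for printable
    ASCII (the log's VG90aCBGYW1pbHk is the user name 'Toth Family'), else None."""
    for comp in path.split("\\")[1:-1]:
        if len(comp) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+", comp):
            continue
        padded = comp + "=" * (-len(comp) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            return text
    return None


def triage_line(line: str) -> List[str]:
    """Return the heuristic flags raised by one HJT line (empty list = nothing odd)."""
    flags: List[str] = []
    path = extract_path(line)
    if path is None:
        return flags
    parent, _, base = path.rpartition("\\")
    parent, base = parent.lower(), base.lower()
    if "?" in path:
        # HJT prints '?' for characters outside the system code page: a lookalike of
        # Common Files\Microsoft\spoolsv.exe rather than the real binary.
        flags.append("lookalike-chars")
    if base in NATIVE_BINARIES:
        if parent not in NATIVE_BINARIES[base]:
            flags.append("native-name-wrong-dir")
    elif looks_random(base):
        flags.append("random-name")
    decoded = base64_component(path)
    if decoded is not None:
        flags.append(f"base64-dir:{decoded}")
    if "(file missing)" in line:
        flags.append("file-missing")       # orphaned service registration
    if "Unknown owner" in line:
        flags.append("unknown-owner")      # no vendor string on a service
    if line.startswith("O4") and "rundll32" in line.lower():
        flags.append("rundll32-loader")    # Run key loading a DLL via rundll32
    return flags


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only the lines that raised at least one flag, paired with their flags."""
    flagged = []
    for line in lines:
        flags = triage_line(line)
        if flags:
            flagged.append((line, flags))
    return flagged


if __name__ == "__main__":
    for line, flags in triage(SAMPLE_LINES):
        print(", ".join(flags))
        print("    " + line)
```

Run as-is it prints the four flagged lines and leaves the two Symantec entries alone. The heuristics are deliberately cheap and produce leads, not verdicts: a flagged line still needs the file itself, its vendor string and its creation date (as in the ComboFix "Files Created" list further down the thread) before anything is removed.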

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 16 June 2007 - 06:31 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 16 June 2007 - 09:49 AM

Hello,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1 for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here to get Service Pack 1

Warning: You must only update to Service Pack 1, and not Service Pack 2. Doing this before your computer is clean can cause Windows to become unstable. We will update to SP2 after the log is clean.

After you have updated your computer to SP1, please restart your computer and post a new HJT log. Then we'll start from there.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 spuncrazy

spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 17 June 2007 - 12:41 PM

Hello,
I was given this computer from a relative who got a new system.
When I tried to add the service pack it said there was a validation problem.
My relative has put all the software and codes in the mail to me.
I will add the service packs after I receive the package.

Is there any work I can do to start the clean-up?
Thanks

#5 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 17 June 2007 - 12:47 PM

Hmm, this rather smells like an illegal version of XP :(

Anyway, do next please..

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#6 spuncrazy

spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 17 June 2007 - 08:09 PM

Here you go

ComboFix 07-06-13.3 - C:\Documents and Settings\Toth Family\Desktop\ComboFix.exe
"Toth Family" - 2007-06-17 17:49:52 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gqjyshoj.dll
C:\WINDOWS\system32\kuwejski.dll
C:\WINDOWS\system32\opyrrcmv.dll
C:\WINDOWS\system32\pvqefath.dll
C:\WINDOWS\system32\qbreonwc.dll
C:\WINDOWS\system32\fccyxwu.dll
C:\WINDOWS\system32\qomjjkh.dll
C:\WINDOWS\system32\urqomjj.dll
C:\WINDOWS\system32\johsyjqg.ini
C:\WINDOWS\system32\iksjewuk.ini
C:\WINDOWS\system32\htafeqvp.ini
C:\WINDOWS\system32\cwnoerbq.ini
C:\WINDOWS\system32\prsut.bak1
C:\WINDOWS\system32\prsut.bak2
C:\WINDOWS\system32\prsut.ini
C:\WINDOWS\system32\prsut.bak1
C:\WINDOWS\system32\prsut.bak2
C:\WINDOWS\system32\prsut.ini
C:\WINDOWS\system32\tusrp.dll
C:\WINDOWS\system32\opnlmnk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\icroso~1\s?oolsv.exe
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\b136.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\server.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\0p45Ao47.exe
C:\WINDOWS\system32\bA43g3b6.exe
C:\WINDOWS\system32\driverl.dll
C:\WINDOWS\system32\driverl.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mbols~1\taskmgr.exe
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\cmdService
-------\core
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


2007-06-17 17:26 <DIR> d-------- C:\Program Files\SymNetDrv
2007-06-17 12:21 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-06-17 12:21 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-06-16 20:56 6,743 --a------ C:\syshfbr.exe
2007-06-16 20:43 60,928 --a------ C:\WINDOWS\system32\rsgb.dll
2007-06-16 04:28 97,792 --a-s---- C:\WINDOWS\system32\monterreyl_ingen.exe
2007-06-16 04:28 8,704 --a------ C:\WINDOWS\system32\regapi.exe
2007-06-14 22:58 14,390 --a------ C:\sysscio.exe
2007-06-13 18:31 62,516 --a------ C:\WINDOWS\system32\cboyejuh.dll
2007-06-13 12:10 122,880 --a------ C:\WINDOWS\xmlhelper.dll
2007-06-12 11:29 <DIR> d-------- C:\WINDOWS\miuu
2007-06-12 11:29 <DIR> d-------- C:\Program Files\Common Files\miuu
2007-06-12 11:14 <DIR> d--hs---- C:\WINDOWS\VG90aCBGYW1pbHk
2007-06-09 18:34 2,580 --a------ C:\WINDOWS\system32\ajuofriy.exe
2007-06-09 18:19 929 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-09 18:14 102,400 --a------ C:\WINDOWS\MBDownloader_876916.exe
2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T5
2007-06-09 18:14 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-09 18:14 <DIR> d-------- C:\Temp\x2b
2007-06-09 18:14 <DIR> d-------- C:\Temp
2007-06-06 10:00 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 00:34:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-18 00:26:33 -------- d-----w C:\Program Files\Symantec
2007-06-10 13:25:23 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-05-18 01:51:21 -------- d-----w C:\Program Files\TrojanHunter 4.6
2007-05-15 00:02:46 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-10 23:51:58 -------- d-----w C:\DOCUME~1\TOTHFA~1\APPLIC~1\AdobeUM
2007-05-08 01:44:27 126,464 ----a-w C:\WINDOWS\system32\vemrndma.dll
2007-05-01 12:41:50 99,840 ----a-w C:\WINDOWS\system32\rlbtpcun.dll
2007-05-01 12:41:49 43,520 ----a-w C:\WINDOWS\system32\nyvcyffa.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-09 22:59:29 21,244 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\VG90aCBGYW1pbHk\p36XuF13sqYDvJ4.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-07 11:09]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 02:04]
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\System32\cboyejuh.dll [2007-06-13 18:31]
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper.dll [2007-06-13 12:10]
{93781A6E-D4AF-FA2F-D907-8CADDB91219F}=C:\WINDOWS\System32\rsgb.dll [2007-05-21 06:59]
{9577C9FD-7E78-487E-A9E0-23B8C5799A04}=C:\WINDOWS\System32\xtatelwp.dll []
{A379A635-9340-4BCA-8E44-F33F0C55E172}=C:\WINDOWS\System32\xtatelwp.dll []
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2005-07-29 10:35]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-06-17 17:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"Unse"="C:\WINDOWS\System32\MBOLS~1\taskmgr.exe" []
"Kmggsn"="C:\Program Files\Common Files\?icrosoft\s?oolsv.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost"=C:\WINDOWS\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
dmfdjzjr


Contents of the 'Scheduled Tasks' folder
2007-04-04 13:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-16 03:00:01 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Toth Family.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 18:02:46
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\temp

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-06-17 18:03:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-17 18:03

--- E O F ---

#7 spuncrazy

spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 17 June 2007 - 08:25 PM

Hello,
I can't get a HJT log. I run the scan and save a log. As soon as it is finished it just disappears. If I run just the scan I can't save or copy. My hjt has never done this before.

#8 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 02:52 AM

Hi,

This is a really nasty log.... I see more malware present than anything else...
Is Norton still up to date here? Because I actually cannot believe it left so much malware undetected...

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.


We'll see afterwards if HijackThis will open after performing next steps...

Do next in the right order please..

Instructions removed to upload the xmlhelper.dll file - this is to prevent the many people who are watching this thread from uploading it as well..


*Please download SvcQuery.exe
  • Save it to your desktop.
  • Double click SvcQuery.exe
  • When prompted to enter a service name, enter dmfdjzjr
  • Type "y" to confirm.
  • When done, it shall present a log, I need that log later.
Then,

* Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\syshfbr.exe
C:\WINDOWS\system32\rsgb.dll
C:\WINDOWS\system32\monterreyl_ingen.exe
C:\WINDOWS\system32\regapi.exe
C:\sysscio.exe
C:\WINDOWS\system32\cboyejuh.dll
C:\WINDOWS\xmlhelper.dll
C:\WINDOWS\system32\ajuofriy.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\MBDownloader_876916.exe
C:\WINDOWS\system32\vemrndma.dll
C:\WINDOWS\system32\rlbtpcun.dll
C:\WINDOWS\system32\nyvcyffa.dll

Folder::
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T5
C:\WINDOWS\system32\T1QaSQ
C:\Temp
C:\WINDOWS\VG90aCBGYW1pbHk
C:\WINDOWS\miuu
C:\Program Files\Common Files\miuu

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93781A6E-D4AF-FA2F-D907-8CADDB91219F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9577C9FD-7E78-487E-A9E0-23B8C5799A04}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A379A635-9340-4BCA-8E44-F33F0C55E172}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unse"=-
"Kmggsn"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost"=-


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log and the log from SvcQuery.

Edited by miekiemoes, 20 June 2007 - 06:59 AM.

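The ComboFix script above has three sections: `File::` and `Folder::` list paths to delete, and `Registry::` uses .reg-file syntax, where `[-KEY]` deletes a whole key and `"name"=-` deletes one value under the most recent `[KEY]` line. The following is an added Python example, my code rather than ComboFix's, that parses a constructed script in that layout into an action list and then cross-checks every target against a constructed excerpt of a ComboFix log ("Files Created" lines and "Reg Loading Points" entries). The cross-check is the reviewer's habit this thread models: every deletion should trace back to something the scan actually reported. The Kmggsn value is deliberately left out of the constructed log excerpt so the check has something to report; the action names are my own.

```python
import re
from typing import List, Set, Tuple

# Constructed CFScript in the File::/Folder::/Registry:: layout used above (a short
# stand-in, not the helper's actual script). Registry:: follows .reg syntax:
# "[-KEY]" deletes a whole key, "name"=- deletes one value under the preceding [KEY].
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\rsgb.dll
C:\syshfbr.exe

Folder::
C:\WINDOWS\VG90aCBGYW1pbHk

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93781A6E-D4AF-FA2F-D907-8CADDB91219F}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unse"=-
"Kmggsn"=-
"""

# Constructed excerpt of a ComboFix log ("Files Created" lines and "Reg Loading Points"
# entries); the Kmggsn value is deliberately left out to show the cross-check firing.
SAMPLE_LOG = r"""
2007-06-16 20:56 6,743 --a------ C:\syshfbr.exe
2007-06-16 20:43 60,928 --a------ C:\WINDOWS\system32\rsgb.dll
2007-06-12 11:14 <DIR> d--hs---- C:\WINDOWS\VG90aCBGYW1pbHk
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{93781A6E-D4AF-FA2F-D907-8CADDB91219F}=C:\WINDOWS\System32\rsgb.dll [2007-05-21 06:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unse"="C:\WINDOWS\System32\MBOLS~1\taskmgr.exe" []
"""

Action = Tuple[str, str]   # (kind, target); value targets are written KEY\name


def parse_cfscript(text: str) -> List[Action]:
    """Turn a CFScript into delete-file / delete-folder / delete-key / delete-value actions."""
    actions: List[Action] = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            actions.append(("delete-file", line))
        elif section == "folder":
            actions.append(("delete-folder", line))
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete-key", line[2:-1]))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]          # values that follow belong to this key
            elif line.endswith("=-") and current_key:
                actions.append(("delete-value", current_key + "\\" + line[:-2].strip('"')))
            else:
                raise ValueError(f"unsupported Registry:: line: {line}")
        else:
            raise ValueError(f"line outside any section: {line}")
    return actions


def seen_in_log(log: str) -> Set[str]:
    """Lower-cased paths, keys, CLSID subkeys and value names the ComboFix log reported."""
    seen: Set[str] = set()
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            seen.add(key.lower())
        elif line.startswith("{") and "=" in line:
            seen.add((key + "\\" + line.split("=", 1)[0]).lower())      # BHO CLSID subkey
        elif line.startswith('"') and "=" in line:
            seen.add((key + "\\" + line.split("=", 1)[0].strip('"')).lower())
        else:
            m = re.search(r"[A-Za-z]:\\\S.*", line)                  # "Files Created" path
            if m:
                seen.add(m.group(0).strip().lower())
    return seen


def unverified_targets(script: str, log: str) -> List[Action]:
    """Actions whose target never appeared in the log: review these before running."""
    seen = seen_in_log(log)
    return [a for a in parse_cfscript(script) if a[1].lower() not in seen]


if __name__ == "__main__":
    for kind, target in parse_cfscript(SAMPLE_SCRIPT):
        print(f"{kind:14} {target}")
    print("not seen in log:", unverified_targets(SAMPLE_SCRIPT, SAMPLE_LOG))
```

The parser refuses lines it does not understand rather than guessing, which is the right failure mode for a script that deletes things; the one target it reports as unverified here is the Run value the constructed log never mentioned, exactly the kind of entry a helper would want to confirm against an earlier log before leaving it in the script.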

#9 spuncrazy

spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 18 June 2007 - 08:49 AM

Hello,

I made it up to the service name dmfdjzjr. After I typed in "y" I got a prompt that stated it didn't know what program to open, and to pick a manual or automatic search. I picked auto and it brought me to a Windows page that would not do anything. I tried again with the service code dmfdjzjr, and got a service not found message.

Yesterday I did load a current norton antivirus and it detected and removed a ton of stuff.

It looks like my notepad is missing; maybe that is why I can't scan and save a log file, and why the service name would not make a log????? Where else would I look to find notepad? It used to have a button.


Remember, all the computer software is on its way to me, if that might help.

#10 spuncrazy

spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 18 June 2007 - 08:54 AM

I found notepad.

#11 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 09:39 AM

notepad.exe is present in your C:\Windows folder and C:\Windows\system32 folder.

It may be a good idea to run the next tool as well, to make sure all associations are set properly:

Download DAFT and save it to your desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • If anything is found, select them.
  • Then Click the Fix button.
  • Rescan again and it should say that all associations are OK.
By the way, did you enter the service name in the program SvcQuery.exe as requested? Because when you double-click SvcQuery.exe, it will open a command window. There it says: "Please enter the servicename by the helper as requested" (or something similar). There you'll have to type: dmfdjzjr and hit enter.
Not sure why you typed: "y" there. You have to type: dmfdjzjr

So I cannot stress enough how important it is you follow my instructions to the letter.

#12 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 09:50 AM

Hmm.. just rereading..
Not sure what you are trying here or tried here... But notepad is used to open text files. If you were missing it, then it wouldn't open the log from Combofix either.

To open notepad, I meant to open an empty txt file. To do this, right-click your desktop and select "new textfile".

#13 spuncrazy

spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 18 June 2007 - 09:59 AM

The DAFT fixed the HJT log issues.

I still get a "service not found" when I type in dmfdjzjr and hit enter.


Logfile of HijackThis v1.99.1
Scan saved at 7:54:11 AM, on 6/18/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1179187324923
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Here is the Combo

ComboFix 07-06-13.3 - C:\Documents and Settings\Toth Family\Desktop\ComboFix.exe
"Toth Family" - 2007-06-18 7:38:30 NTFS
Command switches used :: C:\Documents and Settings\Toth Family\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\miuu
C:\Program Files\Common Files\miuu\miuua.lck
C:\Program Files\Common Files\miuu\miuud\class-barrel
C:\Program Files\Common Files\miuu\miuud\vocabulary
C:\Program Files\Common Files\miuu\miuuh
C:\Program Files\Common Files\miuu\miuul.lck
C:\Program Files\Common Files\miuu\miuum.lck
C:\syshfbr.exe
C:\sysscio.exe
C:\Temp
C:\Temp\x2b\tmpZTF.log
C:\WINDOWS\MBDownloader_876916.exe
C:\WINDOWS\miuu
C:\WINDOWS\miuu\miuu.dat
C:\WINDOWS\miuu\wu
C:\WINDOWS\system32\monterreyl_ingen.exe
C:\WINDOWS\system32\nyvcyffa.dll
C:\WINDOWS\system32\regapi.exe
C:\WINDOWS\system32\rlbtpcun.dll
C:\WINDOWS\system32\T1QaSQ
C:\WINDOWS\system32\T5
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\vemrndma.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\VG90aCBGYW1pbHk
C:\WINDOWS\xmlhelper.dll


((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


2007-06-17 18:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Symantec
2007-06-17 17:26 <DIR> d-------- C:\Program Files\SymNetDrv
2007-06-17 12:21 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-06-17 12:21 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-06-06 10:00 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 01:40:14 -------- d-----w C:\Program Files\CConnect
2007-06-18 00:34:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-18 00:26:33 -------- d-----w C:\Program Files\Symantec
2007-06-10 13:25:23 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-05-18 01:51:21 -------- d-----w C:\Program Files\TrojanHunter 4.6
2007-05-15 00:02:46 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-10 23:51:58 -------- d-----w C:\DOCUME~1\TOTHFA~1\APPLIC~1\AdobeUM
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-09 22:59:29 21,244 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-03-29 01:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-29 01:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-07 11:09]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 02:04]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-01-10 12:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2005-07-29 10:35]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-06-17 17:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]


Contents of the 'Scheduled Tasks' folder
2007-04-04 13:07:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-16 03:00:01 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Toth Family.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 07:40:30
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-18 7:40:55
C:\ComboFix-quarantined-files.txt ... 2007-06-18 07:40
C:\ComboFix2.txt ... 2007-06-17 18:03

--- E O F ---

#14 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 10:05 AM

Hi,

I still get a "service not found" when I type in dmfdjzjr and hit enter.

That's ok. I can already see from your ComboFix log that it was removed. So maybe it was already removed in your first attempt to use the svcquery.exe tool.

Your log is looking much better, but we have to restore some files to their original location as well. This is because I see you were also dealing with the AWF infection, since I see a QuickTime component running from a bak folder.

But first, delete the following folder:

C:\Qoobox

Then, please download the following file to your desktop:
http://noahdfear.gee...com/FindAWF.exe

Run the file and copy and paste the output text here.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#15 spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 18 June 2007 - 10:23 AM

When I tried to delete the C:\Qoobox, I would get this message:
Cannot delete xmlhelper.dll.vir access denied.

Here is the log


Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 11:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

10/18/2001 01:37 PM 483,394 CFD.exe
1 File(s) 483,394 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/13/2004 03:30 PM 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/25/2006 07:48 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.248\BAK

02/01/2007 11:20 AM 170,424 GoogleToolbarNotifier.exe
1 File(s) 170,424 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 10 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
483394 Oct 18 2001 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
180269 Sep 25 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
218240 Jul 29 2005 "C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
4935680 Aug 15 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
645880 Apr 3 2007 "C:\Documents and Settings\Toth Family\DoctorWeb\Quarantine\GoogleUpdaterInstallMgr.exe"
559784 Sep 25 2006 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"
136952 Mar 29 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\2.1.810.31257\GoogleUpdaterRestartManager.exe"
11817800 Sep 25 2006 "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\GoogleEarth.exe"
170424 Feb 1 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\bak\GoogleToolbarNotifier.exe"


end of report

#16 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 10:46 AM

Hi,

Reboot your computer and then try to delete the Qoobox folder again.

In the meantime I'll prepare the next fix.

#17 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 10:56 AM

First of all, go to Start > Run and type: taskmgr.exe
This should open your Task Manager.
Select the "Processes" tab and end the following process: qttask.exe
This is because we need to put it back in its default location again, and while it is in use, that won't work.

Then,
* Open Notepad and copy and paste what is in the quotebox below into it:

copy /y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480"
copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
copy /y "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe" "C:\Program Files\BroadJump\Client Foundation"
copy /y "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"

Save this as replace.bat, choose to save as "All Files", and place it on your desktop.
(In case you are unsure how to create a bat file, take a look here with screenshots.)

Double-click the replace.bat you just created.

Then we'll also have to restore the default startup value for QuickTime and delete some registry leftovers related to xmlhelper.dll.
To do this,
Open Notepad and copy and paste what is in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[-HKEY_CLASSES_ROOT\AppID\bho_adw.DLL]

[-HKEY_CLASSES_ROOT\bho_adw.BHOAd]

[-HKEY_CLASSES_ROOT\bho_adw.BHOAd.1]

[-HKEY_CLASSES_ROOT\AppID\{91C9CE76-9EB1-4A77-92A1-27C44DBBFEEE}]

[-HKEY_CLASSES_ROOT\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}]

[-HKEY_CLASSES_ROOT\Interface\{9CA1536D-5689-40CA-B92A-F646301517D7}]

[-HKEY_CLASSES_ROOT\TypeLib\{09DC28C6-BCE2-42B1-B3EA-8AB82F0F3B0A}]

Save this as fix.reg, choose to save as "All Files", and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear Now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot back to normal mode.

* Download http://www.mvps.org/.../DelDomains.inf and place it on your desktop.
Right-click the file and select Install; that will reset the zone settings that have been altered.

and also

* Download: ResetProtocolDefaults.reg
http://www.mvps.org/...colDefaults.reg

Locate "ResetProtocolDefaults.reg".
Right-click it and select Merge (OK the prompt).

Rescan with FindAWF and post the log in your next reply together with a new HijackThis log.

#18 spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 18 June 2007 - 11:18 AM

OK,
My task manager is not working properly. When I open it up it is now a simple box with (2) headings at the top, (1) TASK and the other STATUS. It then lists what is open. At the bottom are (3) buttons: END TASK, SWITCH TO, & NEW TASK. Also, I cannot close it except by rebooting.

I did not do the other steps until this is resolved.

#19 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 11:31 AM

Ok, open your Task Manager again and double-click the borders. This should show the other tabs and the rest. :)

#20 spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 18 June 2007 - 12:31 PM

Here are the (2) logs.
I have to step out for a while.



Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 11:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

10/18/2001 01:37 PM 483,394 CFD.exe
1 File(s) 483,394 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/13/2004 03:30 PM 58,992 ccApp.exe
1 File(s) 58,992 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/25/2006 07:48 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.248\BAK

02/01/2007 11:20 AM 170,424 GoogleToolbarNotifier.exe
1 File(s) 170,424 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 10 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
483394 Oct 18 2001 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
483394 Oct 18 2001 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
180269 Sep 25 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Sep 25 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
218240 Jul 29 2005 "C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
4935680 Aug 15 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
645880 Apr 3 2007 "C:\Documents and Settings\Toth Family\DoctorWeb\Quarantine\GoogleUpdaterInstallMgr.exe"
559784 Sep 25 2006 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"
136952 Mar 29 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124152 Mar 29 2007 "C:\Program Files\Google\Google Updater\2.1.810.31257\GoogleUpdaterRestartManager.exe"
170424 Feb 1 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
11817800 Sep 25 2006 "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\GoogleEarth.exe"
170424 Feb 1 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\bak\GoogleToolbarNotifier.exe"


end of report


Logfile of HijackThis v1.99.1
Scan saved at 10:26:28 AM, on 6/18/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1179187324923
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks
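Two of the checks the helper made by eye in this thread, written out as an added example that is not part of the thread and not code from FindAWF or HijackThis: spotting an executable that runs from a bak\ folder in a HijackThis log (the observation in post #14), and reading a FindAWF "Duplicate files" section to decide which bak\ copies still have no matching original in the parent folder, which is the difference between the report in post #15 and the one above and is what the copy /y lines in post #17 put right. The sample log lines are constructed from entries posted in this thread (trimmed to a handful); the function names and the "present / size differs / absent" statuses are my own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in HijackThis layout, like the first log in this thread,
# where QuickTime's qttask.exe runs from a bak\ folder.
HJT_EXCERPT = r'''
Running processes:
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'''
# Constructed sample: the "Duplicate files of bak directory contents" section of
# a FindAWF report, trimmed to a few entries posted in this thread, before
# (post #15) and after (post #20) the bak\ copies were put back.
REPORT_BEFORE = r'''
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
218240 Jul 29 2005 "C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
'''
REPORT_AFTER = r'''
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
''' + REPORT_BEFORE

WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)', re.IGNORECASE)
DUP_LINE_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2} \d{1,2} \d{4})\s+"(.+)"$')

class Entry(NamedTuple):
    size: int
    date: str
    path: str

def bak_indicators(hjt_log: str) -> List[str]:
    """Paths in a HijackThis log that run from a bak\\ folder, the tell that
    made the helper suspect the AWF infection in post #14."""
    hits: List[str] = []
    for line in hjt_log.splitlines():
        for path in WIN_PATH_RE.findall(line):
            if "\\bak\\" in path.lower() and path not in hits:
                hits.append(path)
    return hits

def parse_duplicates(report: str) -> List[Entry]:
    """Parse the '<size> <Mon d yyyy> "<path>"' lines of a FindAWF report."""
    entries = []
    for line in report.splitlines():
        m = DUP_LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def _split(path: str) -> Tuple[str, str]:
    # Split a Windows path from the report without relying on the host OS separator.
    head, _, tail = path.rpartition("\\")
    return head, tail

Result = Tuple[str, Entry, Optional[Entry]]  # (status, bak copy, parent copy)

def check_restore(entries: List[Entry]) -> Dict[str, Result]:
    """For each file under a bak\\ folder, find the same-named file in the parent
    folder: 'present' (same size), 'size differs', or 'absent' (not in report)."""
    by_key: Dict[Tuple[str, str], Entry] = {}
    for e in entries:
        folder, name = _split(e.path)
        by_key[(folder.lower(), name.lower())] = e
    results: Dict[str, Result] = {}
    for e in entries:
        folder, name = _split(e.path)
        parent, last = _split(folder)
        if last.lower() != "bak":
            continue
        orig = by_key.get((parent.lower(), name.lower()))
        if orig is None:
            status = "absent"
        elif orig.size == e.size:
            status = "present"
        else:
            status = "size differs"
        results[parent + "\\" + name] = (status, e, orig)
    return results

def restore_commands(results: Dict[str, Result]) -> List[str]:
    """Batch lines in the form the helper posted in #17, one per 'absent' original.
    'size differs' cases are left to a person: the CCAPP.EXE dated 2007 next to a
    2004 copy in bak\\ is the case the helper chose not to copy back."""
    return sorted('copy /y "%s" "%s"' % (bak.path, _split(orig_path)[0])
                  for orig_path, (status, bak, _) in results.items()
                  if status == "absent")

if __name__ == "__main__":
    print("running from bak\\:", bak_indicators(HJT_EXCERPT))
    for label, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        res = check_restore(parse_duplicates(report))
        print(label, {p: s for p, (s, _, _) in res.items()})
        print("\n".join(restore_commands(res)) or "nothing to restore")
```

Run against the "before" sample it lists three originals to copy back and flags ccApp.exe as "size differs"; against the "after" sample nothing is left to restore. A same-name, same-size match in the report is only an indicator: on the live machine, compare hashes of the bak\ copy and the file in the parent folder before trusting either.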

#21 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 12:38 PM

Great job!

The files were replaced properly and malware is gone now.
Your logs look clean.

Delete the tools we have been using previously: DAFT, Combofix, FindAWF and SvcQuery.exe

Let me know in your next reply how things are now.

#22 spuncrazy

    Member

  • Full Member
  • 48 posts

Posted 18 June 2007 - 02:57 PM

Thanks for the cleaning.

Should I still add Windows Service Packs 1 & 2?
Or just 2?

#23 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 18 June 2007 - 02:59 PM

You can go ahead and update to Service Pack 2.

Glad I could help. :)

Please read my Prevention page, which has lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#24 miekiemoes

    Malware Expert

  • Global Moderator
  • 20,026 posts

Posted 20 June 2007 - 09:14 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuation of existing problems, please tell the moderating team by replying here.
This applies only to the original topic starter.

Everyone else please begin a New Topic.



