aat

AdultFinder and others POPUPS

12 posts in this topic

Hello there,

 

Some time ago my son gained Administrator rights on his personal account (I am not sure yet how he did that, and he won't tell), and then, downloading some software from the net, infected the family computer.

 

The main phenomenon we witness is the POPUP menus with AdultFinder and other site advertisements, but it might be that other, more silent creatures entered as well.

 

We have the McAfee anti-virus, which updates every day, and scanning the entire machine it claims not to be able to find any virus. Nevertheless, the machine was infected by other kinds of creatures.

 

In C:\Windows\tasks there are these files:

 

C:\WINDOWS\system32>cd ../tasks

 

C:\WINDOWS\Tasks>dir /a

Volume in drive C has no label.

Volume Serial Number is 300B-8A9A

 

Directory of C:\WINDOWS\Tasks

 

04/20/2007 03:34 PM <DIR> .

04/20/2007 03:34 PM <DIR> ..

06/29/2007 03:00 PM 262 AB824F2D919DC381.job

06/03/2007 10:00 AM 350 At1.job

06/03/2007 08:00 PM 350 At2.job

06/03/2007 02:00 PM 350 At3.job

03/31/2003 06:00 AM 65 desktop.ini

06/29/2007 01:56 AM 330 MP Scheduled Scan.job

06/28/2007 09:40 PM 6 SA.DAT

7 File(s) 1,713 bytes

2 Dir(s) 34,136,027,136 bytes free

 

Using notepad I found that these jobs invoke the following:

 

AB824F2D919DC381.job -> c:\docume~1\allon\applic~1\filefa~1\knobholephone.exe

At1.job, At2.job and At3.job -> C:\WINDOWS\system32\wunauclt.exe

......... [I could not locate this file in that directory, but I did find it in C:\Program Files\wunauclt.exe]

MP Scheduled Scan.job -> C:\Program Files\Windows Defender\MpCmdRun.exe

 

I downloaded and installed HiJackThis from

http://www.trendsecure.com/portal/en-US/th...p?page=download

and here is the log it created:

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 13:40:22, on 29/06/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Babylon\Babylon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\mshta.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Dists\HiJackThis\HiJackThis_v2.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE PLEOMAX Web Camera

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [i downloaded pirated Software from P2P] Pro Evolution Soccer 6

O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"

O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1177238915-261903793-839522115-1009\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'tomer')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159227121856

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

 

--

End of file - 9605 bytes

 

Any ideas before I completely re-format the entire hard disk? :D

 

Thank you in advance

aat

Edited by aat

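The three commands above were read out of the .job files by hand; the spaced-out letters are the NUL bytes of the UTF-16LE strings that Task Scheduler 1.0 stores in a .job file, which Notepad renders as spaces. What follows is an added example, not code from the thread or from any of the tools mentioned, that parses the same fields programmatically and flags tasks launching from user-writable profile directories. The sample files are constructed from the two paths quoted in the post (no triggers, zeroed header fields), and the flagging rule is my own heuristic.

```python
"""Parse the command out of a Task Scheduler 1.0 .job file (C:\\Windows\\Tasks).

Layout (MS-TSCH): a 68-byte fixed header, then a 2-byte running-instance count,
then UTF-16LE strings each prefixed by a uint16 character count (NUL included):
Application Name, Parameters, Working Directory, Author, Comment.
"""
import struct
from typing import Dict, Tuple

FIXED_LEN = 68              # size of the fixed-length header (FIXDLEN_DATA)
APP_NAME_OFFSET_FIELD = 20  # uint16 here = file offset of the Application Name string
TRIGGER_OFFSET_FIELD = 22   # uint16 here = file offset of the trigger section

# Locations a scheduled task should not normally launch programs from.  The
# thread's AB824F2D919DC381.job pointed into a user profile via 8.3 short names
# (c:\docume~1\...\applic~1\...); this heuristic is my own, not the forum's.
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\",
                          "c:\\windows\\temp\\")


def _read_tstr(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read one length-prefixed UTF-16LE string; return (text, offset after it)."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    end = pos + count * 2
    if end > len(buf):
        raise ValueError("truncated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le").rstrip("\x00"), end


def _write_tstr(text: str) -> bytes:
    """Inverse of _read_tstr: uint16 count (including the NUL) + UTF-16LE chars."""
    if not text:
        return struct.pack("<H", 0)
    data = text.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<H", len(data) // 2) + data


def build_job(app: str, params: str = "", workdir: str = "",
              author: str = "", comment: str = "") -> bytes:
    """Build a minimal, constructed .job fixture: zeroed header fields, no triggers."""
    header = bytearray(FIXED_LEN)
    body = struct.pack("<H", 0)                      # Running Instance Count
    for s in (app, params, workdir, author, comment):
        body += _write_tstr(s)
    body += struct.pack("<II", 0, 0)                 # empty User Data / Reserved Data
    struct.pack_into("<H", header, APP_NAME_OFFSET_FIELD, FIXED_LEN + 2)
    struct.pack_into("<H", header, TRIGGER_OFFSET_FIELD, FIXED_LEN + len(body))
    body += struct.pack("<H", 0)                     # Trigger Count = 0
    return bytes(header) + body


def parse_job(buf: bytes) -> Dict[str, str]:
    """Return the string fields of a .job file, following the header's offset."""
    if len(buf) < FIXED_LEN + 2:
        raise ValueError("too short to be a .job file")
    (pos,) = struct.unpack_from("<H", buf, APP_NAME_OFFSET_FIELD)
    fields: Dict[str, str] = {}
    for name in ("application", "parameters", "working_dir", "author", "comment"):
        fields[name], pos = _read_tstr(buf, pos)
    return fields


def is_suspicious_target(path: str) -> bool:
    """True when the task launches something from a user-writable profile/temp dir."""
    return path.strip('"').lower().startswith(USER_WRITABLE_PREFIXES)


def notepad_view(text: str) -> str:
    """Reproduce what an ANSI editor shows for UTF-16LE text: a NUL after every char."""
    return text.encode("utf-16-le").decode("latin-1").replace("\x00", " ").rstrip()


if __name__ == "__main__":
    # Constructed samples using the two targets quoted in the post.
    samples = {
        "AB824F2D919DC381.job": build_job(
            "c:\\docume~1\\allon\\applic~1\\filefa~1\\knobholephone.exe"),
        "MP Scheduled Scan.job": build_job(
            "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"),
    }
    for name, raw in samples.items():
        info = parse_job(raw)
        flag = "SUSPICIOUS" if is_suspicious_target(info["application"]) else "ok"
        print(f"{name}: {info['application']} [{flag}]")
        print("  as Notepad showed it:", notepad_view(info["application"])[:40])
```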

Hello,

 

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Find out if you have Netpumper, Bitgrabber or BitRoll installed. If so, uninstall them via Start > Settings > Control Panel > Add/Remove Programs. This is because they are bundled with the malware you are dealing with (Swizzor, aka Lop).

Also look whether the following are present in Add/Remove Programs and uninstall them:

 

CiD Help / CiD Manager

Download Plugin for Internet Explorer

Zone Media

 

If, during the uninstall, you are asked for an uninstall verification, please enter the numbers that appear in the window.

 

Then reboot. Important!

 

=*=

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum). I will ask for it later.

Disable Microsoft Windows Defender:

 

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

 

After all of the fixes are complete it is very important that you enable Real-time Protection again.

 

Please set your system to show all files.

To delete the files/folders in the next steps, you may need to show hidden files/folders: How to.

At the end of the fix you can return the files to hidden status if you want.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [i downloaded pirated Software from P2P] Pro Evolution Soccer 6

O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"

O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete these files/folders in bold if found.

 

File

C:\Program Files\svchosts.exe

 

Folders

C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\

 

Restart the computer normally to reset the registry.

 

Enable Windows Defender.

 

* Download Deljob.exe and save it on your desktop.

Double-click Deljob.exe.

 

A log (logit.txt) should open afterwards. This log will be present on your desktop.

Post the contents of the logfile in your next reply.

 

Include the contents of the Report.txt from the SDFix.

 

A fresh Hijackthis log.

 

Use more than one post if too long for a single post.

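The list above singles out entries by eye: orphaned "(no file)" / "(file missing)" lines, a "Windows Services" value that launches svchosts.exe (one letter off svchost.exe) from the root of Program Files, and a value pointing into All Users\Application Data. The block below is an added example, not code from the thread or from HijackThis, that applies those same heuristics to lines copied from the log posted above; the lookalike list and the flag rules are my own choices.

```python
"""Triage HijackThis log lines with the heuristics the reply applies by hand:
orphaned entries ("(no file)" / "(file missing)"), autostart values that are not
program paths, system-binary lookalikes (svchosts.exe), programs dropped straight
into the Program Files root, and programs running from user-writable profile dirs.
"""
import re
from typing import Dict, List, Optional

# Legitimate Windows binaries that malware names tend to imitate (my own list).
KNOWN_SYSTEM_BINARIES = ("svchost.exe", "wuauclt.exe", "lsass.exe", "csrss.exe",
                         "winlogon.exe", "explorer.exe", "ctfmon.exe",
                         "services.exe", "spoolsv.exe", "rundll32.exe")
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\",
                          "c:\\windows\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First program-looking token of a command, quoted or not (unquoted paths with
# spaces, as in the greygram.exe entry, are handled by stopping at the extension).
EXE_RE = re.compile(r'^"?([^"]*?\.(?:exe|dll|scr|bat|cmd|hta))\b"?', re.IGNORECASE)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character twists on system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename: str) -> Optional[str]:
    """Return the system binary a file name imitates (distance 1), else None."""
    b = basename.lower()
    for known in KNOWN_SYSTEM_BINARIES:
        if b != known and _edit_distance(b, known) == 1:
            return known
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into section, name and the target it references."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return {"section": "O4", "name": m.group("name"), "target": m.group("cmd")}
    parts = line.split(" - ")
    if len(parts) < 2 or not re.match(r"^[OR]\d+$", parts[0]):
        return None          # process list, headers, etc.
    return {"section": parts[0], "name": parts[1], "target": parts[-1]}


def triage_line(line: str) -> Optional[Dict[str, object]]:
    """Parse a line and attach the list of reasons it deserves a second look."""
    entry = parse_line(line)
    if entry is None:
        return None
    reasons: List[str] = []
    target = entry["target"]
    if "(no file)" in target or "(file missing)" in target:
        reasons.append("orphaned entry: referenced file does not exist")
    m = EXE_RE.match(target)
    if m is None:
        if entry["section"] == "O4":
            reasons.append("autostart value is not a program path")
    else:
        exe = m.group(1).lower()
        parent, _, base = exe.rpartition("\\")
        twin = lookalike(base)
        if twin:
            reasons.append(f"file name mimics {twin}")
        if parent == "c:\\program files":
            reasons.append("executable sits directly in the Program Files root")
        if exe.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("executable lives in a user-writable profile directory")
    return {**entry, "reasons": reasons}


def triage_log(text: str) -> List[Dict[str, object]]:
    """Return only the entries that collected at least one reason."""
    out = []
    for line in text.splitlines():
        r = triage_line(line)
        if r and r["reasons"]:
            out.append(r)
    return out


# Lines copied from the log posted in the thread, plus clean entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [i downloaded pirated Software from P2P] Pro Evolution Soccer 6
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['section']} [{hit['name']}] -> {hit['target']}")
        for why in hit["reasons"]:
            print("    -", why)
```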

Hello nasdaq

Thank you very much for your attention and useful advice and help. Below is a report of the actions I took according to your suggestions, and then the three logs you requested, each in a separate post.

 

1. add/remove programs

  • None of the programs Netpumper, Bitgrabber or BitRoll was found there.
  • Neither did I see any of:
    • CiD Help / CiD Manager
    • Download Plugin for Internet Explorer
    • Zone Media
  • However, I later found a folder named Netpumper somewhere, and deleted it manually.
  • At this time, since no software was deleted, I didn't reboot yet.

2. SDFix

  • I downloaded SDFix, ran SDFix.exe and then in Safe Mode activated the script RunThis.bat.
  • It ran, rebooted and finished.
  • The Report.txt file follows in subsequent post.
  • I looked at the log, and in the last section I found a list of hidden/system files, all of which looked suspicious to me, and I have manually removed them all:
    • C:\Documents and Settings\SON\My Documents\SON\w\Uninstall.exe
    • C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    • C:\Documents and Settings\SON\Local Settings\Temp\~$RD1106.tmp
    • C:\Program Files\serial.zip
    • C:\Program Files\wunauclt.zip

3. Microsoft Windows Defender

  • Trying to activate the program in order to shut down the Real-time Protection, I got an error that the link points to a missing file ("C:\Program Files\Windows Defender\MSASCui.exe"); I looked at the folder and indeed this file was missing.
  • At that point I decided to use Add/Remove Programs in the Control Panel to remove Windows Defender completely, then downloaded the latest version from the Microsoft site and installed it.
  • After installation the Defender suggested a quick scan and I accepted.
  • It found 2 malware programs (the log is posted in a subsequent post):
    • RemoteAccess:Win32/Cyn
    • Trojan:Win32/C2Lop.C
  • I ordered the Defender to remove them both.
  • The Defender was able to remove the second one, but encountered a problem with the first (see the error message in the log). It complained about a file named C:\WINDOWS\user32.exe and suggested I manually remove it.
  • I couldn't find user32.exe in C:\WINDOWS, but I found such a file in C:\Program Files, along with some other suspicious programs (not placed in a subfolder as usual, but directly under C:\Program Files).
  • I moved them all to the folder C:\quarantine and added .mal to their names.
  • I made a second quick scan and now the Defender claimed the machine is clean.
  • Then, using Tools > Settings, I temporarily disabled the Real-time protection.
  • Later on (after completing the fix operations) I enabled it back.

4. Hidden/System files/folders

  • I never hide them, so there was nothing to change.

5. HiJackThis

  • I closed all programs and ran HijackThis.
  • Out of the 8 lines suggested for removal I now found only 5, which I checked and let HijackThis fix.
  • The 3 missing lines were:
    • O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
    • O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe
    • O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing).
  • I think the third one disappeared because, after reinstalling the Defender, the file MsMpEng.exe was not missing any more.
  • The second line disappeared probably because the Defender itself had fixed this malware as I ordered it (see the log in a subsequent post).
  • I do not know why the first line did show at that time.

6. Deleting files

  • I couldn't find a file named C:\Program Files\svchosts.exe (however, as I said before, I found other creatures in C:\Program Files and quarantined them).
  • I don't remember whether I found the folder C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\ and deleted it. Nevertheless, there is no such folder any more.

7. Restart

  • I restarted the computer.
  • And enabled Windows Defender Realtime Protection.

8. Deljob

  • I downloaded Deljob.exe and ran it.
  • The log is posted in a subsequent post.
  • Since I knew the 3 At?.job files which Deljob didn't remove were also malware (see my original post), I decided to manually delete them.
  • Currently, the only job left in C:\Windows\Tasks is the hidden file named MP Scheduled Scan.job, which activates the program C:\Program Files\Windows Defender\MpCmdRun.exe.

9. HiJackThis log

  • I re-ran HijackThis.
  • The log is in subsequent post.

Edited by aat


Looking good. I need to see a fresh HijackThis log and for you to tell me what problems persist.


SDFix - Report.txt

 

 

SDFix: Version 1.89

 

Run by USER on Thu 07/05/2007 at 07:09 PM

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

 

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

Checking C:\WINDOWS

C:\WINDOWS

No streams found.

 

Checking C:\WINDOWS\system32

C:\WINDOWS\system32

No streams found.

 

Checking C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

Checking C:\WINDOWS\system32\ntoskrnl.exe

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"

"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\eMule\\emule.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\eMule\\emule.exe:*:Disabled:eMule"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\aoe\\empires2.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\aoe\\empires2.exe:*:Enabled:Age of Empires II"

"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\pes6\\PES6.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\pes6\\PES6.exe:*:Disabled:pes6.exe"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\TVUPlayer\\TVUPlayer.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\music\\eMule\\emule.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\music\\eMule\\emule.exe:*:Enabled:eMule"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\SopCast\\SopCast.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"

"C:\\Documents and Settings\\SON\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\SON\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\worms\\WF.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\worms\\WF.exe:*:Enabled:WF"

"C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\multy\\emule.exe"="C:\\Documents and Settings\\SON\\My Documents\\€Œ…?\\multy\\emule.exe:*:Enabled:eMule"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

Remaining Files:

---------------

 

 

Files with Hidden Attributes:

 

C:\Documents and Settings\SON\My Documents\SON\w\Uninstall.exe

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

C:\Documents and Settings\SON\Local Settings\Temp\~$RD1106.tmp

C:\Program Files\serial.zip

C:\Program Files\wunauclt.zip

 

 

Finished

 

 

 

Windows Defender Scan Log

 

RemoteAccess:Win32/Cyn

--------------------------

Category:

Backdoor

 

Description:

This program has potentially unwanted behavior.

 

Advice:

Remove this software immediately.

 

Resources:

file:

C:\WINDOWS\user32.exe

 

View more information about this item online

------------------------------------------------------

 

Error encountered:

Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.

 

 

================================================

 

Trojan:Win32/C2Lop.C

-----------------------------

Category:

Trojan

 

Description:

This program monitors user information, such as Web browsing habits.

 

Advice:

Remove this software immediately.

 

Resources:

regkey:

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Mpeg Body Log Meal

 

regkey:

HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EachIsoAxis

 

regkey:

HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\bags view

 

runkey:

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Mpeg Body Log Meal

 

runkey:

HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\bags view

 

uninstall:

HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EachIsoAxis

 

file:

C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe

 

file:

c:\Documents and Settings\SON\Application Data\file face ooze\knobholephone.exe

 

file:

C:\WINDOWS\Tasks\AB824F2D919DC381.job

 

file:

C:\Documents and Settings\SON\Application Data\file face ooze\BOOBTHIRD.exe

 

taskscheduler:

C:\WINDOWS\Tasks\AB824F2D919DC381.job

 

View more information about this item online

 

 

Deljob logit.txt

 

--------------------------------------------------------

No LOP jobs found

--------------------------------------------------------

Files remaining after cleaning

 

At1.job

At2.job

At3.job

MP Scheduled Scan.job

--------------------------------------------------------

App data folders

 

Volume in drive C has no label.

Volume Serial Number is 300B-8A9A

 

Directory of C:\Documents and Settings\USER\Application Data

 

11/28/2006 12:14 AM <DIR> .

11/28/2006 12:14 AM <DIR> ..

11/28/2006 08:44 PM <DIR> Adobe

11/28/2006 08:44 PM <DIR> AdobeUM

11/28/2006 12:16 AM <DIR> Babylon

11/28/2006 12:06 AM <DIR> Google

09/26/2006 04:16 AM <DIR> ICQLite

09/26/2006 02:03 AM <DIR> IDENTI~1 Identities

09/26/2006 04:09 AM <DIR> MACROM~1 Macromedia

11/28/2006 08:40 PM <DIR> MICROS~1 Microsoft

12/21/2006 02:32 PM <DIR> Skype

09/26/2006 04:49 AM <DIR> SSH

11/28/2006 12:08 AM <DIR> Sun

11/11/2006 05:39 PM <DIR> Winamp

0 File(s) 0 bytes

14 Dir(s) 34,072,334,336 bytes free

Volume in drive C has no label.

Volume Serial Number is 300B-8A9A

 

Directory of C:\Documents and Settings\All Users\Application Data

 

07/05/2007 09:04 PM <DIR> .

07/05/2007 09:04 PM <DIR> ..

01/30/2007 10:43 PM <DIR> Adobe

11/28/2006 12:16 AM <DIR> Babylon

11/11/2006 04:10 PM <DIR> BVRPSO~1 BVRP Software

11/11/2006 04:04 PM <DIR> CYBERL~1 CyberLink

11/28/2006 12:04 AM <DIR> Google

09/26/2006 02:19 AM <DIR> McAfee.com

07/05/2007 08:18 PM <DIR> MICROS~1 Microsoft

09/26/2006 03:13 AM <DIR> NETWOR~1 Network Associates

09/26/2006 03:03 AM <DIR> WINDOW~1 Windows Genuine Advantage

0 File(s) 0 bytes

11 Dir(s) 34,072,334,336 bytes free

--------------------------------------------------------

 

 

HiJackThis Fresh Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 22:02:12, on 05/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Babylon\Babylon.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Dists\HiJackThis\HiJackThis_v2.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE PLEOMAX Web Camera

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159227121856

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 8539 bytes

 

End of Logs


Hi nasdaq,

 

It seems the popups are no more. I think the Defender was the one to remove them.

 

I suspect that since the Defender is capable of destroying these creatures, the original software my son downloaded had first crippled the Defender, then installed its malware.

 

Thanks again for your help.


Nice work, the log is clean.

 

I suspect that Defender does a poor job of deleting these files/folders.

If these folders in bold are still present then delete them.

 

C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\

c:\Documents and Settings\SON\Application Data\file face ooze\

 

=*=

 

Let me know if this .job file is still in the \task folder.

 

C:\WINDOWS\Tasks\AB824F2D919DC381.job

 

If it is then execute this.

 

Download: Microsoft Task Scheduler Command Line Utility from http://mvps.org/winhelp2002/jt.zip

 

Unzip and copy jt.exe to your C:\Windows folder.

 

Open Notepad, copy and paste the text below and "Save As" KillJobs.bat

In the "Save as type" select: All Files

 

@echo off

jt /sd AB824F2D919DC381.job

Copy KillJobs.bat to your C:\Windows folder.

Double-click on "KillJobs.bat"

(when prompted, allow the file to run)

If you need help on "How to Make a .Bat File"

See: http://www.nellie2.co.uk/file.htm

 

=*=

 

Finally, I need to see if this is still in the registry.

 

Download the Registry Search Tool from here:

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

 

Unzip to your Desktop and double click on regsrch.vbs

(if you have script protection, please allow this to run)

 

In the dialog that opens enter the following:

Mpeg Body Log Meal

 

Press 'OK'

 

The search will run for a while then alert you when it is finished.

 

Press 'OK' and copy the contents of the WordPad window and post in this thread.

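For anyone checking a \Tasks folder for leftover jobs like the one above: the .job files seen at the start of this thread show their target path as spaced-out letters in Notepad because the Task Scheduler 1.0 format stores strings as UTF-16LE. The script below is an added example for this thread (not code from the thread or from jt.exe/RegSrch). It parses the fixed 68-byte header of a .job file to locate the application-name section, reads the counted UTF-16LE strings that follow (application, parameters, working directory, author, comment), and flags targets that live in user-writable profile locations such as Documents and Settings / Application Data (including their 8.3 short forms docume~1 and applic~1). The sample job bytes, the path names and the marker list are constructed for the example.

```python
"""Parse Windows Task Scheduler 1.0 .job files and flag suspicious targets.

Added example for this thread; not code from the thread or from any tool
mentioned in it. Layout follows the MS-TSCH JOB file format: a 68-byte
fixed header, then a running-instance count and counted UTF-16LE strings.
"""
import struct
import sys

FIXED_HEADER_LEN = 0x44          # 68 bytes: versions, job UUID, offsets, flags, last run time
APP_NAME_LEN_OFFSET_FIELD = 0x14  # header field holding the offset of the app-name length

# Constructed marker list: substrings of paths that a normal scheduled task
# (Windows Update, AV scans) would not usually launch from. Includes 8.3 short names.
USER_WRITABLE_MARKERS = (
    "documents and settings", "docume~", "application data", "applic~",
    "appdata", "local settings", "locals~", "\\temp\\", "\\tmp\\",
)


def _read_counted_string(data: bytes, pos: int):
    """Read a 2-byte char count (including the NUL) followed by UTF-16LE chars."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if count == 0:
        return "", pos
    raw = data[pos:pos + count * 2]
    if len(raw) != count * 2:
        raise ValueError("truncated string in .job file")
    pos += count * 2
    return raw.decode("utf-16-le").rstrip("\x00"), pos


def parse_job(data: bytes) -> dict:
    """Return the string fields of a .job file as a dict."""
    if len(data) < FIXED_HEADER_LEN + 2:
        raise ValueError("too short to be a .job file")
    (app_name_len_offset,) = struct.unpack_from("<H", data, APP_NAME_LEN_OFFSET_FIELD)
    (running_instances,) = struct.unpack_from("<H", data, FIXED_HEADER_LEN)
    fields = {"running_instances": running_instances}
    pos = app_name_len_offset
    for name in ("application", "parameters", "working_dir", "author", "comment"):
        fields[name], pos = _read_counted_string(data, pos)
    return fields


def is_suspicious_target(path: str) -> bool:
    """True when the launched program sits in a user-writable profile/temp location."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage_job(data: bytes) -> dict:
    """Parse a .job blob and add a 'flagged' verdict for the application path."""
    fields = parse_job(data)
    fields["flagged"] = is_suspicious_target(fields["application"])
    return fields


def _counted_string(s: str) -> bytes:
    """Encode a string the way .job files store it (count includes the NUL)."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def build_sample_job(app: str, params: str = "", workdir: str = "",
                     author: str = "", comment: str = "") -> bytes:
    """Construct a minimal .job blob for testing (constructed sample, no triggers)."""
    header = bytearray(FIXED_HEADER_LEN)
    struct.pack_into("<HH", header, 0, 0x0501, 1)  # product version (XP), file version 1
    struct.pack_into("<H", header, APP_NAME_LEN_OFFSET_FIELD, FIXED_HEADER_LEN + 2)
    body = struct.pack("<H", 0)  # running instance count
    for s in (app, params, workdir, author, comment):
        body += _counted_string(s)
    return bytes(header) + body


if __name__ == "__main__":
    # Usage: python jobtriage.py C:\WINDOWS\Tasks\*.job
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = triage_job(fh.read())
        print(f"{path}: {info['application']} {info['parameters']} "
              f"[{'SUSPICIOUS' if info['flagged'] else 'ok'}]")
```

Run it against the files in C:\WINDOWS\Tasks and compare the printed application path with what you expect a task to launch; a task whose target is under a user's Application Data folder is worth a closer look, as was the case with the job discussed in this thread.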

Regarding the following folders,

 

C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\

C:\Documents and Settings\SON\Application Data\file face ooze\

 

I have already deleted them yesterday.

 

------------------------------------------------------

 

Regarding the job C:\WINDOWS\Tasks\AB824F2D919DC381.job

 

It was gone yesterday. Either the Defender or the deljob has removed it, and it didn't come back again.

 

So, I didn't run jt.exe after all. Nevertheless, am I missing a point, or could I have run it directly from the command line prompt, as in (assuming jt.exe is placed in the current dir or any dir in %PATH%):

 

C> jt /sd AB824F2D919DC381.job

 

------------------------------------------------------

 

Regarding the registry entries, I used regedit to search the entire registry (key, values and data) for the string "Mpeg Body Log Meal", but it didn't find any.

 

Then again, I ran the script RegSrch.vbs and fed it with the string "Mpeg Body Log Meal". The result was:

No instances of "Mpeg Body Log Meal" found

and naturally there was no output to WordPad.


So I guess this case is closed.

 

I will read the suggestions in the link you mentioned; furthermore, I will have my son memorize them.

 

Thank you very much for your kind help.


Glad we could help.


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
