AdultFinder and others POPUPS


  • This topic is locked
11 replies to this topic

#1 aat (Full Member, 7 posts)

Posted 29 June 2007 - 07:41 AM

Hello there,

Some time ago my son gained Administrator rights on his personal account (I am not sure yet how he did that, and he won't tell), and then, downloading some software from the net, infected the family computer.

The main phenomenon we witness is the POPUP menus with AdultFinder and other site advertisements, but it might be that other, more silent creatures entered as well.

We have the McAfee anti-virus which updates every day, and scanning the entire machine it claims not to be able to find any virus. Nevertheless, the machine was infected by other kinds of creatures.

In C:\Windows\tasks there are these files:

C:\WINDOWS\system32>cd ../tasks

C:\WINDOWS\Tasks>dir /a
Volume in drive C has no label.
Volume Serial Number is 300B-8A9A

Directory of C:\WINDOWS\Tasks

04/20/2007 03:34 PM <DIR> .
04/20/2007 03:34 PM <DIR> ..
06/29/2007 03:00 PM 262 AB824F2D919DC381.job
06/03/2007 10:00 AM 350 At1.job
06/03/2007 08:00 PM 350 At2.job
06/03/2007 02:00 PM 350 At3.job
03/31/2003 06:00 AM 65 desktop.ini
06/29/2007 01:56 AM 330 MP Scheduled Scan.job
06/28/2007 09:40 PM 6 SA.DAT
7 File(s) 1,713 bytes
2 Dir(s) 34,136,027,136 bytes free

Using notepad I found that these jobs invoke the following:

AB824F2D919DC381.job -> c:\docume~1\allon\applic~1\filefa~1\knobholephone.exe
At1.job, At2.job and At3.job -> C:\WINDOWS\system32\wunauclt.exe
......... [I could not locate this file in that dir, still I found it in C:\Program Files\wunauclt.exe ]
MP Scheduled Scan.job -> C:\Program Files\Windows Defender\MpCmdRun.exe

I downloaded and installed HiJackThis from
http://www.trendsecu...p?page=download
and here is the log it created:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:40:22, on 29/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Dists\HiJackThis\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE PLEOMAX Web Camera
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Pro Evolution Soccer 6
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1177238915-261903793-839522115-1009\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'tomer')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159227121856
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 9605 bytes

Anybody's ideas before I completely re-format the entire hard disk? :D

Thank you in advance
aat

Edited by aat, 29 June 2007 - 07:44 AM.
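The O4 entries and the .job files in the post above can be triaged mechanically rather than by eye. The following Python script is an added example, not code from the original post, from HijackThis or from any other tool named in this thread. It parses O4 Run-key lines in HijackThis format, pulls the image path out of each value, and flags the patterns a helper scans for: a value that is not an executable path at all, a bare filename resolved through the search path (weak signal, reported as info), an executable dropped directly under Program Files with no vendor folder, and an executable that runs from a user-writable profile or Application Data directory. It also shows the UTF-16LE string extraction that Notepad was doing by accident when the .job files were opened, which is why every path appeared with a space after each character. The sample O4 lines are copied from the log above; the .job bytes are a constructed stand-in carrying wide strings, not the real .job file layout, and the heuristics are this example's own assumptions.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log in the post,
# plus two benign entries (NvCplDaemon, ShStatEXE, Skype) for contrast.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE',
    r'O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Pro Evolution Soccer 6',
    r'O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"',
    r'O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe',
    r'O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized',
]

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
IMAGE_RE = re.compile(r'(.*?\.(?:exe|dll|cpl|scr))(?:\s|$)', re.I)
EXE_EXT = ('.exe', '.dll', '.cpl', '.scr')


def parse_o4(line):
    """Return (hive, value name, image path) for an O4 Run-key line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):                       # quoted image, arguments follow the closing quote
        end = cmd.find('"', 1)
        image = cmd[1:end] if end > 0 else cmd[1:]
    else:                                         # unquoted: take up to the first executable extension
        im = IMAGE_RE.match(cmd)
        image = im.group(1) if im else cmd
    return m.group('hive'), m.group('name'), image


def assess(image):
    """Heuristic reasons an autorun image deserves a look, as (severity, text) pairs."""
    low = image.lower()
    reasons = []
    if not low.endswith(EXE_EXT):
        reasons.append(('high', 'value is not an executable path at all'))
    elif '\\' not in low:
        reasons.append(('info', 'bare filename, resolved through the search path'))
    if re.fullmatch(r'[a-z]:\\program files\\[^\\]+', low):
        reasons.append(('high', 'executable dropped directly under Program Files, no vendor folder'))
    if '\\application data\\' in low or '\\documents and settings\\' in low:
        reasons.append(('high', 'runs from a user-writable profile directory'))
    return reasons


def triage(lines):
    """Parse every O4 line and keep the entries that raised at least one reason."""
    findings = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        _hive, name, image = parsed
        reasons = assess(image)
        if reasons:
            findings.append((name, image, reasons))
    return findings


WIDE_RE = re.compile(rb'(?:[\x20-\x7e]\x00){6,}')


def wide_strings(blob):
    """UTF-16LE printable runs of 6+ characters: the strings Notepad showed with
    a space after every character when the .job files were opened as text."""
    return [m.group().decode('utf-16-le') for m in WIDE_RE.finditer(blob)]


# Constructed stand-in for a .job file: a few header bytes, then the command
# path and the creator name as wide strings.  This is NOT the real .job layout.
SAMPLE_JOB = (b'\x01\x05\x01\x00' + b'\x00' * 16
              + 'C:\\WINDOWS\\system32\\wunauclt.exe'.encode('utf-16-le') + b'\x00\x00'
              + 'At1'.encode('utf-16-le') + b'\x00\x00'
              + 'SYSTEM'.encode('utf-16-le'))


if __name__ == '__main__':
    for name, image, reasons in triage(SAMPLE_O4_LINES):
        for severity, text in reasons:
            print(f'[{severity:4}] [{name}] -> {image}: {text}')
    print(wide_strings(SAMPLE_JOB))
```

On the sample lines the three "high" findings are exactly the three O4 entries the moderator later asks to have fixed (the P2P key, "Windows Services" under Program Files, and the LOP-style "Mpeg Body Log Meal" in Application Data). The bare-filename rule is deliberately only informational: it catches ALCMTR.EXE but also RUNDLL32.EXE, so anything it reports still has to be confirmed on disk before it is removed.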


#2 nasdaq (Global Moderator, 49,081 posts)

Posted 04 July 2007 - 09:55 AM

Hello,

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Find out if you have Netpumper, Bitgrabber or BitRoll installed. If so, uninstall them via Start > Settings > Control Panel > Add/Remove Programs, because they are bundled with the malware you are dealing with (Swizzor, aka Lop).
Also look whether the following are present in Add/Remove Programs and uninstall them:

CiD Help / CiD Manager
Download Plugin for Internet Explorer
Zone Media


If, during uninstall, you are asked for the uninstall verification, please enter the numbers that appear in the window.

Then reboot. Important!

=*=

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum). I will ask for it later.
Disable Microsoft Windows Defender:

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please set your system to show all files;
To delete the files/folders in the next steps, you may need to show hidden Files/Folders: How to.
At the end of the fix you can return the files to hidden status if you want..

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] Pro Evolution Soccer 6
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

Delete these files/folders in bold if found.

File
C:\Program Files\svchosts.exe

Folders
C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\

Restart the computer normally to reset the registry.

Enable Windows Defender.

* Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop
Post the contents of the logfile in your next reply.

Include the contents of the Report.txt from the SDFix.

A fresh Hijackthis log.

Use more than one post if too long for a single post.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 aat (Full Member, 7 posts)

Posted 05 July 2007 - 03:38 PM

Hello nasdaq
Thank you very much for your attention and useful advice and help. Following is a report of the actions I took according to your suggestions, and then the three logs you requested, each in a separate post.

1. add/remove programs
  • None of the programs Netpumper, Bitgrabber or BitRoll was found there.
  • Neither did I see any of:
    • CiD Help / CiD Manager
    • Download Plugin for Internet Explorer
    • Zone Media
  • However I later found a folder named Netpumper somewhere, and deleted it manually.
  • At this time, since no software was deleted, I didn't reboot yet.
2. SDFix
  • I downloaded SDFix, ran SDFix.exe and then in Safe Mode activated the script RunThis.bat.
  • It ran, rebooted and finished.
  • The Report.txt file follows in subsequent post.
  • I looked at the log, and in the last section I found a list of hidden/system files, all of which looked suspicious to me, and I have manually removed them all:
  • C:\Documents and Settings\SON\My Documents\SON\w\Uninstall.exe
  • C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
  • C:\Documents and Settings\SON\Local Settings\Temp\~$RD1106.tmp
  • C:\Program Files\serial.zip
  • C:\Program Files\wunauclt.zip
3. Microsoft Windows Defender
  • Trying to open the program in order to shut down Real-time Protection I got an error that the link points to a missing file ("C:\Program Files\Windows Defender\MSASCui.exe"); I looked at the folder and indeed this file was missing.
  • At that point I decided to use add/remove programs in the control panel to remove the Windows Defender completely, then downloaded the latest version from Microsoft site and installed it.
  • After installation the Defender suggested a quick scan and I accepted.
  • It found 2 malware programs (the log is posted in subsequent post):
    • RemoteAccess:Win32/Cyn
    • Trojan:Win32/C2Lop.C
  • I ordered the defender to remove them both.
  • The Defender was able to remove the second one, but encountered a problem with the first (see the error message in the log). It complained about a file named C:\WINDOWS\user32.exe and suggested I manually remove it.
  • I couldn't find user32.exe in C:\WINDOWS but I found such a file in C:\Program Files, along with some other suspicious programs (not placed in a subfolder as usual, but directly under C:\Program Files).
  • I moved them all to folder C:\quarantine and added .mal to their names.
  • I made a second quick scan and now the defender claimed the machine is clean.
  • Then using the Tools Settings, I temporarily disabled the Real-time protection.
  • Later on (after completing the fix operations) I enabled it back.
4. Hidden/System files/folders
  • I never hide them, so there was nothing to change.
5. HiJackThis
  • I closed all programs and ran HijackThis.
  • Out of the 8 lines suggested for removal I now found only 5, which I checked and let HijackThis fix.
  • The 3 missing lines were:
    • O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
    • O4 - HKLM\..\Run: [Mpeg Body Log Meal] C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe
    • O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing).
  • I think the third one disappeared since after reinstalling the Defender the file MsMpEng.exe was not missing any more.
  • The second line disappeared probably since the Defender itself has fixed this malware as I ordered it (see the log in subsequent post).
  • I do not know why the first line did show at that time.
6. Deleting files
  • I couldn't find a file named C:\Program Files\svchosts.exe (however, as I said before, I found other creatures in C:\Program Files and quarantined them).
  • I don't remember whether I found folder C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\ and deleted it. Nevertheless, now there is no such folder any more.
7. Restart
  • I restarted the computer.
  • And enabled Windows Defender Realtime Protection.
8. Deljob
  • I downloaded Deljob.exe and ran it.
  • The log is posted in a subsequent post.
  • Since I knew the 3 At?.job which deljob didn't remove were also of malware (see my original post), I decided to manually delete them.
  • Currently, the only job left in C:\Windows\tasks is the hidden file named MP Scheduled Scan.job which activates the program C:\Program Files\Windows Defender\MpCmdRun.exe.
9. HiJackThis log
  • I re-run Hijackthis.
  • The log is in subsequent post.

Edited by aat, 05 July 2007 - 03:48 PM.


#4 nasdaq (Global Moderator, 49,081 posts)

Posted 05 July 2007 - 03:45 PM

Looking good. I need to see a fresh HijackThis log and for you to tell me what problems persists.
nasdaq


#5 aat (Full Member, 7 posts)

Posted 05 July 2007 - 04:01 PM

SDFix - Report.txt


SDFix: Version 1.89

Run by USER on Thu 07/05/2007 at 07:09 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\SON\\My Documents\\?\\eMule\\emule.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Documents and Settings\\SON\\My Documents\\?\\aoe\\empires2.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\aoe\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Documents and Settings\\SON\\My Documents\\?\\pes6\\PES6.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\pes6\\PES6.exe:*:Disabled:pes6.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\SON\\My Documents\\?\\TVUPlayer\\TVUPlayer.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\SON\\My Documents\\?\\music\\eMule\\emule.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\music\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Documents and Settings\\SON\\My Documents\\?\\SopCast\\SopCast.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\SON\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\SON\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Documents and Settings\\SON\\My Documents\\?\\worms\\WF.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\worms\\WF.exe:*:Enabled:WF"
"C:\\Documents and Settings\\SON\\My Documents\\?\\multy\\emule.exe"="C:\\Documents and Settings\\SON\\My Documents\\?\\multy\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Documents and Settings\SON\My Documents\SON\w\Uninstall.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\SON\Local Settings\Temp\~$RD1106.tmp
C:\Program Files\serial.zip
C:\Program Files\wunauclt.zip


Finished



Windows Defender Scan Log

RemoteAccess:Win32/Cyn
--------------------------
Category:
Backdoor

Description:
This program has potentially unwanted behavior.

Advice:
Remove this software immediately.

Resources:
file:
C:\WINDOWS\user32.exe

View more information about this item online
------------------------------------------------------

Error encountered:
Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.


================================================

Trojan:Win32/C2Lop.C
-----------------------------
Category:
Trojan

Description:
This program monitors user information, such as Web browsing habits.

Advice:
Remove this software immediately.

Resources:
regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Mpeg Body Log Meal

regkey:
HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EachIsoAxis

regkey:
HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\bags view

runkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Mpeg Body Log Meal

runkey:
HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\bags view

uninstall:
HKCU@S-1-5-21-1177238915-261903793-839522115-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EachIsoAxis

file:
C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\greygram.exe

file:
c:\Documents and Settings\SON\Application Data\file face ooze\knobholephone.exe

file:
C:\WINDOWS\Tasks\AB824F2D919DC381.job

file:
C:\Documents and Settings\SON\Application Data\file face ooze\BOOBTHIRD.exe

taskscheduler:
C:\WINDOWS\Tasks\AB824F2D919DC381.job

View more information about this item online


Deljob logit.txt

--------------------------------------------------------
No LOP jobs found
--------------------------------------------------------
Files remaining after cleaning

At1.job
At2.job
At3.job
MP Scheduled Scan.job
--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is 300B-8A9A

Directory of C:\Documents and Settings\USER\Application Data

11/28/2006 12:14 AM <DIR> .
11/28/2006 12:14 AM <DIR> ..
11/28/2006 08:44 PM <DIR> Adobe
11/28/2006 08:44 PM <DIR> AdobeUM
11/28/2006 12:16 AM <DIR> Babylon
11/28/2006 12:06 AM <DIR> Google
09/26/2006 04:16 AM <DIR> ICQLite
09/26/2006 02:03 AM <DIR> IDENTI~1 Identities
09/26/2006 04:09 AM <DIR> MACROM~1 Macromedia
11/28/2006 08:40 PM <DIR> MICROS~1 Microsoft
12/21/2006 02:32 PM <DIR> Skype
09/26/2006 04:49 AM <DIR> SSH
11/28/2006 12:08 AM <DIR> Sun
11/11/2006 05:39 PM <DIR> Winamp
0 File(s) 0 bytes
14 Dir(s) 34,072,334,336 bytes free
Volume in drive C has no label.
Volume Serial Number is 300B-8A9A

Directory of C:\Documents and Settings\All Users\Application Data

07/05/2007 09:04 PM <DIR> .
07/05/2007 09:04 PM <DIR> ..
01/30/2007 10:43 PM <DIR> Adobe
11/28/2006 12:16 AM <DIR> Babylon
11/11/2006 04:10 PM <DIR> BVRPSO~1 BVRP Software
11/11/2006 04:04 PM <DIR> CYBERL~1 CyberLink
11/28/2006 12:04 AM <DIR> Google
09/26/2006 02:19 AM <DIR> McAfee.com
07/05/2007 08:18 PM <DIR> MICROS~1 Microsoft
09/26/2006 03:13 AM <DIR> NETWOR~1 Network Associates
09/26/2006 03:03 AM <DIR> WINDOW~1 Windows Genuine Advantage
0 File(s) 0 bytes
11 Dir(s) 34,072,334,336 bytes free
--------------------------------------------------------


HiJackThis Fresh Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:02:12, on 05/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dists\HiJackThis\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE PLEOMAX Web Camera
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159227121856
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8539 bytes

End of Logs

#6 aat (Full Member, 7 posts)

Posted 05 July 2007 - 04:06 PM

Hi nasdaq,

It seems the POPUPs are no more. I think the Defender was the one to remove them.

I suspect that since the Defender is capable of destroying these creatures, the original software my son downloaded had first crippled the Defender, then installed its malware.

Thanks again for your help.

#7 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 06 July 2007 - 07:16 AM

Nice work, the log is clean.

I suspect that Defender does a poor job of deleting these files/folders.
If these folders in bold are still present, then delete them.

C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\
c:\Documents and Settings\SON\Application Data\file face ooze\

=*=

Let me know if this .job file is still in the \task folder.

C:\WINDOWS\Tasks\AB824F2D919DC381.job

If it is then execute this.

Download: Microsoft Task Scheduler Command Line Utility from http://mvps.org/winhelp2002/jt.zip

Unzip and copy jt.exe to your C:\Windows folder.

Open Notepad, copy and paste the text below and "Save As" KillJobs.bat
In the "Save as type" select: All Files

@echo off
jt /sd AB824F2D919DC381.job

Copy KillJobs.bat to your C:\Windows folder.
Double-click on "KillJobs.bat"
(when prompted, allow the file to run)
If you need help on "How to Make a .Bat File"
See: http://www.nellie2.co.uk/file.htm

=*=

Finally, I need to see if this is still in the registry.

Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
Mpeg Body Log Meal

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
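The spaced-out characters aat saw in Notepad are the UTF-16 text inside each .job file, and the three checks that run through this thread (where the target lives, whether its name imitates a real system binary such as wuauclt.exe, and whether the job name is a random hex string) can be automated for the whole Tasks folder. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It reads the string section of a Task Scheduler 1.0 .job file by the layout in Microsoft's MS-TSCH specification (68-byte fixed header, then length-prefixed UTF-16LE strings starting at the offset the header stores in its "App Name Len Offset" field). The trusted-path list, the list of well-known binary names and the build_job helper that fabricates sample files are assumptions made for the example; the three sample job targets are the ones aat posted.

```python
"""Triage Task Scheduler 1.0 .job files: extract the command each job runs and apply
the checks from this thread.  Added example; layout per MS-TSCH, lists are assumptions."""
import struct
from pathlib import Path, PureWindowsPath

FIXED_HEADER_LEN = 68          # size of the fixed header (FIXDLEN_DATA)
APP_NAME_OFFSET_FIELD = 0x14   # 2-byte header field: offset of the application-name length
# Assumptions for triage: where task targets normally live on this XP box, and well-known
# binary names that malware likes to imitate (the thread shows wunauclt.exe vs wuauclt.exe).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
KNOWN_SYSTEM_BINARIES = ("wuauclt.exe", "svchost.exe", "lsass.exe", "services.exe",
                         "winlogon.exe", "explorer.exe", "ctfmon.exe")

def _read_ustring(data: bytes, pos: int):
    """Length-prefixed UTF-16LE string: 2-byte char count (incl. NUL), then the chars."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    text = data[pos:pos + 2 * count].decode("utf-16-le").rstrip("\x00")
    return text, pos + 2 * count

def parse_job(data: bytes) -> dict:
    """Return the variable-length string fields of a .job file."""
    if len(data) < FIXED_HEADER_LEN + 2:
        raise ValueError("too short to be a .job file")
    (pos,) = struct.unpack_from("<H", data, APP_NAME_OFFSET_FIELD)
    fields = {}
    for name in ("application", "parameters", "working_dir", "author", "comment"):
        fields[name], pos = _read_ustring(data, pos)
    return fields

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(job_name: str, application: str) -> list:
    """Heuristic findings for one job; an empty list means nothing stood out."""
    flags = []
    app = application.lower()
    base = PureWindowsPath(app).name
    if not app.startswith(TRUSTED_PREFIXES):
        flags.append("target outside Windows/Program Files: " + application)
    for known in KNOWN_SYSTEM_BINARIES:
        if base != known and _edit_distance(base, known) == 1:
            flags.append(f"look-alike name {base!r} resembles {known!r}")
    stem = job_name[:-4] if job_name.lower().endswith(".job") else job_name
    if len(stem) == 16 and all(c in "0123456789abcdefABCDEF" for c in stem):
        flags.append("random-looking hexadecimal job name: " + job_name)
    return flags

def scan_tasks_dir(tasks_dir: str) -> dict:
    """Parse and triage every .job in a real Tasks folder (e.g. C:\\WINDOWS\\Tasks)."""
    findings = {}
    for job in Path(tasks_dir).glob("*.job"):
        try:
            fields = parse_job(job.read_bytes())
        except (ValueError, struct.error, UnicodeDecodeError):
            findings[job.name] = ["could not parse"]
            continue
        findings[job.name] = triage(job.name, fields["application"])
    return findings

def build_job(application: str, parameters: str = "", working_dir: str = "",
              author: str = "", comment: str = "") -> bytes:
    """Constructed test data: a minimal .job blob in the MS-TSCH layout (no triggers)."""
    header = bytearray(FIXED_HEADER_LEN)
    struct.pack_into("<H", header, APP_NAME_OFFSET_FIELD, FIXED_HEADER_LEN + 2)
    body = struct.pack("<H", 0)                      # running instance count
    for s in (application, parameters, working_dir, author, comment):
        if s:
            body += struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")
        else:
            body += struct.pack("<H", 0)
    body += struct.pack("<HHH", 0, 0, 0)             # user data, reserved data, trigger count
    return bytes(header) + body

def demo() -> dict:
    """Rebuild the three jobs aat found (targets as posted in the thread) and triage them."""
    samples = {
        "AB824F2D919DC381.job": r"c:\docume~1\allon\applic~1\filefa~1\knobholephone.exe",
        "At1.job": r"C:\WINDOWS\system32\wunauclt.exe",
        "MP Scheduled Scan.job": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
    }
    return {name: triage(name, parse_job(build_job(target))["application"])
            for name, target in samples.items()}

if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, "->", flags or ["no findings"])
```

On a real machine, scan_tasks_dir(r"C:\WINDOWS\Tasks") does the same over the actual folder. The script only reads; removing a job is still the jt /sd step nasdaq gives above. The look-alike check is deliberately narrow (one character of difference from a short list of names), so it complements rather than replaces checking whether the target file really exists where the job says it does, as aat did for wunauclt.exe.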

#8 aat (Full Member, 7 posts)

Posted 06 July 2007 - 05:12 PM

Regarding the following folders,


C:\Documents and Settings\All Users\Application Data\HideAntiMpegBody\
C:\Documents and Settings\SON\Application Data\file face ooze\


I have already deleted them yesterday.

------------------------------------------------------

Regarding the job C:\WINDOWS\Tasks\AB824F2D919DC381.job

It was gone yesterday. Either the Defender or the deljob has removed it, and it didn't come back again.

So, I didn't run jt.exe after all. Nevertheless, am I missing a point, or could I have run it directly from the command line prompt, as in (assuming jt.exe is placed in the current dir or any dir in %PATH%):

C>jt /sd AB824F2D919DC381.job


------------------------------------------------------

Regarding the registry entries, I used regedit to search the entire registry (key, values and data) for the string "Mpeg Body Log Meal", but it didn't find any.

Then again, I ran the script RegSrch.vbs and fed it with the string "Mpeg Body Log Meal". The result was:

No instances of "Mpeg Body Log Meal" found

and naturally there was no output to WordPad.

#9 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 07 July 2007 - 07:07 AM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html

#10 aat (Full Member, 7 posts)

Posted 08 July 2007 - 05:09 AM

So I guess this case is closed.

I will read the suggestions in the link you mentioned; furthermore, I will have my son memorize them.

Thank you very much for your kind help.

#11 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 08 July 2007 - 07:30 AM

Glad we could help.

#12 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 20 July 2007 - 08:02 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
