Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Please Help


  • This topic is locked This topic is locked
8 replies to this topic

#1 vasa

vasa

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 25 November 2007 - 05:21 PM

I was just downloading music on limewire and next this I know my computer has pop up like crazy, Please help me

Logfile of HijackThis v1.99.1
Scan saved at 5:20:53 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Owner\Desktop\Cheese\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=22028
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {38754bc7-4e9e-0eea-b3a4-de483f0c1158} - {8511c0f3-84ed-4a3b-aee0-e9e47cb45783} - C:\WINDOWS\system32\tclgnqwp.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [80139378] rundll32.exe "C:\WINDOWS\system32\vffsrwac.dll",b
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/pcpitstop.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181176228599
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: fccywxv - fccywxv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: irrsqxfi - irrsqxfi.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    Advertisements

Register to Remove


#2 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 27 November 2007 - 03:17 PM

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

  • All hijackthis logs I ask for should be done in normal mode ( not safe mode)
  • These logs should be done last after you have followed my instructions in the previous post.



Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!



To help avoid this again lets update java first.
Then we will kill it.


You need to update SunJava for security reasons.
Updating Java:
Download the latest version of Java from
Java Updates

Your looking for
(JRE) update 3

  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3
    ... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe
    to install the newest version.


_______________________________________

I see that you have msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type or copy msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. When it asks to restart please do so.

You can reset them again later after I tell you your all clean. But for now leave them running.


________________________________________




1. Download Combo fix from one of these locations. ( Please save it to your desktop )
http://www.techsuppo...Bs/ComboFix.exe
http://download.blee...Bs/ComboFix.exe

combofix.exe

2.Close all open windows
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply . (c:\comboFix.txt)

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix

Edited by bob4, 27 November 2007 - 03:18 PM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#3 vasa

vasa

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 27 November 2007 - 06:18 PM

Thankyou so much for your help so far I appreciate it so much.


ComboFix 07-11-19.4 - Owner 2007-11-27 18:02:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.251 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 17:55 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-27 17:53 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-25 15:46 83,085 --a------ C:\WINDOWS\system32\oliyktns.dll
2007-11-25 14:40 78,705 --a------ C:\WINDOWS\system32\refmqbaa.dll
2007-11-20 13:25 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-19 21:44 810,333 ---hs---- C:\WINDOWS\system32\cawrsffv.ini
2007-11-18 21:44 83,085 --a------ C:\WINDOWS\system32\knnlsccl.dll
2007-11-18 01:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-18 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-17 21:36 677,920 --ahs---- C:\WINDOWS\system32\wykngwhi.ini
2007-11-17 21:35 84,545 --a------ C:\WINDOWS\system32\ihwgnkyw.dll
2007-11-16 21:36 84,545 --a------ C:\WINDOWS\system32\oylexnxt.dll
2007-11-16 21:27 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-16 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 22:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-14 22:22 79,424 --a------ C:\WINDOWS\system32\aqekgcyu.dll
2007-11-14 22:20 672,687 --ahs---- C:\WINDOWS\system32\eewatbmo.ini
2007-11-14 22:05 672,910 --ahs---- C:\WINDOWS\system32\mpjaasel.ini
2007-11-14 16:47 79,424 --a------ C:\WINDOWS\system32\lyagprss.dll
2007-11-14 16:44 671,205 --ahs---- C:\WINDOWS\system32\wdyxacfq.ini
2007-11-13 17:06 669,122 --ahs---- C:\WINDOWS\system32\qwdifpwy.ini
2007-11-13 16:37 <DIR> d-------- C:\Program Files\PCPitstop
2007-11-13 16:04 673,061 --ahs---- C:\WINDOWS\system32\bxccobfs.ini
2007-11-11 19:39 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-10 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Turbine
2007-11-10 13:15 <DIR> d-------- C:\Program Files\Turbine
2007-11-10 09:22 584,615 --ahs---- C:\WINDOWS\system32\dswlccey.ini
2007-11-10 09:21 81,472 --a------ C:\WINDOWS\system32\ojgrdrst.dll
2007-11-09 04:14 294 --ahs---- C:\WINDOWS\system32\cmfulpob.ini
2007-11-09 04:11 77,888 --a------ C:\WINDOWS\system32\beiaopag.dll
2007-11-08 18:55 164 --a------ C:\install.dat
2007-11-07 15:57 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-11-07 15:57 <DIR> d-------- C:\Temp\mZOr
2007-11-07 15:57 <DIR> d-------- C:\Temp
2007-10-29 06:52 <DIR> d-------- C:\Program Files\War2Combat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 23:55 --------- d-----w C:\Program Files\Java
2007-11-27 23:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-27 23:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-25 21:43 79,936 ----a-w C:\WINDOWS\system32\tclgnqwp.dll
2007-11-25 20:46 79,936 ----a-w C:\WINDOWS\system32\uvykanon.dll
2007-11-20 19:27 --------- d-----w C:\Program Files\QuickTime
2007-11-20 03:44 84,545 ----a-w C:\WINDOWS\system32\vffsrwac.dll
2007-11-16 04:56 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-15 04:08 79,424 ----a-w C:\WINDOWS\system32\tiffqxvj.dll
2007-11-12 02:23 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-10 22:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 18:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-09 02:44 --------- d-----w C:\Program Files\MorpheusBar
2007-11-09 02:44 --------- d-----w C:\Program Files\Google
2007-11-08 01:15 --------- d-----w C:\Program Files\Warcraft III
2007-11-07 22:15 --------- d-----w C:\Program Files\LimeWire
2007-11-07 22:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-07 21:59 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-10 08:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-10-05 02:20 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8511c0f3-84ed-4a3b-aee0-e9e47cb45783}]
2007-11-25 15:43 79936 --a------ C:\WINDOWS\system32\tclgnqwp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"80139378"="C:\WINDOWS\system32\vffsrwac.dll" [2007-11-19 21:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccywxv]
fccywxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\irrsqxfi]
irrsqxfi.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 23:28:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-17 02:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 18:04:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 18:05:54
C:\ComboFix2.txt ... 2007-11-25 16:07
C:\ComboFix3.txt ... 2007-11-11 13:35
.
--- E O F ---






Logfile of HijackThis v1.99.1
Scan saved at 6:18:42 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\Cheese\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=22028
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {38754bc7-4e9e-0eea-b3a4-de483f0c1158} - {8511c0f3-84ed-4a3b-aee0-e9e47cb45783} - C:\WINDOWS\system32\tclgnqwp.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [80139378] rundll32.exe "C:\WINDOWS\system32\vffsrwac.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/pcpitstop.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181176228599
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: fccywxv - fccywxv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: irrsqxfi - irrsqxfi.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#4 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 27 November 2007 - 07:37 PM

Don't use limewire at all while we are working on your computer.
Don't use anything you have downloaded untill we have you clean.

After we are all clean you should reconsider ever using it. It's not the program itself it's what you download that's infected.
I see way to many people here with a peer to peer program (such as lime wire or others) that are seriously infected.
Your not to serious this time but next time could be different.
Please keep that in mind.



______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {38754bc7-4e9e-0eea-b3a4-de483f0c1158} - {8511c0f3-84ed-4a3b-aee0-e9e47cb45783} - C:\WINDOWS\system32\tclgnqwp.dll
O4 - HKLM\..\Run: [80139378] rundll32.exe "C:\WINDOWS\system32\vffsrwac.dll",b
O20 - Winlogon Notify: fccywxv - fccywxv.dll (file missing)
O20 - Winlogon Notify: irrsqxfi - irrsqxfi.dll (file missing)



________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vffsrwac.dll
C:\WINDOWS\system32\oliyktns.dll
C:\WINDOWS\system32\refmqbaa.dll
C:\WINDOWS\system32\cawrsffv.ini
C:\WINDOWS\system32\knnlsccl.dll
C:\WINDOWS\system32\wykngwhi.ini
C:\WINDOWS\system32\ihwgnkyw.dll
C:\WINDOWS\system32\oylexnxt.dll
C:\WINDOWS\system32\aqekgcyu.dll
C:\WINDOWS\system32\eewatbmo.ini
C:\WINDOWS\system32\mpjaasel.ini
C:\WINDOWS\system32\lyagprss.dll
C:\WINDOWS\system32\wdyxacfq.ini
C:\WINDOWS\system32\qwdifpwy.ini
C:\WINDOWS\system32\bxccobfs.ini
C:\WINDOWS\system32\dswlccey.ini
C:\WINDOWS\system32\ojgrdrst.dll
C:\WINDOWS\system32\cmfulpob.ini
C:\WINDOWS\system32\beiaopag.dll
C:\install.dat
C:\WINDOWS\system32\tclgnqwp.dll
C:\WINDOWS\system32\uvykanon.dll
C:\WINDOWS\system32\vffsrwac.dll
C:\WINDOWS\system32\tiffqxvj.dll

Folder::
C:\Temp\mZOr
C:\WINDOWS\system32\Mz18r



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.

______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Registry function to clean anything with this program. Having anything auto clean your regisrty is risky).


_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer


The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.


_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Kasperskys
  • The report from Combo Fix

Edited by bob4, 27 November 2007 - 07:38 PM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#5 vasa

vasa

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 28 November 2007 - 07:43 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:42:07 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Cheese\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=22028
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/pcpitstop.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181176228599
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe








ComboFix 07-11-19.4 - Owner 2007-11-27 21:56:22.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.235 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\install.dat
C:\WINDOWS\system32\aqekgcyu.dll
C:\WINDOWS\system32\beiaopag.dll
C:\WINDOWS\system32\bxccobfs.ini
C:\WINDOWS\system32\cawrsffv.ini
C:\WINDOWS\system32\cmfulpob.ini
C:\WINDOWS\system32\dswlccey.ini
C:\WINDOWS\system32\eewatbmo.ini
C:\WINDOWS\system32\ihwgnkyw.dll
C:\WINDOWS\system32\knnlsccl.dll
C:\WINDOWS\system32\lyagprss.dll
C:\WINDOWS\system32\mpjaasel.ini
C:\WINDOWS\system32\ojgrdrst.dll
C:\WINDOWS\system32\oliyktns.dll
C:\WINDOWS\system32\oylexnxt.dll
C:\WINDOWS\system32\qwdifpwy.ini
C:\WINDOWS\system32\refmqbaa.dll
C:\WINDOWS\system32\tclgnqwp.dll
C:\WINDOWS\system32\tiffqxvj.dll
C:\WINDOWS\system32\uvykanon.dll
C:\WINDOWS\system32\vffsrwac.dll
C:\WINDOWS\system32\wdyxacfq.ini
C:\WINDOWS\system32\wykngwhi.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.dat
C:\Temp\mZOr
C:\WINDOWS\system32\aqekgcyu.dll
C:\WINDOWS\system32\beiaopag.dll
C:\WINDOWS\system32\bxccobfs.ini
C:\WINDOWS\system32\cawrsffv.ini
C:\WINDOWS\system32\cmfulpob.ini
C:\WINDOWS\system32\dswlccey.ini
C:\WINDOWS\system32\eewatbmo.ini
C:\WINDOWS\system32\ihwgnkyw.dll
C:\WINDOWS\system32\knnlsccl.dll
C:\WINDOWS\system32\lyagprss.dll
C:\WINDOWS\system32\mpjaasel.ini
C:\WINDOWS\system32\Mz18r
C:\WINDOWS\system32\ojgrdrst.dll
C:\WINDOWS\system32\oliyktns.dll
C:\WINDOWS\system32\oylexnxt.dll
C:\WINDOWS\system32\qwdifpwy.ini
C:\WINDOWS\system32\refmqbaa.dll
C:\WINDOWS\system32\tclgnqwp.dll
C:\WINDOWS\system32\tiffqxvj.dll
C:\WINDOWS\system32\uvykanon.dll
C:\WINDOWS\system32\vffsrwac.dll
C:\WINDOWS\system32\wdyxacfq.ini
C:\WINDOWS\system32\wykngwhi.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 17:55 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-27 17:53 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-20 13:25 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-18 01:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-18 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 21:37 677,998 --ahs---- C:\WINDOWS\system32\txnxelyo.ini
2007-11-16 21:27 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-16 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 22:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-13 16:37 <DIR> d-------- C:\Program Files\PCPitstop
2007-11-12 19:30 2,886 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-11 19:39 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-10 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Turbine
2007-11-10 13:15 <DIR> d-------- C:\Program Files\Turbine
2007-11-08 04:15 569,981 --ahs---- C:\WINDOWS\system32\tdviwxml.ini
2007-11-07 15:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-07 15:57 <DIR> d-------- C:\Temp
2007-10-29 06:52 <DIR> d-------- C:\Program Files\War2Combat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-27 23:55 --------- d-----w C:\Program Files\Java
2007-11-27 23:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-20 19:27 --------- d-----w C:\Program Files\QuickTime
2007-11-16 04:56 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-12 02:23 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-10 22:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 18:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-09 02:44 --------- d-----w C:\Program Files\MorpheusBar
2007-11-09 02:44 --------- d-----w C:\Program Files\Google
2007-11-08 01:15 --------- d-----w C:\Program Files\Warcraft III
2007-11-07 22:15 --------- d-----w C:\Program Files\LimeWire
2007-11-07 22:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-10 08:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-10-05 02:20 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 23:28:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-17 02:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 22:06:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-27 22:09:12 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 18:05
C:\ComboFix3.txt ... 2007-11-25 16:07
.
--- E O F ---










KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 28, 2007 7:40:07 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/11/2007
Kaspersky Anti-Virus database records: 467458


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 34160
Number of viruses found 4
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 01:09:36

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-27_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\43F63F50.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\95377E5D.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\ihwgnkyw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\knnlsccl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\ojgrdrst.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.i skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\oliyktns.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\oylexnxt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\refmqbaa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\vffsrwac.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\A0035192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\A0035193.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\A0035196.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.i skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\A0035197.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\A0035198.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\A0035200.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\A0035204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{CA39A44E-8F5A-4352-965E-B824069FB966}\RP196\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{EC614FAB-4B86-4978-9706-EA0F7682F945}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 28 November 2007 - 03:57 PM

It's bundled with adware.
________________________________

Go to
Start/control panel/add remove programs ;
And Uninstall

Morpheus toolbar It's bundled with adware.

Then navigate to C:\Program Files\MorpheusBar and delete this folder and all it's contents.



________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\txnxelyo.ini
C:\WINDOWS\system32\tdviwxml.ini



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.

_________________________________________

Please post the combo fix log.

Let me know how things seem to be running.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#7 vasa

vasa

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 28 November 2007 - 08:07 PM

Well my computer is running really well now. All of the symptoms are gone now too. My internet doesnt lower the privacy to "Accept All Cookies" anymore. Also Id like to thankyou for all your help



ComboFix 07-11-19.4 - Owner 2007-11-28 18:10:41.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.262 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\tdviwxml.ini
C:\WINDOWS\system32\txnxelyo.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\tdviwxml.ini
C:\WINDOWS\system32\txnxelyo.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-27 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-27 22:16 <DIR> d-------- C:\Program Files\CCleaner
2007-11-27 17:55 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-27 17:53 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-20 13:25 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-18 01:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-18 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 21:27 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-16 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 16:37 <DIR> d-------- C:\Program Files\PCPitstop
2007-11-12 19:30 2,886 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-10 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Turbine
2007-11-10 13:15 <DIR> d-------- C:\Program Files\Turbine
2007-11-07 15:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-07 15:57 <DIR> d-------- C:\Temp
2007-10-29 06:52 <DIR> d-------- C:\Program Files\War2Combat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 23:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-28 22:57 --------- d-----w C:\Program Files\Warcraft III
2007-11-27 23:55 --------- d-----w C:\Program Files\Java
2007-11-20 19:27 --------- d-----w C:\Program Files\QuickTime
2007-11-16 04:56 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-12 02:23 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-10 22:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 18:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-09 02:44 --------- d-----w C:\Program Files\Google
2007-11-07 22:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-10-25 16:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-10 08:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-10-05 02:20 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_18.05.03.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 23:28:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-17 02:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 18:13:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 18:13:59
C:\ComboFix2.txt ... 2007-11-27 22:09
C:\ComboFix3.txt ... 2007-11-27 18:05
.
--- E O F ---

#8 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 29 November 2007 - 05:52 AM

Great news ! Posted Image
Your log now appears to be clean.

Lets do a few things to tidy up.
Please do these in the order I suggest!


__________________________________________
Go to start > run and copy and paste this in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the
system/hidden files and resets System Restore again.










A few things to help with possible threats

These are optional . But will help protect you further.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.




___________________________________
Download and keep this updated and run weekly if you don't already have it.

spybot seach & destroy
Tutorial




___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.


Here's a site with great advise on how to AVOID malware. Much easier to do than removing it.


___________________________________
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you do not have to be registered to post.. just find your country room and register your complaint.
The infections you had was Vundo

Safe and Happy Surfing. :)

Edited by bob4, 29 November 2007 - 05:53 AM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#9 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,205 posts

Posted 02 December 2007 - 04:06 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users