Vundo/malware Infection


24 replies to this topic

#1 knifley
Posted 13 August 2007 - 08:40 AM

Here's part of my problem: my dial-up connects but Internet Explorer will not work. Any page I attempt to go to results in the message "Internet Explorer cannot open search page". Also, Spybot and HijackThis keep shutting down before I can run them. Even after I renamed HJT to Analyze.exe, I had to rename the log file to analyze.txt just to open it. I performed steps 1, 2, 3, 4, 5 (Norton's 2004 & SUPERAntiSpyware), 7, and 9.
When my computer starts up I get 2 error messages: ccApp: ccApp.exe Unable to locate component "This application has failed b/c mwsock.dll was not found. Reinstalling may fix this problem." and Symantec ccApp "A necessary component for this function is missing or damaged: C:\Progra~1\Common~1\symant~1\ccemlpxy.dll".
When going into Add/Remove Windows Files I get sysocmgr.exe - ordinal not found "The ordinal 1118 could not be located in the dynamic link library wsock32.dll" and Windows XP Setup "Setup library iis.dll could not be loaded or function OcEntry could not be found. Specific error code 0xb6."
I also did a ping test and I am 4 out of 4, so I am connected. I also downloaded and tried to do a winsock fix but it didn't work.
Hope that helps! Here is my scan:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:01 AM, on 8/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\analyze.exe\analyze.exe\analyze.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\jazcrilc.dll
O2 - BHO: H - {75CBC5CA-AEDD-4280-A514-5CB78796D3C7} - geroez1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\AmandaLong\xrt_thwf.exe
O4 - HKUS\S-1-5-18\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\wbem\scrcons32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\wbem\scrcons32.exe (User 'Default user')
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mswsock.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifdcaa - iifdcaa.dll (file missing)
O20 - Winlogon Notify: sysfldr - sysfldr.dll (file missing)
O20 - Winlogon Notify: xxyxwuu - xxyxwuu.dll (file missing)
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\jazcrilc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: ipv7 - Unknown owner - C:\WINDOWS\ipv7.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Windows Protocol Deployment Manager (PDM) - Unknown owner - C:\WINDOWS\system32\1.tmp (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINDOWS\system\system.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: Windows Process Sevices - Unknown owner - C:\WINDOWS\System32\dllcache\prsc32.exe (file missing)
O23 - Service: Windows Service Monitor (winsvcmon) - Unknown owner - C:\WINDOWS\System32\winsvcmon.exe (file missing)

--
End of file - 5648 bytes
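As an added example (not code from this thread, from BleepingComputer, HijackThis or SDFix), the script below applies the checks a log helper makes by eye when reading a HijackThis log like the one above: entries whose file is already gone, a damaged Winsock LSP chain (O10), a Download Program Files entry pulled in through the ms-its handler (O16), services with an owner that is not a known publisher (O23), a nameless BHO (O2), autostarts given as a bare filename, and binaries dropped straight into the Windows root or a user's profile root. The sample log is a subset of lines copied from the log posted above; the KNOWN_OWNERS allow-list and every heuristic are this example's own assumptions, not rules from the tool.

```python
"""Triage a HijackThis (HJT) log the way a log helper reads it by eye.

Added example for this thread; not code from BleepingComputer, HijackThis or
SDFix. The heuristics and the KNOWN_OWNERS allow-list are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O23"
    reason: str   # why the line deserves a second look
    line: str     # the log line itself


# Publisher strings HJT prints in O23 "Service:" lines for the vendors present
# on this machine. Constructed allow-list; "Unknown owner" and anything else
# not listed is flagged.
KNOWN_OWNERS = {"Symantec Corporation", "Sygate Technologies, Inc.", "PCtel, Inc."}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# A .dll/.exe sitting directly in C:\WINDOWS (no subdirectory).
WINDOWS_ROOT_RE = re.compile(r'^"?c:\\windows\\[^\\]+\.(?:dll|exe)\b', re.IGNORECASE)
# An .exe sitting directly in a user's profile root.
PROFILE_ROOT_RE = re.compile(r'^"?c:\\documents and settings\\[^\\]+\\[^\\]+\.exe\b', re.IGNORECASE)


def _path_of(section, body):
    """Pull the file path out of an entry body, using each section's layout."""
    if section == "O4":
        # O4 - HKxx\..\Run: [name] path [args] (User '...')
        m = re.search(r"\] (.*?)(?: \(User '[^']*'\))?$", body)
        return m.group(1) if m else ""
    if section in ("O2", "O20", "O22"):
        return body.rsplit(" - ", 1)[-1]   # "... - {CLSID} - path"
    if section == "O23":
        return body.rsplit(" - ", 2)[-1]   # "Service: name - owner - path"
    return ""


def _owner_of(body):
    """Owner field of an O23 body, or "" when the layout does not match."""
    parts = body.rsplit(" - ", 2)
    return parts[1] if len(parts) == 3 else ""


def triage(log_text):
    """Return a Finding for every HJT entry that trips one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank line
        section, body = m.groups()
        path = _path_of(section, body)
        reason = None
        if "(file missing)" in body:
            reason = "points at a file that is gone: orphaned autostart, usually a removal leftover"
        elif section == "O10":
            reason = "Winsock LSP chain is broken; explains a browser that fails while ping works"
        elif section == "O16" and "ms-its:" in body.lower():
            reason = "Download Program Files entry loaded through the ms-its/mhtml handler"
        elif section == "O23" and _owner_of(body) not in KNOWN_OWNERS:
            reason = f"service owner '{_owner_of(body)}' is not on the publisher allow-list"
        elif section == "O2" and "(no name)" in body:
            reason = "browser helper object registered without a name"
        elif path and "\\" not in path.split()[0]:
            reason = "autostart given as a bare filename, resolved through the search path"
        elif WINDOWS_ROOT_RE.match(path):
            reason = "binary dropped directly into the Windows root"
        elif PROFILE_ROOT_RE.match(path):
            reason = "binary dropped directly into a user profile root"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def summary(findings):
    """Count findings per HJT section for a quick overview."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\jazcrilc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\AmandaLong\xrt_thwf.exe
O4 - HKUS\S-1-5-18\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mswsock.dll' missing
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: iifdcaa - iifdcaa.dll (file missing)
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\jazcrilc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the sample it flags eight lines (one O2, two O4, the O10, the O16, the O20, the O22 and one O23) and leaves the Symantec and PCTEL entries alone. It is a triage aid, not a verdict: the NSecurity.exe autostart under System32 that runs for SYSTEM is not caught by any of these path heuristics, which is exactly the kind of entry a helper cross-checks against the removal tool's own report (the SDFix "Checking Services" list later in this thread) and a file lookup.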

#2 RichieUK (Malware Assassin, Malware Response Team)

Posted 13 August 2007 - 08:49 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, knifley :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#3 knifley (Topic Starter)

Posted 14 August 2007 - 07:58 AM

SDFix: Version 1.98

Run by Administrator on Mon 08/13/2007 at 05:51 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
dllmgr64
PDM
sysmgr64
SYSTEMSVC
Windows Process Sevices
winsvcmon

ImagePath:
"C:\WINDOWS\dllmgr64.exe"
C:\WINDOWS\system32\1.tmp
"C:\WINDOWS\sysmgr64.exe"
"C:\WINDOWS\system\system.exe"
"C:\WINDOWS\System32\dllcache\prsc32.exe"
C:\WINDOWS\System32\winsvcmon.exe

dllmgr64 - Deleted
PDM - Deleted
sysmgr64 - Deleted
SYSTEMSVC - Deleted
Windows Process Sevices - Deleted
winsvcmon - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system\msdll.exe - Deleted
C:\WINDOWS\system32\dllcache\ivchost.exe - Deleted
C:\WINDOWS\system32\TFTP456 - Deleted
C:\WINDOWS\system32\TFTP928 - Deleted
C:\WINDOWS\system32\TFTP944 - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\AmandaLong\Start Menu\Programs\Shortcut to McAfee.com\Desktop.ini
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11927.dll
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11928.dll
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8358.dll
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11923.exe
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11924.exe
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11925.exe
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11926.exe
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11929.exe
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11930.exe
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8392.exe
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8349.tmp
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8350.tmp
C:\WINDOWS\system32\orutv.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

ComboFix 07-08-09 - "AmandaLong" 2007-08-13 18:10:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.83 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))


2007-08-13 17:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-12 11:15 <DIR> d-------- C:\Program Files\analyze.exe
2007-08-12 11:05 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-08-12 11:05 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-08-12 11:05 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-08-12 11:05 <DIR> d-------- C:\Program Files\Sygate
2007-08-08 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1.AMA\APPLIC~1\SUPERAntiSpyware.com
2007-08-08 20:13 <DIR> d-------- C:\Program Files\EarthLink TotalAccess
2007-08-08 17:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 17:55 <DIR> d-------- C:\Program Files\ACW
2007-08-07 22:16 468,480 --a------ C:\WINDOWS\system32\iis.dll
2007-08-07 21:50 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-07 21:50 8,064 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-07 21:50 7,680 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-07 21:50 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-07 21:50 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-07 21:50 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-07 21:50 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-07 21:50 18,688 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-07 21:50 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-07 21:50 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-07 21:50 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-08-07 21:50 12,160 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-07 21:50 112,640 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-07 21:49 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-07 21:49 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-07 21:49 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-07 21:49 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-07 21:49 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-07 21:49 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-07 21:49 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-07 21:49 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-07 21:49 75,264 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-08-07 21:49 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-07 21:49 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-07 21:49 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-07 21:49 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-07 21:49 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-07 21:49 56,832 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-08-07 21:49 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-07 21:49 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-07 21:49 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-07 21:49 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-07 21:49 49,664 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-08-07 21:49 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-07 21:49 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-07 21:49 44,928 --a--c--- C:\WINDOWS\system32\dllcache\watv03nt.sys
2007-08-07 21:49 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-07 21:49 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2007-08-07 21:49 4,864 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2007-08-07 21:49 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-07 21:49 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-07 21:49 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-07 21:49 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-07 21:49 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-07 21:49 32,384 --a--c--- C:\WINDOWS\system32\dllcache\usb101et.sys
2007-08-07 21:49 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-07 21:49 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-07 21:49 31,104 --a--c--- C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-08-07 21:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-07 21:49 30,208 --a--c--- C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-08-07 21:49 29,440 --a--c--- C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-08-07 21:49 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-07 21:49 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-07 21:49 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-07 21:49 27,392 --a--c--- C:\WINDOWS\system32\dllcache\viaagp.sys
2007-08-07 21:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-07 21:49 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-07 21:49 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-07 21:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-07 21:49 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-07 21:49 23,680 --a--c--- C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-08-07 21:49 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-07 21:49 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-07 21:49 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-07 21:49 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-07 21:49 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-07 21:49 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-07 21:49 19,456 --a--c--- C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-08-07 21:49 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-07 21:49 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-07 21:49 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-07 21:49 16,925 --a--c--- C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-07 21:49 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-07 21:49 15,744 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-08-07 21:49 143,104 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2007-08-07 21:49 14,208 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-07 21:49 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-07 21:49 13,056 --a--c--- C:\WINDOWS\system32\dllcache\wacompen.sys
2007-08-07 21:49 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-07 21:49 12,672 --a--c--- C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-08-07 21:49 12,288 --a--c--- C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-08-07 21:49 12,032 --a--c--- C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-08-07 21:49 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-07 21:49 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-07 21:48 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-06 19:17 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 16:17 1392671 --a------ C:\WINDOWS\system32\msvbvm60.dll
2007-08-03 20:08 299008 --a------ C:\WINDOWS\uninst.exe
2007-08-03 20:08 266752 --a------ C:\WINDOWS\winhlp32.exe
2007-08-03 20:08 25600 --a------ C:\WINDOWS\twunk_32.exe
2007-08-03 20:08 11264 --a------ C:\WINDOWS\Ulead iPhoto Plus 4.SCR
2007-08-03 20:07 98304 --a------ C:\WINDOWS\system32\verifier.exe
2007-08-03 20:07 8192 --a------ C:\WINDOWS\system32\winhlp32.exe
2007-08-03 20:07 77824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-08-03 20:07 60416 --a------ C:\WINDOWS\system32\wextract.exe
2007-08-03 20:07 5632 --a------ C:\WINDOWS\system32\write.exe
2007-08-03 20:07 49664 --a------ C:\WINDOWS\system32\w32tm.exe
2007-08-03 20:07 47616 --a------ C:\WINDOWS\system32\utilman.exe
2007-08-03 20:07 47104 --a------ C:\WINDOWS\system32\uwdf.exe
2007-08-03 20:07 414720 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2007-08-03 20:07 40960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-08-03 20:07 4096 --a------ C:\WINDOWS\system32\winver.exe
2007-08-03 20:07 4096 --a------ C:\WINDOWS\system32\unlodctr.exe
2007-08-03 20:07 36352 --a------ C:\WINDOWS\system32\typeperf.exe
2007-08-03 20:07 33792 --a------ C:\WINDOWS\system32\vssadmin.exe
2007-08-03 20:07 32256 --a------ C:\WINDOWS\system32\wupdmgr.exe
2007-08-03 20:07 31744 --a------ C:\WINDOWS\system32\tracert6.exe
2007-08-03 20:07 31232 --a------ C:\WINDOWS\system32\wpabaln.exe
2007-08-03 20:07 29184 --a------ C:\WINDOWS\system32\wpnpinst.exe
2007-08-03 20:07 28160 --a------ C:\WINDOWS\system32\xcopy.exe
2007-08-03 20:07 275456 --a------ C:\WINDOWS\system32\vssvc.exe
2007-08-03 20:07 189952 --a------ C:\WINDOWS\system32\WISPTIS.EXE
2007-08-03 20:07 171520 --a------ C:\WINDOWS\system32\wjview.exe
2007-08-03 20:07 16896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2007-08-03 20:07 16384 --a------ C:\WINDOWS\system32\ups.exe
2007-08-03 20:07 16384 --a------ C:\WINDOWS\system32\tskill.exe
2007-08-03 20:07 15360 --a------ C:\WINDOWS\TASKMAN.EXE
2007-08-03 20:07 14848 --a------ C:\WINDOWS\system32\upnpcont.exe
2007-08-03 20:07 14848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2007-08-03 20:07 14848 --a------ C:\WINDOWS\system32\tscon.exe
2007-08-03 20:07 119808 --a------ C:\WINDOWS\system32\winmine.exe
2007-08-03 20:07 118784 --a------ C:\WINDOWS\system32\wscript.exe
2007-08-03 20:07 11776 --a------ C:\WINDOWS\system32\winmsd.exe
2007-08-03 20:07 10752 --a------ C:\WINDOWS\system32\tracert.exe
2007-08-03 20:06 9728 --a------ C:\WINDOWS\system32\sfc.exe
2007-08-03 20:06 9216 --a------ C:\WINDOWS\system32\subst.exe
2007-08-03 20:06 82944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-08-03 20:06 73728 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-08-03 20:06 72192 --a------ C:\WINDOWS\system32\tasklist.exe
2007-08-03 20:06 72192 --a------ C:\WINDOWS\system32\taskkill.exe
2007-08-03 20:06 71168 --a------ C:\WINDOWS\system32\telnet.exe
2007-08-03 20:06 69632 --a------ C:\WINDOWS\system32\shrpubw.exe
2007-08-03 20:06 68096 --a------ C:\WINDOWS\system32\systeminfo.exe
2007-08-03 20:06 67584 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-08-03 20:06 667648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-08-03 20:06 66048 --a------ C:\WINDOWS\system32\sigverif.exe
2007-08-03 20:06 638976 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-08-03 20:06 57856 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-08-03 20:06 569344 --a------ C:\WINDOWS\system32\sspipes.scr
2007-08-03 20:06 56832 --a------ C:\WINDOWS\system32\sol.exe
2007-08-03 20:06 534016 --a------ C:\WINDOWS\system32\spider.exe
2007-08-03 20:06 51200 --a------ C:\WINDOWS\system32\syncapp.exe
2007-08-03 20:06 43008 --a------ C:\WINDOWS\system32\ssmypics.scr
2007-08-03 20:06 36864 --a------ C:\WINDOWS\system32\syskey.exe
2007-08-03 20:06 364544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-08-03 20:06 346624 --a------ C:\WINDOWS\system32\tourstart.exe
2007-08-03 20:06 33280 --a------ C:\WINDOWS\system32\shmgrate.exe
2007-08-03 20:06 3072 --a------ C:\WINDOWS\system32\systray.exe
2007-08-03 20:06 28672 --a------ C:\WINDOWS\system32\sethc.exe
2007-08-03 20:06 24064 --a------ C:\WINDOWS\system32\skeys.exe
2007-08-03 20:06 23552 --a------ C:\WINDOWS\system32\sort.exe
2007-08-03 20:06 231936 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-08-03 20:06 20992 --a------ C:\WINDOWS\system32\setup.exe
2007-08-03 20:06 20480 --a------ C:\WINDOWS\system32\stimon.exe
2007-08-03 20:06 19456 --a------ C:\WINDOWS\system32\tcpsvcs.exe
2007-08-03 20:06 19456 --a------ C:\WINDOWS\system32\ssmarque.scr
2007-08-03 20:06 18944 --a------ C:\WINDOWS\system32\ssbezier.scr
2007-08-03 20:06 17920 --a------ C:\WINDOWS\system32\shutdown.exe
2007-08-03 20:06 17408 --a------ C:\WINDOWS\system32\ssmyst.scr
2007-08-03 20:06 16896 --a------ C:\WINDOWS\system32\tftp.exe
2007-08-03 20:06 15360 --a------ C:\WINDOWS\system32\taskman.exe
2007-08-03 20:06 14848 --a------ C:\WINDOWS\system32\shadow.exe
2007-08-03 20:06 138752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-08-03 20:06 13312 --a------ C:\WINDOWS\system32\ssstars.scr
2007-08-03 20:06 124416 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-08-03 20:06 12288 --a------ C:\WINDOWS\system32\tcmsetup.exe
2007-08-03 20:06 10752 --a------ C:\WINDOWS\system32\spiisupd.exe
2007-08-03 20:06 103936 --a------ C:\WINDOWS\system32\sysocmgr.exe
2007-08-03 20:05 9728 --a------ C:\WINDOWS\system32\reset.exe
2007-08-03 20:05 9728 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-08-03 20:05 93184 --a------ C:\WINDOWS\system32\scardsvr.exe
2007-08-03 20:05 9216 --a------ C:\WINDOWS\system32\print.exe
2007-08-03 20:05 8192 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-08-03 20:05 74240 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-08-03 20:05 7168 --a------ C:\WINDOWS\system32\recover.exe
2007-08-03 20:05 71168 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-08-03 20:05 62976 --a------ C:\WINDOWS\system32\rsopprov.exe
2007-08-03 20:05 61952 --a------ C:\WINDOWS\system32\rdshost.exe
2007-08-03 20:05 61440 --a------ C:\WINDOWS\system32\openfiles.exe
2007-08-03 20:05 54272 --a------ C:\WINDOWS\system32\rasphone.exe
2007-08-03 20:05 53248 --a------ C:\WINDOWS\system32\packager.exe
2007-08-03 20:05 53248 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-08-03 20:05 49152 --a------ C:\WINDOWS\system32\rsmui.exe
2007-08-03 20:05 49152 --a------ C:\WINDOWS\system32\rsm.exe
2007-08-03 20:05 48128 --a------ C:\WINDOWS\system32\reg.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-07-15 18:23 68608 --a------ C:\WINDOWS\jazcrilc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-08-03 18:26]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 06:30]
"pipmon"="pipmon.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"xrt_Shell"="C:\Documents and Settings\AmandaLong\xrt_thwf.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"WMI Standard Event Consumer - Scripting"=C:\WINDOWS\System32\wbem\scrcons32.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security"=C:\WINDOWS\System32\NSecurity.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"= C:\WINDOWS\jazcrilc.dll [2007-07-15 18:23 68608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdcaa]
iifdcaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxwuu]
xxyxwuu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"WMI Standard Event Consumer - Scripting"= C:\WINDOWS\System32\wbem\scrcons32.exe

R0 Teefer;Teefer for NT;C:\WINDOWS\System32\Drivers\Teefer.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 wpsdrvnt;wpsdrvnt;\??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys
R2 A4SII300;A4SII300;C:\WINDOWS\System32\drivers\A4SII300.SYS
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R2 wg3n;SyGate for NT, wg3n;C:\WINDOWS\System32\Drivers\wg3n.sys
R2 wg4n;SyGate for NT, wg4n;C:\WINDOWS\System32\Drivers\wg4n.sys
R2 wg5n;SyGate for NT, wg5n;C:\WINDOWS\System32\Drivers\wg5n.sys
R2 wg6n;SyGate for NT, wg6n;C:\WINDOWS\System32\Drivers\wg6n.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\System32\Drivers\RootMdm.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S2 ipv7;ipv7;"C:\WINDOWS\ipv7.exe"
S3 Ptserli;PCTEL Serial Device Driver for INTEL;C:\WINDOWS\System32\DRIVERS\ptserli.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\System32\DRIVERS\usbsermptxp.sys

*Newly Created Service* - ALG

Contents of the 'Scheduled Tasks' folder
2007-08-04 00:02:13 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - AmandaLong.job
2007-08-14 01:16:13 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
2007-08-14 00:00:02 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-07 15:05:39 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 18:14:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 18:16:49
C:\ComboFix-quarantined-files.txt ... 2007-08-13 18:16
C:\ComboFix2.txt ... 2007-08-08 18:08

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:06 PM, on 8/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\analyze.exe\analyze.exe\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\jazcrilc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\AmandaLong\xrt_thwf.exe
O4 - HKUS\S-1-5-18\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\wbem\scrcons32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\wbem\scrcons32.exe (User 'Default user')
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mswsock.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifdcaa - iifdcaa.dll (file missing)
O20 - Winlogon Notify: xxyxwuu - xxyxwuu.dll (file missing)
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\jazcrilc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ipv7 - Unknown owner - C:\WINDOWS\ipv7.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 4820 bytes

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 14 August 2007 - 03:31 PM

Copy and paste the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
REM Stop, then remove, the two services whose binaries are no longer on disk
REM (the "(file missing)" O23 entries in the HijackThis log).
sc stop ipv7
sc stop UMWdf
sc delete ipv7
sc delete UMWdf

Restart your pc.

------------------------------------------------

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\jazcrilc.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xrt_Shell"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdcaa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxwuu]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"WMI Standard Event Consumer - Scripting"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"WMI Standard Event Consumer - Scripting"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
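
What post #4 does by hand, as an added example (not HijackThis, ComboFix or RichieUK's code): a small Python triage of the HijackThis log above that picks out the entry classes being cleaned here: O23 services and O20 Winlogon Notify packages whose file is gone, O4 Run values that are a bare file name, live in a user profile or sit in the SYSTEM/Default User hive, the O10 broken-LSP line, and O16 entries loaded through the ms-its/mhtml/file protocols rather than http. It then generates the same fix.bat and CFScript Registry:: lines from the findings. The rules for what counts as suspicious are this example's own assumptions; the sample lines are a subset of the log posted above.

```python
"""Triage a HijackThis 2.0 log and turn the findings into the fix scripts
used in this thread.  Added example for this page, not part of HijackThis
or ComboFix; the rules for what counts as suspicious are this example's
own (assumed) heuristics, chosen to match the entries cleaned above."""
import re

# Subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKCU\..\Run: [xrt_Shell] C:\Documents and Settings\AmandaLong\xrt_thwf.exe
O4 - HKUS\S-1-5-18\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mswsock.dll' missing
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifdcaa - iifdcaa.dll (file missing)
O20 - Winlogon Notify: xxyxwuu - xxyxwuu.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ipv7 - Unknown owner - C:\WINDOWS\ipv7.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (?P<url>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)$")   # "Display Name (shortname)"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}


def run_entry_reason(hive, cmd):
    """Return why an O4 Run entry looks suspicious, or None if it looks normal."""
    cmd = re.sub(r" \(User '[^']*'\)$", "", cmd)          # HJT suffix for other users' hives
    m = re.match(r'"?(?P<exe>.+?\.exe)"?', cmd, re.I)     # executable, with or without quotes/args
    exe = m.group("exe") if m else cmd
    if "\\" not in exe:
        return "bare file name, resolved through the PATH search order"
    if "\\documents and settings\\" in exe.lower():
        return "executable stored inside a user profile"
    if hive.upper().startswith("HKUS"):
        return "Run entry in the SYSTEM / Default User hive"
    return None


def triage(log_text):
    f = {"orphaned_services": [], "missing_notify": [], "suspicious_run": [],
         "broken_lsp": [], "dangerous_dpf": []}
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O23_RE.match(line)) and m.group("missing"):
            # service whose binary is gone: malware already removed, or a leftover registration
            s = SHORT_NAME_RE.search(m.group("display"))
            f["orphaned_services"].append(s.group("short") if s else m.group("display"))
        elif (m := O20_RE.match(line)) and m.group("missing"):
            # Winlogon Notify package whose DLL is gone (Vundo-style persistence leftovers)
            f["missing_notify"].append(m.group("name"))
        elif m := O4_RE.match(line):
            reason = run_entry_reason(m.group("hive"), m.group("cmd"))
            if reason:
                f["suspicious_run"].append((m.group("hive"), m.group("key"), m.group("name"), reason))
        elif line.startswith("O10 - Broken Internet access"):
            f["broken_lsp"].append(line)
        elif m := O16_RE.match(line):
            # Download Program Files entry fetched through a local-file / CHM protocol, not http
            if m.group("url").lower().startswith(("ms-its:", "mhtml:", "file:")):
                f["dangerous_dpf"].append(m.group("clsid"))
    return f


def service_fix_batch(findings):
    """Lines of a fix.bat that stops and removes the orphaned services."""
    names = findings["orphaned_services"]
    return ["@echo off"] + [f"sc stop {n}" for n in names] + [f"sc delete {n}" for n in names]


def cfscript(findings):
    """ComboFix CFScript Registry:: section for the remaining load points."""
    out = ["Registry::"]
    for name in findings["missing_notify"]:
        out.append(rf"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{name}]")
    for hive, key, name, _reason in findings["suspicious_run"]:
        root, _, rest = hive.partition("\\")
        full = HIVES[root] + ("\\" + rest if rest else "")
        out.append(rf"[{full}\SOFTWARE\Microsoft\Windows\CurrentVersion\{key}]")
        out.append(f'"{name}"=-')
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, items in found.items():
        print(f"{kind}: {items}")
    print("\n".join(service_fix_batch(found)))
    print(cfscript(found))
```

Two checks worth keeping in mind when reading its output. An orphaned service is not by itself evidence of malware: UMWdf is Microsoft's User-Mode Driver Framework manager and is only dangling here because wdfmgr.exe is gone, so deleting the registration is harmless, but ipv7 is the entry with no legitimate owner. And the O10 line is not a registry fix: mswsock.dll is Windows' own base Winsock provider, so the file has to be put back (from dllcache or the installation media) before the catalog is repaired. It also explains why ping succeeds while Internet Explorer fails, since ping.exe reaches the TCP/IP driver through the ICMP helper API rather than the Winsock provider chain.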

#5 knifley (Topic Starter, Members, 21 posts)

Posted 15 August 2007 - 09:45 AM

As you requested. I also wanted to thank you for the help so far.


ComboFix 07-08-09 - "AmandaLong" 2007-08-14 18:33:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.62 [GMT -7:00]
Command switches used :: C:\Documents and Settings\AmandaLong\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\jazcrilc.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\jazcrilc.dll


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-13 17:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-12 11:15 <DIR> d-------- C:\Program Files\analyze.exe
2007-08-12 11:05 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-08-12 11:05 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-08-12 11:05 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-08-12 11:05 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-08-12 11:05 <DIR> d-------- C:\Program Files\Sygate
2007-08-08 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1.AMA\APPLIC~1\SUPERAntiSpyware.com
2007-08-08 20:13 <DIR> d-------- C:\Program Files\EarthLink TotalAccess
2007-08-08 17:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 17:55 <DIR> d-------- C:\Program Files\ACW
2007-08-07 22:16 468,480 --a------ C:\WINDOWS\system32\iis.dll
2007-08-07 21:50 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-07 21:50 8,064 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-07 21:50 7,680 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-07 21:50 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-07 21:50 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-07 21:50 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-07 21:50 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-07 21:50 18,688 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-07 21:50 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-07 21:50 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-07 21:50 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-08-07 21:50 12,160 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-07 21:50 112,640 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-07 21:49 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-07 21:49 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-07 21:49 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-07 21:49 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-07 21:49 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-07 21:49 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-07 21:49 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-07 21:49 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-07 21:49 75,264 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-08-07 21:49 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-07 21:49 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-07 21:49 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-07 21:49 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-07 21:49 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-07 21:49 56,832 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-08-07 21:49 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-07 21:49 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-07 21:49 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-07 21:49 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-07 21:49 49,664 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-08-07 21:49 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-07 21:49 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-07 21:49 44,928 --a--c--- C:\WINDOWS\system32\dllcache\watv03nt.sys
2007-08-07 21:49 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-07 21:49 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2007-08-07 21:49 4,864 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2007-08-07 21:49 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-07 21:49 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-07 21:49 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-07 21:49 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-07 21:49 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-07 21:49 32,384 --a--c--- C:\WINDOWS\system32\dllcache\usb101et.sys
2007-08-07 21:49 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-07 21:49 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-07 21:49 31,104 --a--c--- C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-08-07 21:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-07 21:49 30,208 --a--c--- C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-08-07 21:49 29,440 --a--c--- C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-08-07 21:49 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-07 21:49 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-07 21:49 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-07 21:49 27,392 --a--c--- C:\WINDOWS\system32\dllcache\viaagp.sys
2007-08-07 21:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-07 21:49 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-07 21:49 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-07 21:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-07 21:49 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-07 21:49 23,680 --a--c--- C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-08-07 21:49 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-07 21:49 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-07 21:49 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-07 21:49 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-07 21:49 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-07 21:49 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-07 21:49 19,456 --a--c--- C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-08-07 21:49 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-07 21:49 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-07 21:49 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-07 21:49 16,925 --a--c--- C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-07 21:49 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-07 21:49 15,744 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-08-07 21:49 143,104 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2007-08-07 21:49 14,208 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-07 21:49 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-07 21:49 13,056 --a--c--- C:\WINDOWS\system32\dllcache\wacompen.sys
2007-08-07 21:49 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-07 21:49 12,672 --a--c--- C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-08-07 21:49 12,288 --a--c--- C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-08-07 21:49 12,032 --a--c--- C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-08-07 21:49 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-07 21:49 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-07 21:48 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-06 19:17 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 16:17 1392671 --a------ C:\WINDOWS\system32\msvbvm60.dll
2007-08-03 20:08 299008 --a------ C:\WINDOWS\uninst.exe
2007-08-03 20:08 266752 --a------ C:\WINDOWS\winhlp32.exe
2007-08-03 20:08 25600 --a------ C:\WINDOWS\twunk_32.exe
2007-08-03 20:08 11264 --a------ C:\WINDOWS\Ulead iPhoto Plus 4.SCR
2007-08-03 20:07 98304 --a------ C:\WINDOWS\system32\verifier.exe
2007-08-03 20:07 8192 --a------ C:\WINDOWS\system32\winhlp32.exe
2007-08-03 20:07 77824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-08-03 20:07 60416 --a------ C:\WINDOWS\system32\wextract.exe
2007-08-03 20:07 5632 --a------ C:\WINDOWS\system32\write.exe
2007-08-03 20:07 49664 --a------ C:\WINDOWS\system32\w32tm.exe
2007-08-03 20:07 47616 --a------ C:\WINDOWS\system32\utilman.exe
2007-08-03 20:07 47104 --a------ C:\WINDOWS\system32\uwdf.exe
2007-08-03 20:07 414720 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2007-08-03 20:07 40960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-08-03 20:07 4096 --a------ C:\WINDOWS\system32\winver.exe
2007-08-03 20:07 4096 --a------ C:\WINDOWS\system32\unlodctr.exe
2007-08-03 20:07 36352 --a------ C:\WINDOWS\system32\typeperf.exe
2007-08-03 20:07 33792 --a------ C:\WINDOWS\system32\vssadmin.exe
2007-08-03 20:07 32256 --a------ C:\WINDOWS\system32\wupdmgr.exe
2007-08-03 20:07 31744 --a------ C:\WINDOWS\system32\tracert6.exe
2007-08-03 20:07 31232 --a------ C:\WINDOWS\system32\wpabaln.exe
2007-08-03 20:07 29184 --a------ C:\WINDOWS\system32\wpnpinst.exe
2007-08-03 20:07 28160 --a------ C:\WINDOWS\system32\xcopy.exe
2007-08-03 20:07 275456 --a------ C:\WINDOWS\system32\vssvc.exe
2007-08-03 20:07 189952 --a------ C:\WINDOWS\system32\WISPTIS.EXE
2007-08-03 20:07 171520 --a------ C:\WINDOWS\system32\wjview.exe
2007-08-03 20:07 16896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2007-08-03 20:07 16384 --a------ C:\WINDOWS\system32\ups.exe
2007-08-03 20:07 16384 --a------ C:\WINDOWS\system32\tskill.exe
2007-08-03 20:07 15360 --a------ C:\WINDOWS\TASKMAN.EXE
2007-08-03 20:07 14848 --a------ C:\WINDOWS\system32\upnpcont.exe
2007-08-03 20:07 14848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2007-08-03 20:07 14848 --a------ C:\WINDOWS\system32\tscon.exe
2007-08-03 20:07 119808 --a------ C:\WINDOWS\system32\winmine.exe
2007-08-03 20:07 118784 --a------ C:\WINDOWS\system32\wscript.exe
2007-08-03 20:07 11776 --a------ C:\WINDOWS\system32\winmsd.exe
2007-08-03 20:07 10752 --a------ C:\WINDOWS\system32\tracert.exe
2007-08-03 20:06 9728 --a------ C:\WINDOWS\system32\sfc.exe
2007-08-03 20:06 9216 --a------ C:\WINDOWS\system32\subst.exe
2007-08-03 20:06 82944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-08-03 20:06 73728 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-08-03 20:06 72192 --a------ C:\WINDOWS\system32\tasklist.exe
2007-08-03 20:06 72192 --a------ C:\WINDOWS\system32\taskkill.exe
2007-08-03 20:06 71168 --a------ C:\WINDOWS\system32\telnet.exe
2007-08-03 20:06 69632 --a------ C:\WINDOWS\system32\shrpubw.exe
2007-08-03 20:06 68096 --a------ C:\WINDOWS\system32\systeminfo.exe
2007-08-03 20:06 67584 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-08-03 20:06 667648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-08-03 20:06 66048 --a------ C:\WINDOWS\system32\sigverif.exe
2007-08-03 20:06 638976 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-08-03 20:06 57856 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-08-03 20:06 569344 --a------ C:\WINDOWS\system32\sspipes.scr
2007-08-03 20:06 56832 --a------ C:\WINDOWS\system32\sol.exe
2007-08-03 20:06 534016 --a------ C:\WINDOWS\system32\spider.exe
2007-08-03 20:06 51200 --a------ C:\WINDOWS\system32\syncapp.exe
2007-08-03 20:06 43008 --a------ C:\WINDOWS\system32\ssmypics.scr
2007-08-03 20:06 36864 --a------ C:\WINDOWS\system32\syskey.exe
2007-08-03 20:06 364544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-08-03 20:06 346624 --a------ C:\WINDOWS\system32\tourstart.exe
2007-08-03 20:06 33280 --a------ C:\WINDOWS\system32\shmgrate.exe
2007-08-03 20:06 3072 --a------ C:\WINDOWS\system32\systray.exe
2007-08-03 20:06 28672 --a------ C:\WINDOWS\system32\sethc.exe
2007-08-03 20:06 24064 --a------ C:\WINDOWS\system32\skeys.exe
2007-08-03 20:06 23552 --a------ C:\WINDOWS\system32\sort.exe
2007-08-03 20:06 231936 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-08-03 20:06 20992 --a------ C:\WINDOWS\system32\setup.exe
2007-08-03 20:06 20480 --a------ C:\WINDOWS\system32\stimon.exe
2007-08-03 20:06 19456 --a------ C:\WINDOWS\system32\tcpsvcs.exe
2007-08-03 20:06 19456 --a------ C:\WINDOWS\system32\ssmarque.scr
2007-08-03 20:06 18944 --a------ C:\WINDOWS\system32\ssbezier.scr
2007-08-03 20:06 17920 --a------ C:\WINDOWS\system32\shutdown.exe
2007-08-03 20:06 17408 --a------ C:\WINDOWS\system32\ssmyst.scr
2007-08-03 20:06 16896 --a------ C:\WINDOWS\system32\tftp.exe
2007-08-03 20:06 15360 --a------ C:\WINDOWS\system32\taskman.exe
2007-08-03 20:06 14848 --a------ C:\WINDOWS\system32\shadow.exe
2007-08-03 20:06 138752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-08-03 20:06 13312 --a------ C:\WINDOWS\system32\ssstars.scr
2007-08-03 20:06 124416 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-08-03 20:06 12288 --a------ C:\WINDOWS\system32\tcmsetup.exe
2007-08-03 20:06 10752 --a------ C:\WINDOWS\system32\spiisupd.exe
2007-08-03 20:06 103936 --a------ C:\WINDOWS\system32\sysocmgr.exe
2007-08-03 20:05 9728 --a------ C:\WINDOWS\system32\reset.exe
2007-08-03 20:05 9728 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-08-03 20:05 93184 --a------ C:\WINDOWS\system32\scardsvr.exe
2007-08-03 20:05 9216 --a------ C:\WINDOWS\system32\print.exe
2007-08-03 20:05 8192 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-08-03 20:05 74240 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-08-03 20:05 7168 --a------ C:\WINDOWS\system32\recover.exe
2007-08-03 20:05 71168 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-08-03 20:05 62976 --a------ C:\WINDOWS\system32\rsopprov.exe
2007-08-03 20:05 61952 --a------ C:\WINDOWS\system32\rdshost.exe
2007-08-03 20:05 61440 --a------ C:\WINDOWS\system32\openfiles.exe
2007-08-03 20:05 54272 --a------ C:\WINDOWS\system32\rasphone.exe
2007-08-03 20:05 53248 --a------ C:\WINDOWS\system32\packager.exe
2007-08-03 20:05 53248 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-08-03 20:05 49152 --a------ C:\WINDOWS\system32\rsmui.exe
2007-08-03 20:05 49152 --a------ C:\WINDOWS\system32\rsm.exe
2007-08-03 20:05 48128 --a------ C:\WINDOWS\system32\reg.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-08-03 18:26]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 06:30]
"pipmon"="pipmon.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:22 PM, on 8/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\analyze.exe\analyze.exe\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mswsock.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 3729 bytes

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 August 2007 - 10:50 AM

Download and run WinSock XP Fix:
http://www.snapfiles.com/get/winsockxpfix.html
------------------------------------------------------
Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

Have HijackThis fix the following [if still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx

Exit HijackThis.

Now run AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

1) Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

2) Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done, then restart your PC.

Also post a new HijackThis log.
Let me know how your PC is running now.

Edited by RichieUK, 15 August 2007 - 10:50 AM.

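
Reading the saved report post #6 asks for, as an added example (not an AVG feature and not code from this thread): AVG Anti-Spyware 7.5 writes one detection per line as `<path> -> <detection> : <action>`, and most of the hits on a machine that has already been through ComboFix and SDFix are echoes of files those tools quarantined, plus Recycle Bin and System Restore copies. This Python script sorts a report into those buckets so the files that were genuinely live on disk stand out. The location rules are this example's own assumptions; the sample lines are a subset of the report knifley posts in the next reply.

```python
"""Sort an AVG Anti-Spyware 7.5 scan report into detections that matter and
detections that are only copies of files already quarantined elsewhere.
Added example for this thread, not an AVG feature; the location rules below
are this example's own assumptions about where harmless copies live."""
import re

# Subset of the report posted in the next reply, in AVG's
# "<path> -> <detection> : <action>" line format.
SAMPLE_REPORT = r"""
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8415.exe -> Backdoor.Rizo.b : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/TFTP456 -> Backdoor.Sdbot : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\jazcrilc.dll.vir -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B6079DB9-22E3-4760-B040-2C29710FED2B}\RP7\A0003730.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\protect.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rsh.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8483.txt -> TrackingCookie.2o7 : Cleaned.
"""

# (lower-cased path fragment, bucket).  First match wins; anything unmatched is live.
LOCATION_RULES = [
    ("c:\\qoobox\\quarantine\\", "combofix quarantine"),
    ("c:\\sdfix\\backups\\", "sdfix backup"),
    ("c:\\system volume information\\_restore", "system restore point"),
    ("c:\\recycler\\", "recycle bin"),
]

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<action>.+)$")


def parse_report(text):
    """Return (path, detection name, action) for each detection line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("path"), m.group("name"), m.group("action")))
    return out


def classify(path, name):
    """Bucket one detection: cookie, a copy held somewhere harmless, or a live file."""
    if name.startswith("TrackingCookie."):
        return "tracking cookie"
    low = path.lower()
    for fragment, bucket in LOCATION_RULES:
        if fragment in low:
            return bucket
    return "live"


def summarize(text):
    """Map bucket -> list of paths, so the live hits stand out from the echoes."""
    buckets = {}
    for path, name, _action in parse_report(text):
        buckets.setdefault(classify(path, name), []).append(path)
    return buckets


def live_files(text):
    """Files that were actually present in a working location when the scan ran."""
    return summarize(text).get("live", [])


if __name__ == "__main__":
    for bucket, paths in summarize(SAMPLE_REPORT).items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

On this report only the two system32 DLLs were live; neither appeared in the HijackThis log, which lists load points rather than files on disk, so a clean HijackThis log is not a clean machine. The restore-point hits are the reason these cleanups normally finish by purging System Restore: any point created while the infection was active would reinstate those files if it were ever used.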

#7 knifley (Topic Starter, Members, 21 posts)

Posted 16 August 2007 - 08:01 AM

The WinSock XP Fix did not download properly, and I discovered that when I took the CD home and tried to install it. However, I had downloaded it earlier when I tried to fix this on my own, but I got it at a different site. Looking at the pic of it, it looked the same. Its icon is like an American Red Cross and it is labeled winsockxpfix (Properties title it as winsockfix.exe). Also I downloaded AVG and the update, but after installing the update the program still said it had never been updated.
HijackThis runs without shutting down. I still get the ccApp:ccApp.exe error message along with the other error messages when I start up. I still cannot get into Add/Remove Windows Components, and when you try to run Spybot it still flashes and disappears.
The PC does go a lot faster, but I still cannot get online.

Here are my scans

Thanks.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:00:49 PM 8/15/2007

+ Scan result:



C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8415.exe -> Backdoor.Rizo.b : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8417.exe -> Backdoor.Rizo.b : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/TFTP456 -> Backdoor.Sdbot : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc10798.htm -> Downloader.Agent.bhl : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\jazcrilc.dll.vir -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B6079DB9-22E3-4760-B040-2C29710FED2B}\RP7\A0003730.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\protect.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rsh.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\asc3550u.sys.vir -> Proxy.Agent.mx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B6079DB9-22E3-4760-B040-2C29710FED2B}\RP1\A0000004.sys -> Proxy.Agent.mx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B6079DB9-22E3-4760-B040-2C29710FED2B}\RP1\A0000011.sys -> Proxy.Agent.mx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B6079DB9-22E3-4760-B040-2C29710FED2B}\RP1\A0000018.sys -> Proxy.Agent.mx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B6079DB9-22E3-4760-B040-2C29710FED2B}\RP1\A0002318.sys -> Proxy.Agent.mx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B6079DB9-22E3-4760-B040-2C29710FED2B}\RP2\A0002367.sys -> Proxy.Agent.mx : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc11964.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8483.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8448.txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc400.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8453.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8464.txt -> TrackingCookie.Enhance : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8505.txt -> TrackingCookie.Paypal : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8446.txt -> TrackingCookie.Pointroll : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8484.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8486.txt -> TrackingCookie.Realmedia : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8494.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8489.txt -> TrackingCookie.Revsci : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8496.txt -> TrackingCookie.Tacoda : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8498.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\RECYCLER\S-1-5-21-1708537768-1645522239-725345543-500\Dc8445.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:09 PM, on 8/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\analyze.exe\analyze.exe\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\mswsock.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 3887 bytes

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 16 August 2007 - 09:02 AM

You've had the following Backdoor Trojans present on your pc.
Backdoor.Rizo.b
Backdoor.Sdbot

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

----------------------------------------------------

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "c:\windows\system32\mswsock.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.

----------------------------------------------------

ccapp.exe is a process belonging to Norton AntiVirus.
If you have the NAV install disk try uninstalling/reinstalling Norton AntiVirus.

Restart your pc.
Post a new Hijackthis log.
Let me know what's happening now.
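The O10 line in the log above and the LSPFix steps in this post both concern the Winsock catalog: when a Layered Service Provider or base provider entry points at a DLL that is no longer on disk, every application that uses Winsock fails to connect even though the dial-up link itself is up. The script below is an added example, not code from the thread or from LSPFix. It parses the text that `netsh winsock show catalog` prints on Windows XP and later and reports entries whose `Provider Path` cannot be found. The catalog text, the file set and the `nwprovau.dll` entry are constructed for the example; on a real machine you would feed it the real `netsh` output and pass `os.path.exists` instead of the constructed lookup.

```python
"""Flag Winsock catalog providers whose DLL is missing from disk.

Added example (not the thread's own code, not LSPFix): parses the text
printed by `netsh winsock show catalog` and reports entries whose
'Provider Path' does not exist. That is the condition HijackThis reports
as 'O10 - Broken Internet access because of LSP provider ... missing'.
"""
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of `netsh winsock show catalog` output (two entries
# only; a real catalog has many more). Not captured from the poster's PC.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol:                           6

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP (constructed placeholder)
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\WINDOWS\system32\nwprovau.dll
Catalog Entry ID:                   1002
Version:                            2
Protocol:                           0
"""

# Constructed view of the disk: mswsock.dll has been deleted (as in the
# thread) while nwprovau.dll is still present. Use os.path.exists on a real box.
PRESENT_FILES_CONSTRUCTED = {r"c:\windows\system32\nwprovau.dll"}


def constructed_exists(path: str) -> bool:
    """Stand-in for os.path.exists that answers from the constructed set."""
    return path.lower() in PRESENT_FILES_CONSTRUCTED


# netsh prints one 'Field:   value' pair per line; field names contain spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict of field/value pairs per entry."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def expand_path(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Expand the %SystemRoot% form netsh uses for base providers.

    A lambda replacement avoids re.sub treating backslashes in the
    Windows path as escape sequences.
    """
    return re.sub(r"%SystemRoot%", lambda _: system_root, path,
                  flags=re.IGNORECASE)


def find_missing_providers(text: str,
                           exists: Callable[[str], bool] = os.path.exists,
                           system_root: str = r"C:\WINDOWS") -> List[Dict[str, str]]:
    """Return catalog entries whose provider DLL is not on disk."""
    missing: List[Dict[str, str]] = []
    for entry in parse_catalog(text):
        raw = entry.get("Provider Path", "")
        if not raw:
            continue
        path = expand_path(raw, system_root)
        if not exists(path):
            missing.append({
                "id": entry.get("Catalog Entry ID", "?"),
                "type": entry.get("Entry Type", "?"),
                "description": entry.get("Description", "?"),
                "path": path,
            })
    return missing


if __name__ == "__main__":
    for m in find_missing_providers(SAMPLE_CATALOG, constructed_exists):
        print(f"MISSING entry {m['id']} ({m['type']}): "
              f"{m['description']} -> {m['path']}")
```

A missing base provider such as `mswsock.dll` is worse than a missing third-party LSP: removing the catalog entry with LSPFix makes the chain consistent again but leaves the machine without TCP/IP support in Winsock, which is why this thread moves on to restoring the DLL itself. A clean result from this check, a restored DLL, and a fresh HijackThis log without an O10 line are the three things to confirm before declaring the Winsock side of the cleanup done.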

#9 knifley (Topic Starter, Members, 21 posts)

Posted 17 August 2007 - 07:58 AM

I still cannot use Internet Explorer. I reinstalled Norton's but I still get the same error message. It says b/c mwsock.dll is missing and cannot get into windows add/remove b/c wsock32.dll is missing.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:01 PM, on 8/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\analyze.exe\analyze.exe\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 3672 bytes

#10 knifley (Topic Starter, Members, 21 posts)

Posted 17 August 2007 - 08:26 AM

I forgot to mention that my ebay account did get compromised a few months back and I had to change my password and info. Since then I have been using it only at work and billpay I have only used at work b/c it is a much faster connection. Thanks for the info! I think I will continue any transactions I need to do at work.

Amanda

#11 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 17 August 2007 - 08:33 AM

Download/unzip mswsock.dll to your System32 folder, overwriting any file present.
Restart your pc, let me know what's happening now.
The file is attached below.

#12 knifley (Topic Starter, Members, 21 posts)

Posted 18 August 2007 - 07:13 PM

I can now get into Add/Remove Windows Components. The ccApp error is gone. I now have another one that says Symantec email proxy "tcp/ip is not installed".

Internet still does not work.

Thank you for all the help you've been doing!

#13 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 18 August 2007 - 07:24 PM

Click Start/Control Panel/Network Connections.
Right click on 'Local Area Connection', and select 'Properties'.
Make sure 'Internet Protocol (TCP/IP)' is checked.
If it's already checked, you might have to uninstall and then reinstall it.
If the box is not checked, then check it, OK your way out, and restart your pc.

#14 knifley (Topic Starter, Members, 21 posts)

Posted 21 August 2007 - 08:18 AM

With dial-up, would I need to go through networking? I did, and had it checked. I also had it checked on dial-up. I am not sure if I know how to do that correctly. When I went to Windows Components, it asked for the disk.
Also, when I clicked on MSN Messenger and ran its troubleshooting, it passed the IP address test and then I had an error on the Default Gateway section: 80072ee7.

#15 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 21 August 2007 - 08:24 AM

I suggest you start a new topic in the forum below; please give as much detail as possible regarding your issue:
Networking:
http://www.bleepingcomputer.com/forums/f/21/networking/

Post back into this topic if you manage to get the problem resolved.
