
This Is A Hard One...highly Infected


  • This topic is locked
41 replies to this topic

#1 kartoon

kartoon

  • Members
  • 31 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 19 August 2007 - 10:28 AM

Well, I come to you today because recently my girlfriend asked me to come check her computer out... said it was acting funny.

Well, it sure is... it's the worst infection I have ever seen. I'm decent at getting rid of spyware, but this is just out of control... more stuff than I know what to do with. If anyone out there is up to helping me with a big one... I could really use it. Below is the HijackThis log.

Thank you in advance.



Logfile of HijackThis v1.99.1
Scan saved at 11:21:24 AM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\cfgwiz.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\retadpu11.exe
C:\Program Files\Common Files\{7CCC92F3-0710-1033-0420-050624040001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ISM\ISMModule2.exe
C:\DOCUME~1\COMPAQ~1\APPLIC~1\MBOLS~1\attrib.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\program files\aol\aol toolbar 4.0\AolTbServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\retadpu11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Application Data\?racle\m?iexec.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe
c:\program files\aim6\anotify.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C309511A-EEA2-B22F-81DA-E4ABAB7653E5} - C:\WINDOWS\system32\khpz.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\COMPAQ~1\APPLIC~1\MBOLS~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Jxa] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\m?iexec.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000318 (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:06:36 PM

Posted 19 August 2007 - 12:59 PM

Hi kartoon and welcome to BleepingComputers Forums.

My name is Trevuren and I will be helping you with your problem.


Please download this file - combofix.exe by sUBs
  • Save it to your Desktop
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll




  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

Microsoft MVP - Consumer Security 2008 - 2009


#3 kartoon

kartoon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 19 August 2007 - 02:50 PM

OK, here is the ComboFix log.


ComboFix 07-08-17.2 - "Compaq_Owner" 2007-08-19 15:39:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Command switches used :: /KillAll
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\as.txt
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\fnts~1
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\mbols~1
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\mbols~1\??mbols\
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\mbols~1\attrib.exe
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\racle~1
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\racle~1\?racle\
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\racle~1\javaw.exe
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\racle~1\m?iexec.exe
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\stem~1
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\wnsxs~1
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\ystem3~1
C:\DOCUME~1\COMPAQ~1\APPLIC~1.\ystem3~1\??plorer.exe
C:\DOCUME~1\COMPAQ~1\APPLIC~1\Dxcdmns.dll
C:\DOCUME~1\COMPAQ~1\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\COMPAQ~1\APPLIC~1\Dxcuknwrd.dll
C:\DOCUME~1\COMPAQ~1\APPLIC~1\Microsoft\20509.dat
C:\DOCUME~1\COMPAQ~1\APPLIC~1\Microsoft\60787.dat
C:\DOCUME~1\COMPAQ~1\ie_updater.exe
C:\DOCUME~1\COMPAQ~1\MYDOCU~1.\asks~1
C:\DOCUME~1\COMPAQ~1\MYDOCU~1.\dobe~1
C:\DOCUME~1\COMPAQ~1\MYDOCU~1.\racle~1
C:\DOCUME~1\COMPAQ~1\MYDOCU~1.\ymbols~1
C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\Program Files\asks~1
C:\Program Files\Common Files\{3CCC9~1
C:\Program Files\Common Files\{3CCC9~1\Bar888.dll
C:\Program Files\Common Files\{3CCC9~1\UnInstall.exe
C:\Program Files\Common Files\{7CCC9~1
C:\Program Files\Common Files\{7CCC9~1\Update.exe
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\Yazzle1409OinAdmin.exe
C:\Program Files\Common Files\Yazzle1409OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\ymbols~1
C:\Program Files\deskalerts
C:\Program Files\deskalerts\basis.xml
C:\Program Files\deskalerts\Cache\045b4f7adac10e512896af2a0470f433.xml
C:\Program Files\deskalerts\cancel_button.gif
C:\Program Files\deskalerts\deskbar.crc
C:\Program Files\deskalerts\deskbar.inf
C:\Program Files\deskalerts\history.html
C:\Program Files\deskalerts\hs_delete.bmp
C:\Program Files\deskalerts\hs_search.bmp
C:\Program Files\deskalerts\icons.bmp
C:\Program Files\deskalerts\mbclose.bmp
C:\Program Files\deskalerts\mblogo.bmp
C:\Program Files\deskalerts\newversion.txt
C:\Program Files\deskalerts\notify.wav
C:\Program Files\deskalerts\options.html
C:\Program Files\deskalerts\save_button.gif
C:\Program Files\deskalerts\title_back.gif
C:\Program Files\deskalerts\version.txt
C:\Program Files\fnts~1
C:\Program Files\icroso~1
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule2.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\mbols~1
C:\Program Files\newdotnet
C:\Program Files\newdotnet\newdotnet7_48.dll
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall6_38.exe
C:\Program Files\newdotnet\uninstall7_48.exe
C:\Program Files\oin search
C:\Program Files\oin search\OINSearch.dll
C:\Program Files\oin search\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\ppatch~1
C:\Program Files\pppatc~1
C:\Program Files\system files
C:\Program Files\system files\kwdata.cdb
C:\Program Files\system files\Uninstall.exe
C:\Program Files\system icons
C:\Program Files\tsks~1
C:\system.exe
C:\temp\tn3
C:\visfx500new.exe
C:\WINDOWS\asembl~1
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\DOWNLO~1\USDR6_0001_D08M0404NetInstaller.exe
C:\WINDOWS\DOWNLO~1\USDR6_0001_D18M2707NetInstaller.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\mbols~1
C:\WINDOWS\mirarsetup_876075.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\retadpu11.exe
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\khpz.dll
C:\WINDOWS\system32\rcfhk.dat
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\system32\wtsicomsv32.exe
C:\WINDOWS\uninst2.htm
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\unist1.htm
C:\WINDOWS\updater.exe
C:\WINDOWS\vcui32.dll
C:\WINDOWS\wr.txt
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\Client IP-IPX
-------\cmdService
-------\core
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-19 15:43 127,488 --a------ C:\WINDOWS\system32\rcfhk.dat
2007-08-19 15:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-15 20:19 <DIR> d-------- C:\Program Files\WinBudget
2007-08-03 19:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 13:47 614 --a------ C:\WINDOWS\kawlp.dll
2007-08-16 15:19 --------- d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\WeatherBug
2007-08-15 11:20 --------- d--h----- C:\Program Files\BHO Plugin
2007-08-15 11:20 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:20 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-10 19:29 --------- d-------- C:\Program Files\LimeWire
2007-06-26 11:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-04-07 13:01 279 --a------ C:\Program Files\Common Files\rybiv
2006-12-29 11:47 142 --a------ C:\Program Files\Common Files\vikok.html
2006-08-13 12:48 657 --a------ C:\Program Files\Common Files\niwyr


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-04 19:54 C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2007-04-07 20:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" []
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 05:56 C:\WINDOWS\sm56hlpr.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-07 20:14]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-16 18:36]
"lvuvxc"="C:\WINDOWS\system32\lfqeye.exe" [2007-04-09 03:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"Srro"="C:\DOCUME~1\COMPAQ~1\APPLIC~1\MBOLS~1\attrib.exe" []
"Jxa"="C:\Documents and Settings\Compaq_Owner\Application Data\?racle\m?iexec.exe" []
"hscwa"="C:\WINDOWS\system32\lfqeye.exe" [2007-04-09 03:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-26 13:31:26]
emcff.exe [2007-02-12 13:26:43]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\sslaunch.exe [2005-05-16 18:38:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINDOWS\system32\cohix.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,mjomjka.exe"



Contents of the 'Scheduled Tasks' folder
2007-08-19 18:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-18 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
2005-05-16 23:03:31 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 15:43:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 15:46:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 15:45

--- E O F ---








And here is a new HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 3:50:25 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\aol\aol toolbar 4.0\AolTbServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\COMPAQ~1\APPLIC~1\MBOLS~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Jxa] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\m?iexec.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 19 August 2007 - 04:22 PM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009

#5 kartoon

kartoon
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2007 - 04:37 PM

here is the SDFix log

SDFix: Version 1.99

Run by Compaq_Owner on Sun 08/19/2007 at 05:28 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Registry Backups: - C:\SDFix\backups\backupreg.zip
Full Registry Backup: - C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

Files with Hidden Attributes:

C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished



and the new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 5:35:38 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Norton Internet Security\cfgwiz.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\InterMute\SpySubtract\sslaunch.exe
c:\program files\aol\aol toolbar 4.0\AolTbServer.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\COMPAQ~1\APPLIC~1\MBOLS~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Jxa] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\m?iexec.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

this comp already is 10000x better than it was

#6 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 19 August 2007 - 05:47 PM

Please copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • Please disable AVG AntiSpyware by opening the program and on the Status page - beside "Resident Shield" click on "change status" so that it says "inactive" for it may interfere with our HJT fix.
    • Remember to reactivate this feature when all our work is finished.

  • Please RUN HijackThis

    1. Click the SCAN button to produce a log.


    2. Place a check mark beside each one of the following items:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
    O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\COMPAQ~1\APPLIC~1\MBOLS~1\attrib.exe" -vt yazb
    O4 - HKCU\..\Run: [Jxa] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\m?iexec.exe"

    3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


  • Now to Remove some malware:

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the code box below into the Notepad window:

    File::
    C:\WINDOWS\system32\rcfhk.dat
    C:\WINDOWS\kawlp.dll
    C:\DOCUME~1\COMPAQ~1\APPLIC~1\WeatherBug
    C:\Program Files\Common Files\vikok.html
    C:\WINDOWS\system32\cohix.exe
    C:\windows\system32\mjomjka.exe
    C:\windows\system32\sm56hlpr.exe
    C:\WINDOWS\system32\lfqeye.exe
    
    Folder::
    C:\Program Files\Common Files\rybiv
    C:\Program Files\Common Files\niwyr
    C:\Program Files\MyWebSearchWB
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lvuvxc"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hscwa"=-


    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. If the tool does not initiate a reboot itself, please restart the system yourself, then post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

Microsoft MVP - Consumer Security 2008 - 2009
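An added example, not code from this thread and not part of HijackThis, SDFix or ComboFix: a small Python triage script that applies the reasoning behind the entries picked out above. It checks the two F2 Winlogon values (Shell and UserInit) for anything beyond their Windows XP defaults, and flags O4 Run entries whose path contains characters HijackThis could not render (the ?racle\m?iexec.exe entry), that launch from a user profile data directory, or whose run-key name is a short random string unrelated to the executable it launches. The sample log lines are constructed from the log posted above; the function names, the heuristics and the default-value sets are assumptions made for this example.

```python
"""Triage helpers for HijackThis v1.99 log lines (constructed example)."""
import re

# Windows XP defaults for the two Winlogon values HijackThis reports as F2
# entries. Anything else listed in these values is loaded at every logon.
DEFAULT_SHELL = {"explorer.exe"}
DEFAULT_USERINIT = {"userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Profile directories (long and 8.3 forms) from which a startup program on a
# home XP machine is rarely legitimate. Heuristic, assumed for this example.
USER_DATA_DIRS = ("application data", "applic~1", "local settings", "locals~1")

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\COMPAQ~1\APPLIC~1\MBOLS~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Jxa] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\m?iexec.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def basename(path):
    """Last component of a Windows path, lower-cased, surrounding quotes removed."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def extra_winlogon_entries(value, defaults):
    """Programs in a comma-separated Winlogon value whose file name is not a default."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if basename(p) not in defaults]


def executable_of(cmd):
    """The program part of a Run command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split(" ")[0]  # unquoted paths containing spaces are truncated here


def o4_reasons(name, cmd):
    """Why an O4 Run entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    exe = executable_of(cmd)
    if "?" in cmd:
        reasons.append("path contains characters HijackThis could not render")
    if any(d in exe.lower() for d in USER_DATA_DIRS):
        reasons.append("runs from a user profile data directory")
    if re.fullmatch(r"[A-Za-z]{3,6}", name) and name.lower() not in basename(exe):
        reasons.append("short random-looking run name unrelated to the executable")
    return reasons


def triage(log_text):
    """Return (log line, reason) pairs for F2 and O4 lines that look suspicious."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            defaults = DEFAULT_SHELL if m["key"] == "Shell" else DEFAULT_USERINIT
            for extra in extra_winlogon_entries(m["value"], defaults):
                findings.append((line, f"Winlogon {m['key']} also loads {extra}"))
            continue
        m = O4_RE.match(line)
        if m:
            for reason in o4_reasons(m["name"], m["cmd"]):
                findings.append((line, f"{m['hive']} Run [{m['name']}]: {reason}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run as-is it prints seven findings for the sample: one for each modified Winlogon value and several for the two odd HKCU Run entries, while the Symantec and ctfmon entries pass. The run-name heuristic is deliberately loose and will occasionally flag a legitimate entry with a short name, so treat the output as a list of things to look at, not a verdict.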

#7 kartoon

kartoon
  • Topic Starter

  • Members
  • 31 posts

Posted 19 August 2007 - 08:46 PM

just got in from work. but will try this first thing tomorrow and post of my logs. thank you for the help so far. will update tomorrow!

thanks

#8 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 19 August 2007 - 11:22 PM

:thumbsup:
Microsoft MVP - Consumer Security 2008 - 2009

#9 kartoon

kartoon
  • Topic Starter

  • Members
  • 31 posts

Posted 20 August 2007 - 06:30 AM

ok here is our new ComboFix log


ComboFix 07-08-17.2 - "Compaq_Owner" 2007-08-20 7:23:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\rcfhk.dat
C:\WINDOWS\kawlp.dll
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WeatherBug
C:\Program Files\Common Files\vikok.html
C:\WINDOWS\system32\cohix.exe
C:\windows\system32\mjomjka.exe
C:\windows\system32\sm56hlpr.exe
C:\WINDOWS\system32\lfqeye.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\niwyr\
C:\Program Files\Common Files\rybiv\
C:\WINDOWS\kawlp.dll
C:\WINDOWS\system32\cohix.exe
C:\WINDOWS\system32\lfqeye.exe
C:\windows\system32\mjomjka.exe
C:\WINDOWS\system32\rcfhk.dat


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-19 17:27 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-19 15:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-15 20:19 <DIR> d-------- C:\Program Files\WinBudget
2007-08-03 19:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 07:19 --------- d-------- C:\Program Files\AWS
2007-08-15 11:20 --------- d--h----- C:\Program Files\BHO Plugin
2007-08-15 11:20 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:20 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-10 19:29 --------- d-------- C:\Program Files\LimeWire
2007-06-26 11:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-04-07 13:01 279 --a------ C:\Program Files\Common Files\rybiv
2006-08-13 12:48 657 --a------ C:\Program Files\Common Files\niwyr


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-04 19:54 C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2007-04-07 20:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" []
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-07 20:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-16 18:36]
"lvuvxc"="C:\WINDOWS\system32\lfqeye.exe" [2007-08-20 07:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"hscwa"="C:\WINDOWS\system32\lfqeye.exe" [2007-08-20 07:26]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-26 13:31:26]
emcff.exe [2007-02-12 13:26:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINDOWS\system32\cohix.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,mjomjka.exe"



Contents of the 'Scheduled Tasks' folder
2007-08-19 18:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-18 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
2005-05-16 23:03:31 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 07:25:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\cohix.exe
C:\WINDOWS\system32\mjomjka.exe
C:\WINDOWS\system32\rcfhk.dat

scan completed successfully
hidden files: 3

**************************************************************************

Completion time: 2007-08-20 7:28:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 07:27
C:\ComboFix2.txt ... 2007-08-20 07:12
C:\ComboFix3.txt ... 2007-08-19 15:46

--- E O F ---

and the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:28:52 AM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\aol\aol toolbar 4.0\AolTbServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 20 August 2007 - 09:14 AM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\lfqeye.exe

Folder::
C:\Program Files\Common Files\rybiv
C:\Program Files\Common Files\niwyr


Rootkit:
C:\WINDOWS\system32\cohix.exe
C:\WINDOWS\system32\mjomjka.exe
C:\WINDOWS\system32\rcfhk.dat

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hscwa"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP - Consumer Security 2008 - 2009

#11 kartoon

kartoon
  • Topic Starter

  • Members
  • 31 posts

Posted 20 August 2007 - 09:47 AM

the combo log


ComboFix 07-08-17.2 - "Compaq_Owner" 2007-08-20 10:40:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript..txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\lfqeye.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\niwyr\
C:\Program Files\Common Files\rybiv\
C:\WINDOWS\system32\cohix.exe\
C:\WINDOWS\system32\lfqeye.exe
C:\WINDOWS\system32\mjomjka.exe\
C:\WINDOWS\system32\rcfhk.dat\


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 07:26 28,672 --a------ C:\WINDOWS\system32\cohix.exe
2007-08-20 07:26 257 --a------ C:\WINDOWS\kawlp.dll
2007-08-20 07:26 23,552 --a------ C:\WINDOWS\system32\mjomjka.exe
2007-08-20 07:26 127,488 --a------ C:\WINDOWS\system32\rcfhk.dat
2007-08-19 17:27 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-19 15:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-15 20:19 <DIR> d-------- C:\Program Files\WinBudget
2007-08-03 19:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 07:19 --------- d-------- C:\Program Files\AWS
2007-08-15 11:20 --------- d--h----- C:\Program Files\BHO Plugin
2007-08-15 11:20 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:20 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-10 19:29 --------- d-------- C:\Program Files\LimeWire
2007-06-26 11:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-04-07 13:01 279 --a------ C:\Program Files\Common Files\rybiv
2006-08-13 12:48 657 --a------ C:\Program Files\Common Files\niwyr


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-04 19:54 C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2007-04-07 20:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" []
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-07 20:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-16 18:36]
"lvuvxc"="C:\WINDOWS\system32\lfqeye.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"hscwa"="C:\WINDOWS\system32\lfqeye.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-26 13:31:26]
emcff.exe [2007-02-12 13:26:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINDOWS\system32\cohix.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,mjomjka.exe"



Contents of the 'Scheduled Tasks' folder
2007-08-19 18:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-18 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
2005-05-16 23:03:31 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 10:42:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 10:43:07
C:\ComboFix-quarantined-files.txt ... 2007-08-20 10:42
C:\ComboFix2.txt ... 2007-08-20 07:28
C:\ComboFix3.txt ... 2007-08-20 07:12

--- E O F ---








hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 10:46:03 AM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\cfgwiz.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\aol\aol toolbar 4.0\AolTbServer.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe
c:\program files\aim6\anotify.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 kartoon

kartoon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 20 August 2007 - 11:37 AM

Just a small update.

This seems to have worked a lot so far. I would say the pop-ups have been cut by at least 90% or more.

I still notice a pop-up or 2 every so often, but it has been holding out very well.


I'm sure there is still more, but I just wanted to say you have done a great job basically fixing this... but also a great job walking me through all of this.

#13 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:06:36 PM

Posted 20 August 2007 - 11:45 AM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Rootkit::
C:\WINDOWS\system32\cohix.exe
C:\WINDOWS\kawlp.dll
C:\WINDOWS\system32\mjomjka.exe
C:\WINDOWS\system32\rcfhk.dat

Folder::
C:\Program Files\Common Files\rybiv
C:\Program Files\Common Files\niwyr

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lvuvxc"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hscwa"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=""
"Userinit"="C:\WINDOWS\system32\userinit.exe,"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP - Consumer Security 2008 - 2009


#14 kartoon

kartoon
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 20 August 2007 - 12:08 PM

COMBO LOG



ComboFix 07-08-17.2 - "Compaq_Owner" 2007-08-20 12:57:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.128 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\niwyr\
C:\Program Files\Common Files\rybiv\
C:\WINDOWS\kawlp.dll
C:\WINDOWS\system32\cohix.exe
C:\WINDOWS\system32\lfqeye.exe
C:\WINDOWS\system32\mjomjka.exe
C:\WINDOWS\system32\rcfhk.dat


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-19 17:27 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-19 15:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-15 20:19 <DIR> d-------- C:\Program Files\WinBudget
2007-08-03 19:07 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 07:19 --------- d-------- C:\Program Files\AWS
2007-08-15 11:20 --------- d--h----- C:\Program Files\BHO Plugin
2007-08-15 11:20 --------- d-------- C:\Program Files\Messenger
2007-08-15 11:20 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-10 19:29 --------- d-------- C:\Program Files\LimeWire
2007-06-26 11:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-04-07 13:01 279 --a------ C:\Program Files\Common Files\rybiv
2006-08-13 12:48 657 --a------ C:\Program Files\Common Files\niwyr


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-04 19:54 C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"IS CfgWiz"="c:\Program Files\Norton Internet Security\cfgwiz.exe" [2007-04-07 20:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" []
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-07 20:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-16 18:36]
"lvuvxc"="C:\WINDOWS\system32\lfqeye.exe" [2007-08-20 13:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"hscwa"="C:\WINDOWS\system32\lfqeye.exe" [2007-08-20 13:01]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-26 13:31:26]
emcff.exe [2007-02-12 13:26:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINDOWS\system32\cohix.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,mjomjka.exe"



Contents of the 'Scheduled Tasks' folder
2007-08-19 18:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-18 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
2005-05-16 23:03:31 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 13:01:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\cohix.exe
C:\WINDOWS\system32\mjomjka.exe
C:\WINDOWS\system32\rcfhk.dat

scan completed successfully
hidden files: 3

**************************************************************************

Completion time: 2007-08-20 13:03:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 13:02
C:\ComboFix2.txt ... 2007-08-20 10:43
C:\ComboFix3.txt ... 2007-08-20 07:28

--- E O F ---







Hijack This Log


Logfile of HijackThis v1.99.1
Scan saved at 1:07:59 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\aol\aol toolbar 4.0\AolTbServer.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
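
The logs in this post show why the infection keeps coming back: the Winlogon Shell and Userinit values still carry extra loaders (cohix.exe and mjomjka.exe), and catchme now reports those same files as hidden, so the first two scripts could not remove them. The following Python is an added example for readers of this thread; it is not code from the poster, ComboFix, HijackThis or catchme. It parses the F2 lines of a HijackThis log and the winlogon and catchme sections of a ComboFix log, reports every Winlogon entry beyond the Windows XP defaults (Explorer.exe and userinit.exe), and cross-references them against the hidden-file list. The sample lines are copied from the logs above; the function names are my own.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\cohix.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mjomjka.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe, C:\WINDOWS\system32\cohix.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,mjomjka.exe"
scanning hidden files ...

C:\WINDOWS\system32\cohix.exe
C:\WINDOWS\system32\mjomjka.exe
C:\WINDOWS\system32\rcfhk.dat

scan completed successfully
hidden files: 3
"""

# The only executables that belong in these Winlogon values on Windows XP.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# HijackThis F2 line and ComboFix "Reg Loading Points" line for the same two values.
HJT_F2 = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)
CF_REG = re.compile(r'^"(Shell|Userinit)"="(.*)"$', re.IGNORECASE)


def split_value(value: str) -> List[str]:
    """Split a comma-separated Winlogon value into its individual program entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def winlogon_extras(lines) -> Dict[str, List[str]]:
    """Return the Shell/Userinit entries that are not the expected Windows defaults."""
    found = {"shell": [], "userinit": []}
    for line in lines:
        stripped = line.strip()
        match = HJT_F2.match(stripped) or CF_REG.match(stripped)
        if not match:
            continue
        key = match.group(1).lower()
        for entry in split_value(match.group(2)):
            # Compare on the file name only: both full paths and bare names occur.
            if ntpath.basename(entry).lower() in EXPECTED[key]:
                continue
            if entry.lower() not in (e.lower() for e in found[key]):
                found[key].append(entry)
    return {"Shell": found["shell"], "Userinit": found["userinit"]}


def catchme_hidden_files(lines) -> List[str]:
    """Collect the paths catchme lists between 'scanning hidden files' and 'scan completed'."""
    hidden = []
    in_block = False
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("scanning hidden files"):
            in_block = True
            continue
        if in_block:
            if stripped.startswith("scan completed"):
                break
            if stripped:
                hidden.append(stripped)
    return hidden


def analyze(text: str) -> dict:
    """Cross-reference rogue Winlogon loaders with the files catchme reports as hidden."""
    lines = text.splitlines()
    extras = winlogon_extras(lines)
    hidden = catchme_hidden_files(lines)
    hidden_names = {ntpath.basename(p).lower() for p in hidden}
    # A loader that is both a Winlogon extra and a hidden file survives ordinary deletion,
    # which is exactly the situation the second CFScript in this thread ran into.
    hidden_loaders = [
        entry
        for key in ("Shell", "Userinit")
        for entry in extras[key]
        if ntpath.basename(entry).lower() in hidden_names
    ]
    return {"winlogon_extras": extras, "hidden_files": hidden, "hidden_loaders": hidden_loaders}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key, entries in report["winlogon_extras"].items():
        print(f"{key} extras: {entries}")
    print(f"hidden files: {len(report['hidden_files'])}")
    print(f"hidden loaders: {report['hidden_loaders']}")
```

Run against the sample, the report lists cohix.exe as the Shell extra and mjomjka.exe as the Userinit extra, and flags both as hidden loaders; the third hidden file, rcfhk.dat, is not a loader itself and shows up only in the hidden-file list. A clean machine yields empty extras for both keys.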

#15 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:06:36 PM

Posted 20 August 2007 - 01:04 PM

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.
Don't run any tools suggested in the log, if any. I need to see its contents first.
Microsoft MVP - Consumer Security 2008 - 2009
