Ad Pop-ups - System Doctor, Winantivirus, Virtumonde


23 replies to this topic

#1 coffeefiend1

Posted 05 September 2007 - 09:27 AM

This is my HijackThis log. I have tried using anti-spyware scanners but I still get pop-ups. I've also tried to disable some items in msconfig, but I don't want to disable something I need. The pop-ups that I get are SystemDoctor2006, Winantivirus, and ErrorSafe. I've spent way too much time trying to figure this out, so any help would be greatly appreciated. Thanks, Zach

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:39 AM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lrdisxaA] C:\WINDOWS\lrdisxaA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunOnce: [PM_reg] c:\windows\regedit.exe /s c:\sysprep\Nic_pm.reg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189000675890
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5023 bytes

#2 RichieUK
  • Malware Response Team

Posted 05 September 2007 - 10:05 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum coffeefiend1 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

First of all, you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed, update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), post that log into your next reply please.

#3 coffeefiend1
  • Topic Starter

Posted 05 September 2007 - 12:57 PM

Thank you for the reply. I was using Comodo as what I thought was an antivirus. I downloaded Avira AntiVir, which is being pretty freakin' annoying. Sometimes it beeps every two seconds to say there is a trojan infection, which I tried deleting or denying access to. The same thing keeps popping up. I will have to leave for work soon, so I will continue the other steps tonight. Thanks again and hope to hear from you soon.


ComboFix 07-09-05.5 - "Owner" 2007-09-05 13:26:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.152 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\macromedia\Flash Player\#SharedObjects\6A3LDPN5\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1\YSTEM3~1
C:\DOCUME~1\Owner\err.log
C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1
C:\Program Files\asks~1
C:\Program Files\asks~1\?asks\
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\elihfteb.exe
C:\WINDOWS\system32\F1
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\F4
C:\WINDOWS\system32\F5
C:\WINDOWS\system32\F9
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\wcpicomsv32.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak2
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-05 13:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 13:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-09-05 10:42 125,504 --a------ C:\WINDOWS\system32\gcsmxwte.dll
2007-09-05 10:39 70,208 --a------ C:\WINDOWS\system32\pralthdt.dll
2007-09-05 10:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 03:39 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-05 03:36 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-09-03 08:07 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2007-09-03 07:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-02 06:45 3,336 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-02 06:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-02 06:44 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-02 06:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-02 05:10 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-09-02 05:08 <DIR> d-------- C:\Program Files\RogueRemover
2007-08-31 10:49 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-08-22 01:31 125,504 --a------ C:\WINDOWS\system32\qcuxtxan.dll
2007-08-12 17:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BOC425
2007-08-11 00:54 125,504 --a------ C:\WINDOWS\system32\inewejir.dll
2007-08-10 23:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-10 23:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-10 23:39 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-10 23:37 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-10 23:36 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-10 02:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-10 02:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-10 02:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-07 02:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-07 00:24 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-08-07 00:24 208,896 --a------ C:\WINDOWS\CMDLIC.DLL


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-05 01:02 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-09-05 01:02 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-31 23:08 --------- d-------- C:\Program Files\Google
2007-08-31 11:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-31 11:04 --------- d-------- C:\Program Files\The Print Shop 20
2007-08-31 11:04 --------- d-------- C:\Program Files\support.com
2007-08-31 11:04 --------- d-------- C:\Program Files\QuickTime
2007-08-31 11:04 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-21 00:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-08-13 23:34 --------- d-------- C:\Program Files\BigFix
2007-08-12 17:53 --------- d-------- C:\Program Files\Comodo
2007-08-12 09:24 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\McAfee
2007-08-12 09:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-10 23:28 --------- d-------- C:\Program Files\Yahoo!
2007-08-03 23:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-03 23:19 125504 --a------ C:\WINDOWS\system32\xwjxlmws.dll
2007-08-02 01:02 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-08-02 01:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 10:13 69184 --a------ C:\WINDOWS\system32\wjiycetv.dll
2007-07-29 19:50 228960 --------- C:\WINDOWS\system32\ddcyx.dll
2007-07-29 19:45 31254 --------- C:\WINDOWS\system32\wvursro.dll
2007-07-29 15:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace
2007-07-07 02:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-29 19:45 31254 --------- C:\WINDOWS\system32\wvursro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BC24A92-EEB3-4FB3-BF38-8527F8E2C11A}]
C:\Program Files\Common Files\hokev83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E10E360A-E8C0-49EE-AB8C-3671DA2BF0C8}]
C:\WINDOWS\system32\mllji.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 17:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 17:54]
"lrdisxaA"="C:\WINDOWS\lrdisxaA.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-10-11 14:07]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-02 00:57]
"BOC-425"="" []
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 15:00]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2004-10-02 19:34]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 15:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"PM_reg"=c:\windows\regedit.exe /s c:\sysprep\Nic_pm.reg

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2006-10-11 14:11:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\wvursro.dll [2007-07-29 19:45 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvursro]
wvursro.dll 2007-07-29 19:45 31254 C:\WINDOWS\system32\wvursro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"DomainService"=2 (0x2)
"mcupdmgr.exe"=2 (0x2)

R3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys


Contents of the 'Scheduled Tasks' folder
"2007-04-18 10:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-05 17:39:02 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job"
- c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-05 17:06:01 C:\WINDOWS\Tasks\McAfee.com Update Check (OWNER-C15BBDE69-Owner).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-05 17:39:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 13:38:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 13:41:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 13:41

--- E O F ---
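The "Files Created" listing in the ComboFix log above shows four randomly named DLLs in system32 (gcsmxwte.dll, qcuxtxan.dll, inewejir.dll, xwjxlmws.dll) that all have exactly the same size, 125,504 bytes, which is the footprint of a dropper re-writing one payload under a fresh name on each run. The following script is an added example, not part of the thread or of ComboFix: it parses listing lines in this format and groups random-named system32 binaries by size. The sample input is constructed from lines in the post above plus a few benign entries, and the "random name" test (6-10 lowercase letters, no digits) is this example's own heuristic, not a ComboFix rule.

```python
"""Triage a ComboFix 'Files Created' / 'Find3M' listing for same-size, random-named binaries."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the ComboFix listing in the post
# above plus benign entries. Format: date time size attributes path.
SAMPLE_LISTING = r"""
2007-09-05 13:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 10:42 125,504 --a------ C:\WINDOWS\system32\gcsmxwte.dll
2007-09-05 10:39 70,208 --a------ C:\WINDOWS\system32\pralthdt.dll
2007-09-05 10:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-22 01:31 125,504 --a------ C:\WINDOWS\system32\qcuxtxan.dll
2007-08-11 00:54 125,504 --a------ C:\WINDOWS\system32\inewejir.dll
2007-08-10 23:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-10 23:39 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-03 23:19 125504 --a------ C:\WINDOWS\system32\xwjxlmws.dll
2007-08-31 23:08 --------- d-------- C:\Program Files\Google
"""

# Size is "51,200" (Files Created), "125504" (Find3M), "<DIR>" or "---------" (directory).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>|-+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

BINARY_EXTS = {".dll", ".exe", ".sys"}


def parse_listing(text):
    """Return one dict per listing line; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, blank lines, anything else
        size_field = m.group("size")
        size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
        entries.append({
            "date": m.group("date"),
            "time": m.group("time"),
            "size": size,
            "hidden": "h" in m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def looks_random(filename):
    """Heuristic (this example's assumption, not a ComboFix rule): a stem of
    6-10 lowercase letters with no digits, the shape of auto-generated DLL names."""
    stem = PureWindowsPath(filename).stem
    return re.fullmatch(r"[a-z]{6,10}", stem) is not None


def find_size_clusters(entries, min_members=2):
    """Group random-named system32 binaries by byte size and return the sizes
    shared by at least `min_members` distinct files, with sorted file names."""
    by_size = defaultdict(set)
    for e in entries:
        if e["size"] is None:
            continue
        p = PureWindowsPath(e["path"])
        in_system32 = p.parent.name.lower() == "system32"
        if in_system32 and p.suffix.lower() in BINARY_EXTS and looks_random(p.name):
            by_size[e["size"]].add(p.name)
    return {size: sorted(names) for size, names in by_size.items()
            if len(names) >= min_members}


if __name__ == "__main__":
    for size, names in find_size_clusters(parse_listing(SAMPLE_LISTING)).items():
        print(f"{size} bytes: {', '.join(names)}")
```

Run as-is it reports the single 125,504-byte cluster; pralthdt.dll is random-looking too but stands alone, and zllictbl.dat is excluded because only .dll/.exe/.sys are considered. Paste a real listing into SAMPLE_LISTING to triage a log of your own.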

#4 RichieUK
  • Malware Response Team

Posted 05 September 2007 - 03:40 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\gcsmxwte.dll
C:\WINDOWS\system32\pralthdt.dll
C:\WINDOWS\system32\qcuxtxan.dll
C:\WINDOWS\system32\inewejir.dll
C:\WINDOWS\system32\xwjxlmws.dll
C:\WINDOWS\system32\wjiycetv.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\wvursro.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BC24A92-EEB3-4FB3-BF38-8527F8E2C11A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E10E360A-E8C0-49EE-AB8C-3671DA2BF0C8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lrdisxaA"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvursro]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), post that log into your next reply please.

Edited by RichieUK, 05 September 2007 - 03:41 PM.


#5 coffeefiend1
  • Topic Starter

Posted 06 September 2007 - 02:22 AM

Here is the second ComboFix scan. Is it normal for the AntiVir antivirus to lock the computer up? I've had to do a hard reboot about 4 times since I installed it because it would stop responding and nothing else would work. I tried Ctrl-Alt-Delete and restart and they wouldn't work. Thanks, Zach.


ComboFix 07-09-05.5 - "Owner" 2007-09-06 2:53:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.147 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddcyx.dll


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-05 13:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 13:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-09-05 10:42 125,504 --a------ C:\WINDOWS\system32\gcsmxwte.dll
2007-09-05 10:39 70,208 --a------ C:\WINDOWS\system32\pralthdt.dll
2007-09-05 10:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 03:39 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-05 03:36 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-09-03 08:07 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2007-09-03 07:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-02 06:45 3,336 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-02 06:44 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-02 06:44 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-02 06:44 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-02 05:10 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-09-02 05:08 <DIR> d-------- C:\Program Files\RogueRemover
2007-08-31 10:49 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-08-22 01:31 125,504 --a------ C:\WINDOWS\system32\qcuxtxan.dll
2007-08-12 17:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BOC425
2007-08-11 00:54 125,504 --a------ C:\WINDOWS\system32\inewejir.dll
2007-08-10 23:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-10 23:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-10 23:39 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-10 23:37 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-10 23:36 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-10 02:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-10 02:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-10 02:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-07 02:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-07 00:24 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-08-07 00:24 208,896 --a------ C:\WINDOWS\CMDLIC.DLL


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 03:01 --------- d-------- C:\Program Files\Microsoft Money
2007-09-05 01:02 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-09-05 01:02 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-31 23:08 --------- d-------- C:\Program Files\Google
2007-08-31 11:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-31 11:04 --------- d-------- C:\Program Files\The Print Shop 20
2007-08-31 11:04 --------- d-------- C:\Program Files\support.com
2007-08-31 11:04 --------- d-------- C:\Program Files\QuickTime
2007-08-31 11:04 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-21 00:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-08-13 23:34 --------- d-------- C:\Program Files\BigFix
2007-08-12 17:53 --------- d-------- C:\Program Files\Comodo
2007-08-12 09:24 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\McAfee
2007-08-12 09:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-10 23:28 --------- d-------- C:\Program Files\Yahoo!
2007-08-03 23:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-03 23:19 125504 --a------ C:\WINDOWS\system32\xwjxlmws.dll
2007-08-02 01:02 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-08-02 01:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 10:13 69184 --a------ C:\WINDOWS\system32\wjiycetv.dll
2007-07-29 19:45 31254 --------- C:\WINDOWS\system32\wvursro.dll
2007-07-29 15:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace
2007-07-07 02:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL


((((((((((((((((((((((((((((( snapshot_2007-09-05_134015.96 )))))))))))))))))))))))))))))))))))))))))

----a-w 14,048 2005-02-25 00:35:06 C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\spmsg.dll
----a-w 209,632 2005-02-25 00:35:06 C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\spuninst.exe
----a-w 925,184 2005-08-31 22:49:28 C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\sp1qfe\asms\60\msft\windows\common\controls\comctl32.dll
----a-w 30,720 2005-09-26 21:36:24 C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\update\arpidfix.exe
----a-w 22,240 2005-02-25 00:35:06 C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\update\spcustom.dll
----a-w 718,048 2005-02-25 00:35:06 C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\update\update.exe
----a-w 371,936 2005-02-25 00:35:08 C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\update\updspapi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-29 19:45 31254 --------- C:\WINDOWS\system32\wvursro.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 15:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2006-10-11 14:11:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\wvursro.dll [2007-07-29 19:45 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvursro]
wvursro.dll 2007-07-29 19:45 31254 C:\WINDOWS\system32\wvursro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"DomainService"=2 (0x2)
"mcupdmgr.exe"=2 (0x2)

R3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys


Contents of the 'Scheduled Tasks' folder
"2007-04-18 10:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-06 06:59:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job"
- c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-06 07:00:00 C:\WINDOWS\Tasks\McAfee.com Update Check (OWNER-C15BBDE69-Owner).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-06 07:01:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 02:59:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 3:03:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 03:02
C:\ComboFix2.txt ... 2007-09-05 13:41

--- E O F ---

#6 coffeefiend1
  • Topic Starter

Posted 06 September 2007 - 02:50 AM

Here is the second HijackThis log. Thanks for the help, Zach.

Logfile of HijackThis v1.99.1
Scan saved at 3:46:34 AM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\abc.bat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\wvursro.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189000675890
O20 - Winlogon Notify: wvursro - C:\WINDOWS\SYSTEM32\wvursro.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#7 RichieUK
Malware Response Team

Posted 06 September 2007 - 07:44 AM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\WINDOWS\system32\gcsmxwte.dll
C:\WINDOWS\system32\pralthdt.dll
C:\WINDOWS\system32\qcuxtxan.dll
C:\WINDOWS\system32\inewejir.dll
C:\WINDOWS\system32\xwjxlmws.dll
C:\WINDOWS\system32\wjiycetv.dll
C:\WINDOWS\system32\wvursro.dll

Still in Safe Mode, have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\wvursro.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: wvursro - C:\WINDOWS\SYSTEM32\wvursro.dll


Restart your pc normally.
Post a new Hijackthis log please.
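The entries RichieUK singles out above can be picked out mechanically. The script below is an added example written for this page, not RichieUK's method and not a HijackThis feature: it parses HijackThis v2 entry lines and flags an unnamed O2 BHO loading from system32, any O20 Winlogon Notify DLL, O15 ProtocolDefaults entries that sit in the My Computer (Local Machine) zone, and a DLL that turns up under more than one load point, which is exactly the O2/O20 pairing on wvursro.dll. The sample log is a constructed excerpt modelled on the thread's log; the rule names, the Finding type and the cross-match logic are this example's own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt in HijackThis v2.0.2 format, modelled on the thread's log.
# The paths are the ones from the thread; the selection of lines is ours.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\wvursro.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: wvursro - C:\WINDOWS\SYSTEM32\wvursro.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# One HijackThis entry: section tag (R0..R3, F0..F3, O1..O24), " - ", then the detail.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
SYSTEM32_RE = re.compile(r"\\(?:windows|winnt)\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section the finding comes from ("O2+O20" for a cross-match)
    reason: str
    detail: str  # the offending log line, or the DLL name for a cross-match


def parse(log_text):
    """Yield (kind, body, line) for each entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def last_path(body):
    """O2 and O20 entries put the on-disk path in the last ' - ' separated field."""
    return body.rsplit(" - ", 1)[-1].strip()


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return the entries a helper would ask to have fixed, in log order, cross-matches last."""
    findings = []
    load_points = defaultdict(set)  # dll basename -> sections that load it
    for kind, body, line in parse(log_text):
        if kind == "O2":
            path = last_path(body)
            load_points[basename(path)].add(kind)
            if "(no name)" in body and SYSTEM32_RE.search(path):
                findings.append(Finding(kind, "unnamed BHO loading a DLL from system32", line))
        elif kind == "O20":
            path = last_path(body)
            load_points[basename(path)].add(kind)
            # HijackThis does not list the standard Notify DLLs, so anything shown here
            # runs inside winlogon.exe at every logon, Safe Mode included.
            findings.append(Finding(kind, "non-default Winlogon Notify DLL", line))
        elif kind == "O15" and "is in My Computer Zone" in body:
            findings.append(Finding(kind, "protocol mapped to the Local Machine zone, weakening IE zone policy", line))
    for name, kinds in sorted(load_points.items()):
        if len(kinds) > 1:
            findings.append(Finding("+".join(sorted(kinds)), "same DLL registered at more than one load point", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}: {f.detail}")
```

Run it against a full log by reading the file into `triage()`; the cross-match is the part worth keeping an eye on, since a random-looking DLL that is both a BHO and a Winlogon Notify handler is loaded by Internet Explorer and by winlogon, and removing only one of the two entries leaves it resident.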

#8 coffeefiend1

Topic Starter

Posted 06 September 2007 - 10:59 AM

Thanks for helping but there were some problems with the instructions. I wasn't able to get to the option of hidden files and folders the way that you instructed. I did however get to see the files a different way. I was able to delete the files that you advised except for c:\WINDOWS\system32\wvursro.dll. I am not able to delete the file because it is in use even in safe mode. I'm not sure at what point my msconfig file disappeared but I am no longer able to find it. Can Microsoft suck any worse or is it me that's having issues? :thumbsup: I don't think I will be able to delete c:\WINDOWS\system32\wvursro.dll until I can disable what is using that file at startup. Should I try the HijackThis fix you instructed before that file is deleted or should I get it deleted first? Hopefully you have an idea on how to resolve this. Look forward to hearing from you. Zach

#9 RichieUK

Malware Response Team


Posted 06 September 2007 - 11:03 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\wvursro.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
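The reason wvursro.dll could not be deleted even in Safe Mode is that winlogon.exe loads every registered Winlogon Notify DLL at logon, and Safe Mode still runs winlogon. Avenger works around that by running from a service key of its own (the randomly named key shown in its log) and deleting the file during boot, before anything loads it. As an added example, not Avenger's code and not part of the original thread, the Python below shows the built-in Windows mechanism for the same job: MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the deletion in the PendingFileRenameOperations value for the Session Manager to process at the next boot. The helper names and the parsing of the registry value are this example's assumptions; the value layout (source/target string pairs, an empty target meaning delete, the \??\ NT path prefix) is Windows' own. The scheduling call only works on Windows and needs an administrator account.

```python
import sys

NT_PREFIX = "\\??\\"   # object-manager prefix Session Manager expects on each path
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def to_nt_path(win_path):
    r"""Turn C:\dir\file.dll into \??\C:\dir\file.dll; leave already-prefixed paths alone."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def pending_rename_entries(paths_to_delete):
    r"""Build the REG_MULTI_SZ list Windows stores under
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations.
    Strings come in pairs (source, target); an empty target means 'delete the source'."""
    entries = []
    for p in paths_to_delete:
        entries.append(to_nt_path(p))
        entries.append("")
    return entries


def parse_pending_renames(entries):
    """Inverse of the above: (source, target) pairs, target None meaning delete.
    Worth running when auditing a machine, since a dropper that self-deletes
    after install uses the same API and leaves its path queued here until reboot."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must contain source/target pairs")
    return [(src, dst or None) for src, dst in zip(entries[0::2], entries[1::2])]


def schedule_delete_at_reboot(path):
    """Queue `path` for deletion before winlogon starts. Windows only; needs an admin token."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Windows API; nothing to do on this platform")
    import ctypes
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    kernel32.MoveFileExW.restype = wintypes.BOOL
    # NULL target plus the delay flag means "delete at next boot"; Windows writes
    # the \??\ form into the registry value itself.
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return pending_rename_entries([path])


if __name__ == "__main__":
    # Path from the thread; pass --apply on Windows (as admin) to actually queue it.
    target = r"C:\WINDOWS\system32\wvursro.dll"
    print(pending_rename_entries([target]))
    if "--apply" in sys.argv:
        schedule_delete_at_reboot(target)
        print("queued; reboot to complete")
```

Deleting the file is only half the job: the O20 Winlogon Notify and O2 BHO registry entries that point at it still have to be removed (the HijackThis fix RichieUK listed in his earlier post), otherwise winlogon and Internet Explorer keep trying to load a DLL that is no longer there.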

#10 coffeefiend1

Topic Starter


Posted 06 September 2007 - 11:24 AM

Thanks for the advice and I downloaded Avenger. Here is the log:
I will go ahead and do the Hijack This log now.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\olroouuq

*******************

Script file located at: \??\C:\Documents and Settings\gpiuvifl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\wvursro.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#11 coffeefiend1

Topic Starter


Posted 06 September 2007 - 11:47 AM

Here is the new Hijack This log file:
I hope it is free of viruses now but I still don't see a msconfig file and when I go to the start tab and click "All Programs" there isn't anything there. There is a little bit more to do isn't there? I will have to go to work in a few minutes so I will have to get back to this later. Thanks for the help. Zach

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:53 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189000675890
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4258 bytes

#12 RichieUK

Malware Response Team


Posted 06 September 2007 - 12:06 PM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new Hijackthis log please.

#13 coffeefiend1

Topic Starter


Posted 07 September 2007 - 12:22 AM

Thanks for the reply. There was a problem installing superantispyware. I don't know if you would know how to resolve that but it came up as an internal error and wasn't able to install.

#14 RichieUK

Malware Response Team


Posted 07 September 2007 - 04:07 AM

Download/unzip/install Dial-a-Fix from here:
http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip
Launch the program, place a check in the 'MSI' box 'Fix Windows Installer'.
Then click on 'GO' at the bottom.
Restart your pc when Dial-a-Fix has done.
Are you now able to install SuperAntiSpyware?

If you're not, carry on with the BitDefender instructions please.

#15 coffeefiend1

Topic Starter


Posted 07 September 2007 - 09:12 AM

I downloaded Dial-a-Fix as you instructed and had it fix Windows Installer but it seems like I'm at a roadblock. SuperAntiSpyware would still not install. I tried the BitDefender scan but it was requiring an Internet Explorer update. I tried updating but there was an issue. HDC problem? After it finished installing with that issue I tried to get online using Internet Explorer but it would not do anything. I right clicked the icon to check properties and made sure I added my broadband connection in settings. This is just a little agitating.
