
Trojan Vundoo


  • This topic is locked
10 replies to this topic

#1 al d

al d

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 30 October 2007 - 07:15 AM

I have unsuccessfully tried to get rid of Trojan Vundoo (fcccabc.dll).
Have downloaded and tried a half-dozen solutions including fixvundoo and combofix
Norton still "finds" it - and opens a popup
Machine is very slow because it hogs memory constantly "finding" it
Machine was rebuilt less than 60 days ago
Fully patched
Using Norton and Webroot
hijackthis log is attached.
Can you please help?
Thank you
Al Dashevsky


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:55 AM

Posted 30 October 2007 - 10:53 AM

Hi,

Please do not attach your logs, but copy and paste them in the thread instead.

* Download ComboFix from here.
**Save it to your desktop**

In case you have used Combofix before, please delete the version you have and download it again, because Combofix is updated every day.

In case your antivirus or any other realtime scanner displays an alert after you download Combofix or while you use it, please disable your scanner and redownload Combofix, because some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.


* Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 al d

al d
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 31 October 2007 - 08:04 AM

As requested:

combofix.txt (log)

ComboFix 07-10-30.2 - Owner 2007-10-31 8:51:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-30 08:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 06:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 05:56 <DIR> d-------- C:\VundoFix Backups
2007-10-29 17:32 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-24 20:59 35,328 --a------ C:\WINDOWS\system32\fcccabc.dll
2007-10-24 20:58 31,744 -r-hs---- C:\WINDOWS\system\msigsvc.exe
2007-10-18 21:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-18 21:48 <DIR> d-------- C:\Program Files\Yahtzee
2007-10-18 21:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpinTop
2007-10-18 20:50 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-10-18 20:50 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-10-13 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-10-13 17:07 <DIR> d-------- C:\My Games
2007-10-13 17:06 <DIR> d-------- C:\My Download Files
2007-10-13 17:00 <DIR> d-------- C:\Program Files\Real
2007-10-13 17:00 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-10-13 16:58 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-09 14:53 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-06 22:42 <DIR> d-------- C:\Program Files\Yahoo! Games
2007-10-06 22:42 <DIR> d-------- C:\Program Files\TryMedia
2007-10-04 13:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-10-04 13:47 <DIR> d-------- C:\Program Files\iTunes
2007-10-04 13:47 <DIR> d-------- C:\Program Files\iPod
2007-10-04 13:46 <DIR> d-------- C:\Program Files\QuickTime
2007-10-04 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-04 13:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-04 13:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-04 13:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-04 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-28 10:25 <DIR> d-------- C:\Program Files\MySpace
2007-09-28 10:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-09-23 11:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Viewpoint
2007-09-23 09:31 <DIR> d-------- C:\Program Files\Picasa2
2007-09-23 09:31 <DIR> d-------- C:\Program Files\Google
2007-09-23 09:25 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-22 21:24 <DIR> d-------- C:\Program Files\Lx_cats
2007-09-22 21:24 <DIR> d-------- C:\Program Files\Lexmark 810 Series
2007-09-22 21:24 <DIR> d-------- C:\Program Files\Lexmark
2007-09-22 10:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2007-09-22 08:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-09-22 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-22 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-09-22 08:54 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-22 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-22 08:53 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-22 08:53 <DIR> d-------- C:\Program Files\AIM6
2007-09-22 08:53 335 --a------ C:\WINDOWS\nsreg.dat
2007-09-22 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-21 19:58 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-21 19:58 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-20 23:40 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-09-20 23:27 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-09-20 23:21 40,960 --a------ C:\WINDOWS\uneng.exe
2007-09-20 23:20 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2007-09-20 23:20 <DIR> d-------- C:\Program Files\Adaptec
2007-09-20 23:16 <DIR> d-------- C:\WINDOWS\ShellNew
2007-09-20 23:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2007-09-20 23:09 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-20 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-09-20 23:09 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-09-20 23:09 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-20 23:09 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-20 23:09 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-20 23:09 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-20 22:44 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-20 22:44 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-20 22:44 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-20 22:36 <DIR> d-------- C:\Program Files\Webroot
2007-09-20 22:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2007-09-20 22:32 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-09-20 22:32 <DIR> d-------- C:\Program Files\Symantec
2007-09-20 22:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-20 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-20 22:32 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-20 22:32 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-20 22:02 <DIR> d-------- C:\WINDOWS\provisioning
2007-09-20 22:02 <DIR> d-------- C:\WINDOWS\peernet
2007-09-20 22:01 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-20 21:55 <DIR> d-------- C:\WINDOWS\EHome
2007-09-20 21:38 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-09-20 21:38 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-09-20 16:11 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-09-20 16:11 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2007-09-20 16:10 <DIR> dr------- C:\Program Files
2007-09-20 16:10 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-09-20 16:09 <DIR> d-------- C:\Documents and Settings

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-23 01:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-21 03:21 45,056 ----a-w C:\WINDOWS\system32\cdrtc.dll
2007-09-21 03:21 45,056 ----a-w C:\WINDOWS\system32\cdral.dll
2007-09-21 03:14 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-21 00:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-21 00:35 --------- d-----w C:\Program Files\Broadcom
2007-09-21 00:31 --------- d-----w C:\Program Files\Analog Devices
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-09 13:09 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5EB899-4E67-4E17-A95F-C5211AD736B3}]
2007-10-24 20:59 35328 --a------ C:\WINDOWS\system32\fcccabc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD306721-2701-47ED-A3FE-D51EF349FA8D}]
C:\WINDOWS\system32\vtstr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 10:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LXBSCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 12:26]
"MemoryCardManager"="C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe" [2004-02-02 13:58]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2007-07-19 22:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E5EB899-4E67-4E17-A95F-C5211AD736B3}"= C:\WINDOWS\system32\fcccabc.dll [2007-10-24 20:59 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccabc]
fcccabc.dll 2007-10-24 20:59 35328 C:\WINDOWS\system32\fcccabc.dll

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 WzaSvc;Windows Zero Adapter;"C:\WINDOWS\system\msigsvc.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 16:00:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 08:55:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-31 8:58:12
C:\ComboFix2.txt ... 2007-10-31 08:43
C:\ComboFix3.txt ... 2007-10-31 08:28
.
--- E O F ---


hijackthis.txt (log)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:55 AM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system\msigsvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E5EB899-4E67-4E17-A95F-C5211AD736B3} - C:\WINDOWS\system32\fcccabc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BD306721-2701-47ED-A3FE-D51EF349FA8D} - C:\WINDOWS\system32\vtstr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Yahtzee/Images/stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190335326265
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Yahtzee/Images/armhelper.ocx
O20 - Winlogon Notify: fcccabc - C:\WINDOWS\SYSTEM32\fcccabc.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Zero Adapter (WzaSvc) - Unknown owner - C:\WINDOWS\system\msigsvc.exe

--
End of file - 5741 bytes



=========================================

Thank you very much for looking into this ...

Any help in killing this worm will be appreciated -

Finally - any idea where/how it was acquired - some things/places to avoid?

Al Dashevsky

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:55 AM

Posted 31 October 2007 - 08:25 AM

Finally - any idea where/how it was acquired - some things/places to avoid?

Yes, it is getting installed via crack sites/keygen sites and via p2p software.

Please disable your Spysweeper, because it may interfere with the fixes and make your system unstable.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\fcccabc.dll

Collect::[8]
C:\WINDOWS\system\msigsvc.exe

Folder::
C:\VundoFix Backups

Driver::
WzaSvc

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5EB899-4E67-4E17-A95F-C5211AD736B3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD306721-2701-47ED-A3FE-D51EF349FA8D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E5EB899-4E67-4E17-A95F-C5211AD736B3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccabc]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again.
* it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* another file will be present on your desktop: CF-Submit.htm which will open after you have run Combofix.
* Where it says: "Submit files for further analysis", click OK and a browser Window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
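The two logs in the previous post and the CFScript in this one can be correlated mechanically. The Python below is an added example (not BleepingComputer's, HijackThis' or ComboFix's own code): it parses the HijackThis O2/O4/O20/O23 lines and the ComboFix 'Reg Loading Points' section, flags the binaries the analyst acted on, and builds the Registry:: block of a CFScript in the form used above. The log excerpts are copied from this thread; the flagging heuristics and all function names are this example's own assumptions.

```python
"""Correlate HijackThis load points with the ComboFix 'Reg Loading Points'
section, flag binaries worth a second look, and emit the Registry:: block of a
CFScript for one of them.  Excerpts below are copied from the thread's logs."""
import re
from collections import defaultdict

# Constructed sample: excerpt of the HijackThis log posted above.
HJT_EXCERPT = r"""
O2 - BHO: (no name) - {0E5EB899-4E67-4E17-A95F-C5211AD736B3} - C:\WINDOWS\system32\fcccabc.dll
O2 - BHO: (no name) - {BD306721-2701-47ED-A3FE-D51EF349FA8D} - C:\WINDOWS\system32\vtstr.dll (file missing)
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O20 - Winlogon Notify: fcccabc - C:\WINDOWS\SYSTEM32\fcccabc.dll
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Windows Zero Adapter (WzaSvc) - Unknown owner - C:\WINDOWS\system\msigsvc.exe
"""
# Constructed sample: excerpt of the 'Reg Loading Points' section of the first ComboFix log.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E5EB899-4E67-4E17-A95F-C5211AD736B3}]
2007-10-24 20:59 35328 --a------ C:\WINDOWS\system32\fcccabc.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E5EB899-4E67-4E17-A95F-C5211AD736B3}"= C:\WINDOWS\system32\fcccabc.dll [2007-10-24 20:59 35328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccabc]
fcccabc.dll 2007-10-24 20:59 35328 C:\WINDOWS\system32\fcccabc.dll
R2 WzaSvc;Windows Zero Adapter;"C:\WINDOWS\system\msigsvc.exe"
"""
# A Windows path ending in a PE/driver extension; stops at quotes, commas or line end.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll|sys|ocx)', re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_hijackthis(text):
    """Map binary basename -> [(section, detail)] for every Oxx line naming a file."""
    points = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"(O\d+) - (.*)", line)
        paths = PATH_RE.findall(line)
        if m and paths:
            # take the last path so 'rundll32 C:\...\foo.dll' maps to foo.dll
            points[basename(paths[-1])].append((m.group(1), m.group(2)))
    return points

def parse_combofix_loading_points(text):
    """Map basename -> [(registry key or 'service:NAME', raw line)]."""
    points = defaultdict(list)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a registry key header
            continue
        svc = re.match(r"R\d (\w+);", line)   # R0/R2 driver and service lines
        if svc:
            key = "service:" + svc.group(1)
        if key:
            for path in PATH_RE.findall(line):
                points[basename(path)].append((key, line))
    return points

def triage(hjt_points, cf_points):
    """Return {basename: [reasons]}.  Heuristics are this example's own, modelled
    on what the analyst acted on: unnamed BHO, Winlogon Notify, unknown-owner
    service, ShellExecuteHook, or one file wired into several load-point types."""
    flags = defaultdict(list)
    for name, entries in hjt_points.items():
        for section, detail in entries:
            if section == "O2" and "(no name)" in detail:
                flags[name].append("unnamed BHO")
            if section == "O20":
                flags[name].append("Winlogon Notify package")
            if section == "O23" and "Unknown owner" in detail:
                flags[name].append("service with unknown owner")
        sections = {s for s, _ in entries}
        if len(sections) > 1:
            flags[name].append("hooked by %d load-point types" % len(sections))
    for name, entries in cf_points.items():
        if any("ShellExecuteHooks" in k for k, _ in entries):
            flags[name].append("ShellExecuteHook")
    return dict(flags)

def cfscript_registry_block(cf_points, name):
    """Registry:: section removing the load points ComboFix recorded for `name`,
    in the thread's form: whole keys as [-KEY], a single value as "value"=-."""
    lines = ["Registry::"]
    for key, raw in cf_points.get(name, []):
        if key.startswith("service:"):
            continue                  # services belong under Driver::, not Registry::
        if key.endswith("ShellExecuteHooks"):
            clsid = raw.split("=", 1)[0]      # the quoted CLSID value name
            lines += ["[%s]" % key, clsid + "=-"]
        else:
            lines.append("[-%s]" % key)
    return "\n".join(lines)

if __name__ == "__main__":
    hjt, cf = parse_hijackthis(HJT_EXCERPT), parse_combofix_loading_points(COMBOFIX_EXCERPT)
    for name, reasons in sorted(triage(hjt, cf).items()):
        print("%-14s %s" % (name, "; ".join(reasons)))
    print(cfscript_registry_block(cf, "fcccabc.dll"))
```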

#5 al d

al d
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 31 October 2007 - 08:58 AM

Followed the instructions - combofix attempted to reboot the computer and it hung.
Please advise.
Thank you
Al Dashevsky

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:55 AM

Posted 31 October 2007 - 09:03 AM

Please reboot manually.
Then post a new HijackThislog.

Did you disable Spysweeper as requested? Because I posted before that Spysweeper needs to be disabled, because it may make the system unstable, since it may interfere with Combofix.

#7 al d

al d
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 31 October 2007 - 09:23 AM

System (finally) rebooted on its own

------------------------------------------

ComboFix 07-10-30.2 - Owner 2007-10-31 9:53:10.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.224 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\fcccabc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system\msigsvc.exe
C:\WINDOWS\system32\fcccabc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WZASVC
-------\WzaSvc


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-30 08:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 06:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 17:32 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-18 21:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-18 21:48 <DIR> d-------- C:\Program Files\Yahtzee
2007-10-18 21:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpinTop
2007-10-18 20:50 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-10-18 20:50 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-10-13 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-10-13 17:07 <DIR> d-------- C:\My Games
2007-10-13 17:06 <DIR> d-------- C:\My Download Files
2007-10-13 17:00 <DIR> d-------- C:\Program Files\Real
2007-10-13 17:00 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-10-13 16:58 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-09 14:53 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-06 22:42 <DIR> d-------- C:\Program Files\Yahoo! Games
2007-10-06 22:42 <DIR> d-------- C:\Program Files\TryMedia
2007-10-04 13:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-10-04 13:47 <DIR> d-------- C:\Program Files\iTunes
2007-10-04 13:47 <DIR> d-------- C:\Program Files\iPod
2007-10-04 13:46 <DIR> d-------- C:\Program Files\QuickTime
2007-10-04 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-04 13:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-04 13:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-04 13:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-04 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-28 10:25 <DIR> d-------- C:\Program Files\MySpace
2007-09-28 10:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-09-23 11:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Viewpoint
2007-09-23 09:31 <DIR> d-------- C:\Program Files\Picasa2
2007-09-23 09:31 <DIR> d-------- C:\Program Files\Google
2007-09-23 09:25 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-22 21:24 <DIR> d-------- C:\Program Files\Lx_cats
2007-09-22 21:24 <DIR> d-------- C:\Program Files\Lexmark 810 Series
2007-09-22 21:24 <DIR> d-------- C:\Program Files\Lexmark
2007-09-22 10:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2007-09-22 08:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-09-22 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-22 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-09-22 08:54 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-22 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-22 08:53 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-22 08:53 <DIR> d-------- C:\Program Files\AIM6
2007-09-22 08:53 335 --a------ C:\WINDOWS\nsreg.dat
2007-09-22 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-21 19:58 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-21 19:58 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-20 23:40 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-09-20 23:27 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-09-20 23:21 40,960 --a------ C:\WINDOWS\uneng.exe
2007-09-20 23:20 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2007-09-20 23:20 <DIR> d-------- C:\Program Files\Adaptec
2007-09-20 23:16 <DIR> d-------- C:\WINDOWS\ShellNew
2007-09-20 23:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2007-09-20 23:09 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-09-20 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-09-20 23:09 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-09-20 23:09 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-20 23:09 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-20 23:09 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-20 23:09 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-20 22:44 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-20 22:44 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-20 22:44 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-20 22:36 <DIR> d-------- C:\Program Files\Webroot
2007-09-20 22:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2007-09-20 22:32 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-09-20 22:32 <DIR> d-------- C:\Program Files\Symantec
2007-09-20 22:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-20 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-20 22:32 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-20 22:32 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-20 22:02 <DIR> d-------- C:\WINDOWS\provisioning
2007-09-20 22:02 <DIR> d-------- C:\WINDOWS\peernet
2007-09-20 22:01 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-20 21:55 <DIR> d-------- C:\WINDOWS\EHome
2007-09-20 21:38 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-09-20 21:38 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-09-20 16:11 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-09-20 16:11 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2007-09-20 16:10 <DIR> dr------- C:\Program Files
2007-09-20 16:10 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2007-09-20 16:09 <DIR> d-------- C:\Documents and Settings

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-23 01:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-21 03:14 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-21 00:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-21 00:35 --------- d-----w C:\Program Files\Broadcom
2007-09-21 00:31 --------- d-----w C:\Program Files\Analog Devices
.

((((((((((((((((((((((((((((( snapshot@2007-10-30_ 7.07.19.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 10:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LXBSCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 12:26]
"MemoryCardManager"="C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe" [2004-02-02 13:58]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2007-07-19 22:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 16:00:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 10:08:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-31 10:09:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-31 08:58
C:\ComboFix3.txt ... 2007-10-31 08:43

----------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:09 AM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Yahtzee/Images/stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190335326265
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Yahtzee/Images/armhelper.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5259 bytes
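
The HijackThis log above lists each autostart location as one line per section (O2 browser helper objects, O3 toolbars, O4 Run keys and the Startup folder, O16 downloaded ActiveX controls, O23 services). The Python below is an added example, not part of the original thread and not part of HijackThis: it parses those line shapes, works out which file each entry actually loads (including the DLL behind a `rundll32` Run entry, which is the code that really runs), and answers the question this thread turns on, whether a DLL the antivirus keeps reporting (fcccabc.dll in the first post) still has any load point in the log. The sample lines are copied from the log above; the line formats and the "in-process DLL" triage rule are this example's own assumptions, not a HijackThis feature.

```python
"""Triage HijackThis (v2.x) log lines by the module each autostart entry loads.

Added example for this thread; not part of HijackThis or of the original posts.
The line formats matched below are inferred from the posted log (assumed to hold
for HijackThis 2.0.x output) and the in-process-DLL rule is this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HjtEntry:
    section: str           # O2 (BHO), O3 (toolbar), O4 (Run key / Startup), O16 (DPF), O23 (service)
    name: str
    module: Optional[str]  # path or URL of the file the entry loads
    raw: str


# Line shapes as they appear in the log above.
_O2_O3 = re.compile(r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
_O4_KEY = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")
_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) - (?P<url>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.+)$")


def module_from_command(cmd: str) -> str:
    """Return the file a Run-key command line actually loads.

    A quoted path is taken whole; 'rundll32 <dll>,<entry> [args]' resolves to the
    DLL, since that is the code that executes. An unquoted path containing spaces
    cannot be recovered reliably and is cut at the first space (the log above has
    none of those).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        return rest.strip().split(",", 1)[0]
    return first


def parse_line(line: str) -> Optional[HjtEntry]:
    line = line.strip()
    if m := _O2_O3.match(line):
        return HjtEntry(m["sec"], m["name"], m["path"], line)
    if m := _O4_KEY.match(line):
        return HjtEntry("O4", m["name"], module_from_command(m["cmd"]), line)
    if m := _O4_STARTUP.match(line):
        return HjtEntry("O4", m["name"], m["path"], line)
    if m := _O16.match(line):
        return HjtEntry("O16", m["name"], m["url"], line)
    if m := _O23.match(line):
        return HjtEntry("O23", m["name"], m["path"], line)
    return None  # R0/R1/O9 and other sections are not modelled here


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def basename(module: str) -> str:
    """Last path component, for both Windows paths and file:/// URLs."""
    return re.split(r"[\\/]", module)[-1].lower()


def entries_referencing(entries: List[HjtEntry], filename: str) -> List[HjtEntry]:
    """Every load point that points at the given file name (case-insensitive)."""
    want = filename.lower()
    return [e for e in entries if e.module and basename(e.module) == want]


def in_process_dlls(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries that load a DLL/OCX inside another process (BHOs, toolbars, rundll32
    Run entries, ActiveX controls): the kind of load point a Vundo-style DLL needs,
    so the first place to look when an AV keeps re-detecting one."""
    return [e for e in entries
            if e.section in ("O2", "O3")
            or (e.module and basename(e.module).endswith((".dll", ".ocx")))]


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Yahtzee/Images/stg_drm.ocx
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("load points for fcccabc.dll:", entries_referencing(entries, "fcccabc.dll"))
    for e in in_process_dlls(entries):
        print(e.section, e.name, "->", e.module)
```

If `entries_referencing()` comes back empty for the reported file, the log shows no remaining load point for it in the sections HijackThis covers; that does not prove the file is gone, only that nothing listed here is starting it, which is consistent with the helper's reading of this log below.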

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 31 October 2007 - 09:31 AM

System (finally) rebooted on its own

Sometimes you need to be patient, but it was Spysweeper causing this hangup anyway, because I see Spysweeper is still running, so I guess it wasn't disabled previously.
I know Spysweeper causes this.

Anyway, this looks OK again. :thumbsup:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 al d (Topic Starter, Members, 12 posts)

Posted 31 October 2007 - 09:55 AM

All appears to be resolved ....
Thank you very much !
It is appreciated.

Al Dashevsky

#10 miekiemoes (Malware Response Team)

Posted 31 October 2007 - 10:12 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 miekiemoes (Malware Response Team)

Posted 01 November 2007 - 05:33 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.