
Need help bad


8 replies to this topic

#1 andrew feazelle

  • Members
  • 5 posts

Posted 16 November 2007 - 02:31 AM

Hello,

I'm Andrew Feazelle from California. I've been struggling with my
internet browser and computer since being infected on Monday November 12th.
Any suggestions and help would be appreciated.

Here are some of my symptoms. Upon logging onto the internet, a new internet
explorer browser pops up and tries to access several websites. There are about
20 or 30 sites it tries to access. I have a yahoo tab bar (which allows different
site addresses to exist on the same browser - one on each "tab") so the hijacked browser usually
opens between 3 and 15 tabs at once and tries to access sites such as "f3.the-truth-is-
out-there.org or "f4.the-truth-is-out-there.org" or variations of that and also sites
by the names of aaqadarsztriv.com or aaqada-rsztriv.com or aaqadavtvcp.com or dnserror.org
etc... Most sites are just a few messy html codes. This happens every 1 to 2 minutes while surfing.
Most times when this happens it activates my spyware removal software which alerts me to a high
risk threat called Downloader.Alphabet in multiple files such as
c:\documentsandsetting\owner\local\temp\syslook.exe and c:\program files\hlpsrv.exe or
hostserver.exe or sys32.exe in the local temp files.

Also, while trying to surf the net, I get redirected when I click a link or a "submit" button. For
example, if I search Yahoo or Google for a topic, upon clicking one of the links they provide on
a search, I get redirected to dnserror.org which is a site that has links to viagra and prescription
narcotics for sale. Or I was trying to pay a phone bill earlier and upon hitting the "submit"
button to pay the bill I was redirected to //search2find.biz/404.php.
I never did get to pay my bill. The search2find.biz site pops up a lot as a redirect.

I've got a new (or recently modified) folder and file in my "Program Files" folder called e404 helper
and the file goes by the name e404.v5.dll.

Also when the infection happened a little yellow triangle with an exclamation point in it appeared
(and continues to appear) on my icons tray. It says "Windows Antivirus" and wants me to click it
to remove spyware. Then sometimes a Windows error box pops up and wants me to click "yes" to downloading
spyware removal software.

Other pop ups that are new are an "Ultimate Cleaner" pop up that is some sort of registry cleaner.
I keep deleting the files associated with it, but it always comes back. Its files are also in my Program
Files folder and go by the names xloader10181 and ucleaner_setup etc...

One really annoying aspect of the infection is that I no longer have administrative functions. The control
panel in the start menu is gone. If I try to access the control panel via the Windows Help and Support program
link, I get a message saying "this operation has been cancelled due to restrictions in effect on this computer. Please
contact your system administrator". The same error happens if I try to access the "My Computer" properties.
Therefore I've lost access to turning off or on System Restore. I've lost access to these functions in safe
mode also. And of course I've lost access to Add/Remove Programs. I know it has something to do with
a corruption in the shell.exe file. Also upon boot up Windows says it cannot locate the C:\Windows\shell.exe file.

Here's what I've tried so far. I ran an old Ad-Aware 6.0 and deleted stuff. I can't download the new one - I get kicked
off the internet before the 20 MB file can be fully downloaded. I ran an outdated Norton Antivirus 2005. I ran an
old Spy-Subtract (I tried to update it but the manufacturer says I have to remove my old one first before the new
activation challenge screen (where you type your reg code) can appear). I can't remove the old one because of
my administrative functions loss. I ran an updated AVG Anti-Spyware program (good for a 30 day trial) several times with
both full and fast scans. I ran a Bit Defender online virus removal scan. It removed 90-some files but left a
few viruses. I ran the Stinger program.

Still my symptoms are present.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:20 AM, on 11/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\msg32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
C:\WINDOWS\avp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\??pPatch\r?gsvr32.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\xloader10181.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\softclix\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://lolitampegs.com/home.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1033
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0ABE789E-9A55-EDFA-2852-BFCE199DB7C9} - C:\WINDOWS\System32\tujkkdc.dll (file missing)
O2 - BHO: (no name) - {17AC6037-DAF6-F053-D5B8-F10A062CA4C4} - C:\WINDOWS\System32\nyj.dll (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {38EB6CD8-D349-ABB9-3321-F86A13ACDB97} - C:\WINDOWS\System32\lrwgm.dll (file missing)
O2 - BHO: (no name) - {3C4DF385-4910-31E5-6286-3246E1ECD794} - C:\WINDOWS\System32\yxyo.dll (file missing)
O2 - BHO: (no name) - {3E1BA282-1916-66EF-31D7-3246E1E2D591} - C:\WINDOWS\System32\qrqql.dll (file missing)
O2 - BHO: (no name) - {61707ECB-9158-BFFA-2941-EBEBDB64D5C5} - C:\WINDOWS\System32\ewk.dll (file missing)
O2 - BHO: (no name) - {67C85852-B396-9A65-E138-C91964798791} - C:\WINDOWS\System32\jgvva.dll (file missing)
O2 - BHO: (no name) - {AE518A52-6BCD-1E39-EAAB-1084FD97199A} - C:\WINDOWS\System32\mjddqbwv.dll (file missing)
O2 - BHO: (no name) - {AF57880D-619A-4469-BFAB-1084FD9718C9} - C:\WINDOWS\System32\xdlbj.dll (file missing)
O2 - BHO: C:\WINDOWS\System32\jkd845jg.dll - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jkd845jg.dll
O2 - BHO: C:\WINDOWS\System32\d4ghggf4g.dll - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\System32\d4ghggf4g.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BFF7F766-42AB-3B5C-8F2D-38E605F55EC9} - C:\WINDOWS\System32\lomkkeeq.dll
O2 - BHO: (no name) - {C70B519A-E004-CDA3-2055-CF09F667209D} - C:\WINDOWS\System32\ivlkqqc.dll (file missing)
O2 - BHO: (no name) - {D0B8211F-C28D-B077-AB1B-BE5E101E34C2} - C:\WINDOWS\System32\ttjts.dll (file missing)
O2 - BHO: (no name) - {DAA5C5F8-716B-5ECF-4702-5FF00AB93D98} - C:\WINDOWS\System32\xvqb.dll (file missing)
O2 - BHO: (no name) - {EB383504-8EC5-AE33-B469-FC7A91965EC5} - C:\WINDOWS\System32\jhl.dll (file missing)
O2 - BHO: (no name) - {ED386406-82C4-F83E-B369-FC7A91930DCA} - C:\WINDOWS\System32\tgpzlazl.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v5.dll
O2 - BHO: (no name) - {F1B93BAD-8362-F19B-1DF7-F55A131949CE} - C:\WINDOWS\System32\pgccdi.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [965225B4] C:\WINDOWS\System32\agraqu.exe
O4 - HKLM\..\Run: [zzwhcfy] C:\WINDOWS\System32\eetjanxq.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [igghbfkstib] C:\WINDOWS\System32\mbtgzu.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Owner\LOCALS~1\Temp\22430\gm.exe
O4 - HKLM\..\Run: [f94mggfhfghodftdf] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\RunServices: [BC194812] C:\WINDOWS\System32\agraqu.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Dkn] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\System32\RACLE~1\regedit.exe" -vt ndrv
O4 - HKCU\..\Run: [Bxaa] "C:\Documents and Settings\Owner\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKCU\..\Run: [Mwubbg] "C:\Documents and Settings\Owner\Application Data\?ppPatch\?hkdsk.exe"
O4 - HKCU\..\Run: [Yet] "C:\Program Files\Common Files\M?crosoft.NET\w?auboot.exe"
O4 - HKCU\..\Run: [Hdpo] "C:\Documents and Settings\Owner\My Documents\??pPatch\r?gsvr32.exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [f94mggfhfghodftdf] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\Owner\LOCALS~1\Temp\winsto.exe
O4 - HKUS\S-1-5-18\..\Run: [Win32 USB2 Driver] smsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] wuamgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Win32 USB2 Driver] smsc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Win32 USB2 Driver] smsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Win32 USB2 Driver] smsc.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: AdSubtract.lnk = ?
O4 - Startup: findfast.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{4AE9928E-A4B7-4FBE-8CF8-7F3976729947}\{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/install...nnerInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{380BAB73-7B29-45B0-80F4-3CBAD85965DD}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{81E9219A-3144-4BE6-9DA1-D2B4EC85FF13}: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F29E67-590B-482E-9E05-7EBAD729C8F9}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Glbncl32.dll (file missing)
O21 - SSODL: SysTray.Ev - {F5B1D0BE-5f02-4255-96DB-388DFA244900} - C:\WINDOWS\System32\fbjkocnl.dll (file missing)
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kmuqrvg.dll
O22 - SharedTaskScheduler: - {3F245C2A-1558-3CCA-04A8-7AA23B60E40F} - (no file)
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kmuqrvg.dll
O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jkd845jg.dll
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\System32\d4ghggf4g.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 15588 bytes

Edited by KoanYorel, 27 November 2007 - 11:35 AM.
To sanitize hot link URL above
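
A responder reads a log like the one above by pattern rather than line by line: registered components whose file is already gone, names one character off a Windows system binary (smsc.exe, spoolvs.exe, winlogan.exe, _svchost.exe), executables started from Temp, paths with characters HijackThis prints as "?", the http=localhost:1033 proxy, the extra shell.exe chained onto the Winlogon shell, and the static 85.255.x.x NameServer entries. The script below is an added example of that triage written as code; it is not part of this thread and is not a BleepingComputer or Trend Micro tool. The sample lines are copied from the log above; the rules, the edit-distance threshold, the system-binary list and the wording of the findings are this example's own assumptions.

```python
"""Triage of HijackThis-style log lines.

Added example: not code from the thread, from BleepingComputer or from Trend Micro.
Parses the R1/F2/O2/O4/O17/O23 line shapes seen in the posted log and flags the
patterns a responder looks for first. Rules and thresholds are this example's own
heuristics; SAMPLE_LOG is copied from the log posted above.
"""
import ipaddress
import re

# Names that entries in the log imitate; exact matches are fine, near-misses are not.
SYSTEM_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
                   "regsvr32.exe", "regedit.exe", "chkdsk.exe")

# Lines copied from the HijackThis log in post #1 (two clean entries included as controls).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1033
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {0ABE789E-9A55-EDFA-2852-BFCE199DB7C9} - C:\WINDOWS\System32\tujkkdc.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Bxaa] "C:\Documents and Settings\Owner\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Owner\LOCALS~1\Temp\22430\gm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
"""


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein where swapping two adjacent
    characters also costs one edit, so spoolvs.exe is 1 away from spoolsv.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def basename(path):
    """Last component of a Windows path, lower-cased (os.path on Linux would not split on '\\')."""
    return path.strip('"').replace("\\", "/").split("/")[-1].lower()


def extract_path(rest):
    """Quoted path if present, else the first whitespace-free token ending in a binary extension."""
    m = re.search(r'"([^"]+)"|(\S+\.(?:exe|dll|ocx|scr|cpl))\b', rest, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def triage(line):
    """Reasons this line deserves a responder's attention; an empty list means nothing noticed."""
    reasons = []
    section, _, rest = line.partition(" - ")
    if section in ("O2", "O3", "O4", "O20", "O21", "O22", "O23"):
        if "(file missing)" in rest:
            reasons.append("registered component whose file is gone: leftover of a cleaned "
                           "infection, or a loader that re-creates it at boot")
        path = extract_path(rest)
        if path:
            if "?" in path:
                reasons.append("path contains a character HijackThis could not print; "
                               "often a lookalike of a Microsoft folder or file name")
            if re.search(r"\\temp\\", path, re.I):
                reasons.append("autorun from a Temp directory")
            if section == "O4" and "\\" not in path:
                reasons.append("bare filename with no directory: locate it on disk before trusting it")
            name = basename(path)
            for legit in SYSTEM_BINARIES:
                if osa_distance(name, legit) == 1:
                    reasons.append(f"{name} is one edit away from the system binary {legit}")
                    break
    elif section == "R1" and "ProxyServer" in rest and re.search(r"localhost|127\.0\.0\.1", rest):
        reasons.append("IE is proxied through a local listener: whatever owns that port sees "
                       "and can rewrite every request, including form submissions")
    elif section == "F2" and "Shell=" in rest:
        shells = rest.split("Shell=", 1)[1].split()
        if any(basename(s) != "explorer.exe" for s in shells):
            reasons.append("extra program chained onto the Winlogon shell")
    elif section == "O17":
        for ip in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", rest):
            if ipaddress.ip_address(ip).is_global:
                reasons.append(f"statically configured public DNS server {ip}: unless it is the "
                               "provider's, every name lookup goes where the attacker chooses")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; lines with nothing noticed are omitted."""
    findings = {}
    for entry in text.splitlines():
        reasons = triage(entry) if entry.strip() else []
        if reasons:
            findings[entry] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for w in why:
            print("   ->", w)
```

The name check deliberately stops at an edit distance of exactly 1 (with an adjacent swap counted as one edit); a threshold of 2 catches nothing extra in this log but starts flagging legitimate names such as tmas.exe against smss.exe. The O17 rule flags any statically configured public resolver, so compare the addresses with the provider's before acting on it. The same function applies unchanged to the second log further down the thread, where the ProxyServer entry is still present.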



#2 andrew feazelle (Topic Starter)

  • Members
  • 5 posts

Posted 19 November 2007 - 11:23 PM

Hello,

I'm trying to prepare my computer for help with malware removal, but i'm having
some difficulty getting through the basic steps.

I've downloaded Spybot (Spybot 1.5.1.15 (which is spybotsd15.exe)), but I'm
having trouble installing it. When I double click the spybotsd15.exe icon,
it starts the installation process. Then the installation window just disappears.
Even if I keep clicking "next" really fast and get to click the install button at the
end of the installation wizard's queries, it still disappears.

It won't disappear in safe mode, but it still won't let me install it once the
final installation window comes up.

I'm running AVG and an old Trend Micro SpySubtract which I'm trying to update.
Would these programs interfere with installation?

I've lost my control panel (either through spyware/virus deletions or due to spyware/
viruses). Even in safe mode as the administrator I cannot access the control
panel (or control panel functions) or general Windows properties.
Would that have something to do with my installation problem?

Also I'm having trouble downloading Ad-Aware 7.0 - does anyone know of a mirror
that allows me to grab it with GetRight (a download manager that allows download
resuming)? I have dial-up and my last two attempts at downloading it have failed
after getting 3 to 5 MB into the download.

Thanks

Andrew Fez

P.S. Bleeping Computer administrators - Please put the topic I posted on Nov 15
2007 on hold until I can resolve these basic issues. Thanks
http://www.bleepingcomputer.com/forums/topic116760.html

#3 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 November 2007 - 04:52 PM

Hi andrew feazelle, :thumbsup:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :blink:

P.S. Please copy/paste the log into this thread using the Add Reply button.

#4 andrew feazelle (Topic Starter)

  • Members
  • 5 posts

Posted 29 November 2007 - 10:05 PM

Hi Falu,

Sure - i'd love some help!

Since my last two posts, I've managed to clean a lot of files. I guess one of the malware files was keeping me from
installing Spybot, because after I cleaned, I was able to install. So now I have Spybot! (The malware must have also
been closing the Outerinfo uninstall program because I was able to use that as well after cleaning.)

I also regained control of my control panel/administrative stuff after cleaning.

The most successful clean I did was run ATF-Cleaner in safe mode then delete junk AVG was detecting. There were
also a few files Bit Defender couldn't delete, but I managed to finally delete them by rebooting to a DOS prompt and
manually deleting.

So I'm no longer getting the downloader browser hijack thing. I'm also free of the Ultimate Cleaner pop up now.
The yellow triangle is gone too (but I haven't checked in safe mode where it seemed to pop up more often).

Also I updated my Trend Micro program, but usually shut it down after I boot up because it conflicts with Spybot.
--------------------------------------------------------------------------------------------------------------------------------------

So to make a long story short, the only thing plaguing me now are redirects on link clicks. Also I'm ready to install
Service Pack 2 (I have Norton Antivirus 2008 ready to install, but it won't install unless I get Service Pack 2), but I want to be
as clean as possible before I download it.

I see file references in HijackThis that I've cleaned, but I was too afraid to delete them out of HijackThis
without assistance.


Thanks,

Andrew Feazelle

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:18 PM, on 11/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\msg32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\softclix\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://lolitampegs.com/home.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1033
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0ABE789E-9A55-EDFA-2852-BFCE199DB7C9} - C:\WINDOWS\System32\tujkkdc.dll (file missing)
O2 - BHO: (no name) - {17AC6037-DAF6-F053-D5B8-F10A062CA4C4} - C:\WINDOWS\System32\nyj.dll (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {38EB6CD8-D349-ABB9-3321-F86A13ACDB97} - C:\WINDOWS\System32\lrwgm.dll (file missing)
O2 - BHO: (no name) - {3C4DF385-4910-31E5-6286-3246E1ECD794} - C:\WINDOWS\System32\yxyo.dll (file missing)
O2 - BHO: (no name) - {3E1BA282-1916-66EF-31D7-3246E1E2D591} - C:\WINDOWS\System32\qrqql.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61707ECB-9158-BFFA-2941-EBEBDB64D5C5} - C:\WINDOWS\System32\ewk.dll (file missing)
O2 - BHO: (no name) - {67C85852-B396-9A65-E138-C91964798791} - C:\WINDOWS\System32\jgvva.dll (file missing)
O2 - BHO: (no name) - {AE518A52-6BCD-1E39-EAAB-1084FD97199A} - C:\WINDOWS\System32\mjddqbwv.dll (file missing)
O2 - BHO: (no name) - {AF57880D-619A-4469-BFAB-1084FD9718C9} - C:\WINDOWS\System32\xdlbj.dll (file missing)
O2 - BHO: C:\WINDOWS\System32\jkd845jg.dll - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jkd845jg.dll (file missing)
O2 - BHO: C:\WINDOWS\System32\d4ghggf4g.dll - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\System32\d4ghggf4g.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C70B519A-E004-CDA3-2055-CF09F667209D} - C:\WINDOWS\System32\ivlkqqc.dll (file missing)
O2 - BHO: (no name) - {D0B8211F-C28D-B077-AB1B-BE5E101E34C2} - C:\WINDOWS\System32\ttjts.dll (file missing)
O2 - BHO: (no name) - {DAA5C5F8-716B-5ECF-4702-5FF00AB93D98} - C:\WINDOWS\System32\xvqb.dll (file missing)
O2 - BHO: (no name) - {EB383504-8EC5-AE33-B469-FC7A91965EC5} - C:\WINDOWS\System32\jhl.dll (file missing)
O2 - BHO: (no name) - {ED386406-82C4-F83E-B369-FC7A91930DCA} - C:\WINDOWS\System32\tgpzlazl.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v6.dll (file missing)
O2 - BHO: (no name) - {F1B93BAD-8362-F19B-1DF7-F55A131949CE} - C:\WINDOWS\System32\pgccdi.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [965225B4] C:\WINDOWS\System32\agraqu.exe
O4 - HKLM\..\Run: [zzwhcfy] C:\WINDOWS\System32\eetjanxq.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [igghbfkstib] C:\WINDOWS\System32\mbtgzu.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Owner\LOCALS~1\Temp\22430\gm.exe
O4 - HKLM\..\Run: [f94mggfhfghodftdf] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\RunServices: [BC194812] C:\WINDOWS\System32\agraqu.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Dkn] C:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [Bxaa] "C:\Documents and Settings\Owner\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKCU\..\Run: [Mwubbg] "C:\Documents and Settings\Owner\Application Data\?ppPatch\?hkdsk.exe"
O4 - HKCU\..\Run: [Yet] "C:\Program Files\Common Files\M?crosoft.NET\w?auboot.exe"
O4 - HKCU\..\Run: [f94mggfhfghodftdf] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\Owner\LOCALS~1\Temp\winsto.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Win32 USB2 Driver] smsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Win32 USB2 Driver] smsc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Win32 USB2 Driver] smsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Win32 USB2 Driver] smsc.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: AdSubtract.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{4AE9928E-A4B7-4FBE-8CF8-7F3976729947}\{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195694506406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195694407828
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/install...nnerInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{380BAB73-7B29-45B0-80F4-3CBAD85965DD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{81E9219A-3144-4BE6-9DA1-D2B4EC85FF13}: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F29E67-590B-482E-9E05-7EBAD729C8F9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: SysTray.Ev - {F5B1D0BE-5f02-4255-96DB-388DFA244900} - C:\WINDOWS\System32\fbjkocnl.dll (file missing)
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kmuqrvg.dll (file missing)
O22 - SharedTaskScheduler: - {3F245C2A-1558-3CCA-04A8-7AA23B60E40F} - (no file)
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kmuqrvg.dll (file missing)
O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jkd845jg.dll (file missing)
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\System32\d4ghggf4g.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14959 bytes
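The log above is what a helper reads through by eye. As an added example (not part of this thread and not a feature of HijackThis), here is a small Python triage script that applies the same first-pass checks mechanically: Run entries launched from a Temp directory, bare filenames with no directory (resolved through PATH), rundll32 loading a DLL given without a path, value names that are random hex, a `?` standing in for a non-ASCII character in a path (HijackThis prints such characters that way), O17 NameServer entries that point somewhere other than the resolvers the owner expects, and O21/O22/O23 registrations whose file is missing. The sample lines are copied from the log above; the expected-resolver set is an assumption, taken from the OpenDNS pair the same log shows on its other adapters. A flag is a hint for review, not a verdict.

```python
"""Triage helper for HijackThis O4/O17/O21/O22/O23 lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Assumption: resolvers the owner intends to use. Taken from the O17 lines above; adjust per machine.
EXPECTED_RESOLVERS = frozenset({"208.67.220.220", "208.67.222.222"})

O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O4_LNK = re.compile(r"^O4 - .+?: .+?\.lnk = (?P<cmd>.*)$")
O17_NS = re.compile(r"^O17 - .+?: NameServer = (?P<servers>.*)$")
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8,}$")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reasons: tuple


def _split_command(cmd):
    """Return (program, arguments) from a Run value, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def _check_o4(line):
    reasons = []
    m = O4_RUN.match(line)
    if m:
        cmd = m.group("cmd")
        exe, args = _split_command(cmd)
        if HEX_NAME.match(m.group("name")):
            reasons.append("value name is a random-looking hex string")
        if exe.lower() == "rundll32.exe":
            # rundll32 takes "<dll>,<entry>"; a DLL with no directory is found via the search path
            if "\\" not in args.split(",", 1)[0]:
                reasons.append("rundll32 loads a DLL given without a path")
        elif "\\" not in exe:
            reasons.append("bare filename with no directory, resolved through PATH")
    else:
        m = O4_LNK.match(line)
        if not m:
            return reasons
        cmd = m.group("cmd")
    if TEMP_DIR.search(cmd):
        reasons.append("runs from a Temp directory")
    if "?" in cmd and cmd.strip() != "?":  # a lone '?' is an unresolved shortcut, not a path
        reasons.append("'?' in path: HijackThis prints non-ASCII characters this way")
    return reasons


def _check_o17(line, expected):
    m = O17_NS.match(line)
    if not m:
        return []
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    rogue = [s for s in servers if s not in expected]
    return ["NameServer points at unexpected resolver(s): " + ", ".join(rogue)] if rogue else []


def _check_orphans(line):
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned registration: the file is no longer present")
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service with no publisher information")
    return reasons


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return one Finding per log line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O4":
            reasons = _check_o4(line)
        elif section == "O17":
            reasons = _check_o17(line, expected_resolvers)
        elif section in ("O21", "O22", "O23"):
            reasons = _check_orphans(line)
        else:
            reasons = []
        if reasons:
            findings.append(Finding(section, line, tuple(reasons)))
    return findings


# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Owner\LOCALS~1\Temp\22430\gm.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Bxaa] "C:\Documents and Settings\Owner\Application Data\?icrosoft\?hkdsk.exe"
O4 - HKUS\S-1-5-18\..\Run: [Win32 USB2 Driver] smsc.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{380BAB73-7B29-45B0-80F4-3CBAD85965DD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{81E9219A-3144-4BE6-9DA1-D2B4EC85FF13}: NameServer = 85.255.114.55 85.255.112.21
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kmuqrvg.dll (file missing)
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample above the script leaves the HP, Symantec and NVIDIA entries and the OpenDNS O17 line alone and flags the remaining seven. The O17 check is the one worth keeping even on a clean-looking log: an adapter whose NameServer differs from all the others is a quiet way for browser requests to be redirected regardless of what the browser itself is doing.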

#5 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:22 AM

Posted 01 December 2007 - 03:28 PM

Hi andrew feazelle, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Your system is heavily infected with some trojans like: Trojan-Downloader.Win32.Small.ddx, which includes functionality to access the internet and communicate with a remote server via HTTP but even worse: WORM_SDBOT.FO which can communicate with remote computers, download and run code, send emails and redirect browser requests and "enables an attacker to gain full control of the affected system."

I would counsel you to disconnect this PC from the Internet immediately until it's clean. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified, there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.
Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Visit the following sites for more information on internet theft and when to reformat!

If you have any questions before you come to a final decision, please feel free to ask.

Please let me know your decision.

#6 andrew feazelle

  • Topic Starter
  • Members
  • 5 posts
  • Local time:07:22 AM

Posted 05 December 2007 - 03:40 AM

Hi Falu,

Sorry for the slow response - for some reason I didn't get an email alert for your last message.

Yikes - sounds like I've got it bad. Yeah, let's try to clean it as well as we can and I'll read the articles you posted. I do a lot of online banking/credit card stuff, but so far I've been lucky and haven't had any problems with fraud or theft.

Talk with you later,

Andrew Feazelle

#7 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:22 AM

Posted 05 December 2007 - 06:52 AM

Hi andrew feazelle, :thumbsup:

Yikes - sounds like I've got it bad.

Yes you have, and that's an understatement.

I do a lot of online banking/credit card stuff, but so far I've been lucky and haven't had any problems with fraud or theft.

You have a computer with serious problems and, looking at the way you use it, you're in serious trouble as well. So don't forget to follow the instructions in my first post:

.... disconnect this PC from the Internet immediately until it's clean. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Personally I would make a backup of the computer, reformat and reinstall the OS, and restore the backed-up files after scanning them with an antivirus.
Do you have an external hard disk or an alternative storage system (USB stick, CDs) large enough to copy your entire disk, so you can be sure that you don't lose anything (bookmarks, e-mail, passwords, IP addresses, usernames etc.)? Read Windows XP Backup Made Easy for making a backup.

To be honest I want you to do your part before I start trying to clean the computer, if possible at all: read all the information available and come to a decision.

I'll wait for your decision.

#8 andrew feazelle

  • Topic Starter
  • Members
  • 5 posts
  • Local time:07:22 AM

Posted 06 December 2007 - 04:57 AM

Hi Falu,

Well, I have one other laptop PC I could use, but it will take me some time before it's internet ready. I remember back in 2004 or so, when I first logged onto the internet with this computer (the one I'm using now), it got infected. I'd hate to go through that with the laptop since its main purpose is to supplement my studio with extra synth sounds (I write film music and concert music).

This computer (the one I'm on now) is really the workhorse of my orchestral music library. It took me weeks of troubleshooting to get Gigastudio up and running with an old parallel port 1995 MTP AV (MIDI hub). That was years ago. There's a ton of other time-costing things related to my music software on here that make me pause about reformatting. Perhaps it may be easier just to use my clean PC for banking/credit card stuff and use this one as is for non-sensitive type use.

I do have some questions though.

I'm assuming that even if all infections were cleaned from my system and I had all the latest antivirus/malware software in place, that I'd still be vulnerable because the infections have probably corrupted Windows or Internet Explorer files. Is that correct? For example, I've deleted smsc.exe (WORM SDBOT.FO) off my system (I haven't corrected the registry values to make smsc.exe run on start up - that's why it's in the HijackThis log). Even though the executable file is gone, I'm still at risk of someone looking through all of my files remotely. Is that correct?

Is there any way to see if any of Windows' files have been corrupted, or to know if I've ever been hacked?

Is there any way to quantify the risk of being successfully hacked secondary to corrected infections? From the little I've read on the subject, it seems the probability of being hacked is greatly augmented if a successful hack has happened in the past.

My credit card and bank websites require extra security questions to be completed if someone tries to log in on a different computer than this one. Is there a way a hacker can steal this computer's address and make it seem as though it's my computer to the credit card's website?

Right now AVG, Spybot and Trend Micro (all up to date) are not finding anything, even though there are a ton of artifacts in my registry. But I know something is wrong as I keep getting redirected on Yahoo search link clicks.

Let me work on getting my other PC internet ready and I'll continue my questions and research.

Talk more later - thanks,

Andrew Fez

#9 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:22 AM

Posted 06 December 2007 - 01:26 PM

Hi andrew feazelle, :thumbsup:

Perhaps it may be easier just to use my clean PC for banking/credit card stuff and use this one as is for non-sensitive type use.

Yes it would be, but still, don't forget to change passwords.

I'm assuming that even if all infections were cleaned from my system and I had all the latest antivirus/malware software in place, that I'd still be vulnerable because the infections have probably corrupted Windows or Internet Explorer files. Is that correct?

The point is that we don't know and can't tell what has been corrupted, if anything.

For example, I've deleted smsc.exe (WORM SDBOT.FO) off my system (I haven't corrected the registry values to make smsc.exe run on start up - that's why it's in the HijackThis log). Even though the executable file is gone, I'm still at risk of someone looking through all of my files remotely. Is that correct?

You have a backdoor on your computer which may be undetected. So to be clear: we may be able to clean your computer but have no means to check how/in what way your computer is corrupted.

Is there any way to see if any of Windows' files have been corrupted, or to know if I've ever been hacked?

It is possible to look for corrupted Windows files and repair them. There is no way to check if you've ever been hacked: you would know if it had ever happened.

Is there any way to quantify the risk of being successfully hacked secondary to corrected infections?

As you can see on TrendMicro's site, the risk level is considered low but the damage potential and distribution potential are high.

My credit card and bank websites require extra security questions to be completed if someone tries to log in on a different computer than this one. Is there a way a hacker can steal this computer's address and make it seem as though it's my computer to the credit card's website?

As an example, for your information: Keyloggers: How they work and how to detect them

Let me work on getting my other PC internet ready and I'll continue my questions and research.

Okay, when you have decided to go this way and you're ready, post a fresh HijackThis log.



