I Could Use Some Serious Help With My Computer...


This topic is locked
41 replies to this topic

#1 MattSmith75


Posted 28 December 2007 - 01:24 PM

OK. Um, here's what I know.

I know that it ain't because my drive is fragmented (I think that's the term), because I defragged it a few nights ago.

I did a virus scan using Norton Anti-Virus, and it showed that I had two Backdoor.Graybirds.

I managed to get rid of one, but the other, which is located at C:\WINDOWS\Intel.dll, couldn't get deleted or cleaned or quarantined (spelling?).
And on top of that, I can't find that file. It's like... nowhere to be found. I searched for it inside and out.
So then I used Ad-Aware Free Scanner and it discovered a virus, and got rid of it. I also did all your other recommended scans, but they didn't turn up anything.

But now I'm also getting the following error message every few times I reboot or boot up:

Exception Processing Message
c0000013 Parameters
75b6bf9c 4 75b6bf9c 75b6bf9c


And I also was told by another virus scanner, I forget which one.
Anyway, long story short, everything is running slow, and even my task bar freezes up for almost 5 minutes before unlocking again. Please, help. If my dad finds my computer like this, he'll kill me. (Metaphorically, of course.)

Thank you for your time.

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:48 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS74A3~2.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32 .exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\IAMAPP .EXE
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS74A3~2 .EXE
C:\Program Files\Netscape\Netscape\Netscp .exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com/"); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fkhadjbg.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4958 bytes
"Rule Number One: Kill 'Em, before they kill you." - Delta 62 (Scorch), Republic Commando
"Rule Seventeen: Always make sure they're dead." - Delta 07 (Sev), Republic Commando

#2 RichieUK

Malware Response Team

Posted 28 December 2007 - 05:55 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, MattSmith75.
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


You're running msconfig in Auto mode, which means that you may have selectively unchecked some items in the past from starting up with Windows.
This can be bad if they're malware, so please re-enable those startup entries by doing the following:
Click on Start > Run, type msconfig and then press Enter.
When the 'System Configuration Utility' opens, click on the 'Startup' tab and make sure all the boxes are checkmarked.
Then press Apply/OK to exit the utility.
If it asks you to restart your PC, please don't; it's not necessary at this point.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
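Added example (not part of this thread, and not HijackThis or BleepingComputer code): a small Python script that applies the triage rules a log reader uses on Matt's first log and that Richie acts on above: msconfig running in /auto mode, an old Java ActiveX entry, a service whose binary is missing or whose name looks random, a win.ini 'load=' hook, and a process path with a space before the extension. The rule names, the vowel-ratio heuristic for random-looking names and the sample lines (copied from the logs posted in this thread) are this example's own choices.

```python
"""Triage rules for a HijackThis v2 log (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched .exe
C:\\WINDOWS\\system32\\ctfmon .exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\geedb.exe
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: DomainService - Unknown owner - C:\\WINDOWS\\system32\\fkhadjbg.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name, see triage()
    line: str   # the log line that triggered it


# A space immediately before the extension is not something installers produce.
SPACED_EXT = re.compile(r" \.(exe|dll|sys|cpl)$", re.IGNORECASE)
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
JRE_VERSION = re.compile(r"Java Runtime Environment (\d+)\.(\d+)")
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Vowel-ratio heuristic (this example's own): 7+ letters with fewer than
    one vowel in four reads like a generated name (fkhadjbg), while real
    binaries (ati2evxx, UAService7) keep a normal vowel ratio."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 7:
        return False
    return sum(c in VOWELS for c in letters) * 4 < len(letters)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a triage rule."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            if SPACED_EXT.search(line):
                findings.append(Finding("space-before-extension", line))
            continue
        tag = line.split(" ", 1)[0]
        lowered = line.lower()
        if tag == "O4" and "msconfig" in lowered and "/auto" in lowered:
            # /auto means startup items were unchecked by hand; they stay hidden from the log
            findings.append(Finding("msconfig-auto", line))
        elif tag in ("F2", "F3") and "load=" in line and not line.endswith("load="):
            # win.ini 'load=' is a legacy logon hook that is rarely used legitimately
            findings.append(Finding("win-ini-load-hook", line))
        elif tag == "O16":
            m = JRE_VERSION.search(line)
            if m and (int(m.group(1)), int(m.group(2))) < (1, 6):
                findings.append(Finding("stale-java-activex", line))
        elif tag == "O23":
            m = O23_LINE.match(line)
            if not m:
                continue
            if "(file missing)" in m["path"]:
                findings.append(Finding("service-binary-missing", line))
            elif m["owner"] == "Unknown owner":
                stem = m["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if looks_random(stem):
                    findings.append(Finding("unknown-owner-random-name", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.line}")
```

Run against the sample it reports the two spaced process names, the load= hook, the msconfig entry, the JRE 1.4.1 ActiveX object and the missing DomainService binary; the Nero service with a known owner passes. The heuristics are deliberately loose, so a finding is a line to look at, not a verdict.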

#3 MattSmith75


Posted 29 December 2007 - 08:27 AM

Hello Richie. You can call me Matt.

OK, so I did as you said with Sun Java, and I enabled those startups again and ran that ComboFix program. But I do have a bone to pick. It quarantined my Netscape... I can't use it now. The shortcut is dead... was it supposed to do that? Does that mean after this is all over, I'll have to reinstall? Because my dad installed it, not me...

EDIT: I take that back, sorta. I went into the place where Netscape is installed (C:\Program Files\Netscape) and the exe link there works just fine. Just the shortcuts on the task bar and Start menu are quarantined.

ANOTHER EDIT: I should also note that my Norton Internet Security has been disabled, and I can not for the life of me re-enable it.

Anyway, I trust your judgement, you know what you're doing... so here it goes:

Here is the Log from ComboFix:

ComboFix 07-12-29.5 - Star Wars 2007-12-29 7:43:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -5:00]
Running Wrom: EJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUFPEGAU
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Star Wars\Application Data\addon.dat
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\fccaxwv.dll
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedb.exe
C:\WINDOWS\system32\hayxcbjs.dll
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\sjbcxyah.ini
C:\WINDOWS\system32\witisdhr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_IPRIP
-------\DomainService
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 08:08 . 2007-12-29 08:08 319 --ahs---- C:\WINDOWS\system32\bdeeg.ini
2007-12-29 08:06 . 2007-12-29 08:06 344,576 --------- C:\WINDOWS\system32\geedb.dll
2007-12-29 07:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-29 07:34 . 2007-12-29 07:34 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-28 13:07 . 2007-12-28 13:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 08:21 . 2007-12-28 08:21 348,160 --a------ C:\WINDOWS\system32\RCX38.tmp
2007-12-28 07:53 . 2007-12-28 08:48 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-28 07:02 . 2007-12-28 07:02 348,160 --a------ C:\WINDOWS\system32\RCX37.tmp
2007-12-27 20:38 . 2007-12-27 20:38 348,160 --a------ C:\WINDOWS\system32\RCX36.tmp
2007-12-27 17:28 . 2007-12-27 17:28 348,160 --a------ C:\WINDOWS\system32\RCX35.tmp
2007-12-27 15:00 . 2007-12-27 15:00 348,160 --a------ C:\WINDOWS\system32\RCX34.tmp
2007-12-27 14:30 . 2007-12-27 14:30 348,160 --a------ C:\WINDOWS\system32\RCX33.tmp
2007-12-27 14:12 . 2007-12-27 13:21 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-27 13:20 . 2007-12-27 14:28 <DIR> d-------- C:\Documents and Settings\Star Wars\.housecall6.6
2007-12-27 12:08 . 2007-12-27 12:08 348,160 --a------ C:\WINDOWS\system32\RCX32.tmp
2007-12-27 06:53 . 2007-12-27 06:53 348,160 --a------ C:\WINDOWS\system32\RCX31.tmp
2007-12-26 21:47 . 2007-12-26 21:47 348,160 --a------ C:\WINDOWS\system32\RCX30.tmp
2007-12-26 21:33 . 2007-12-26 21:33 348,160 --a------ C:\WINDOWS\system32\RCX2F.tmp
2007-12-26 18:36 . 2007-12-26 18:36 348,160 --a------ C:\WINDOWS\system32\RCX2E.tmp
2007-12-26 16:46 . 2007-12-26 16:46 <DIR> d-------- C:\Documents and Settings\Star Wars\Application Data\Petroglyph
2007-12-26 16:41 . 2007-12-29 07:31 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-26 16:40 . 2007-12-26 16:40 348,160 --a------ C:\WINDOWS\system32\RCX2D.tmp
2007-12-26 16:40 . 2007-12-29 07:30 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-26 16:40 . 2007-12-29 07:30 81,920 --a------ C:\WINDOWS\system32\ps2 .exe
2007-12-26 16:21 . 2007-12-26 16:21 <DIR> d-------- C:\Documents and Settings\Star Wars\Application Data\LucasArts
2007-12-16 19:39 . 2005-12-09 15:02 3,051,520 --------- C:\WINDOWS\UNNMP.exe
2007-12-16 19:39 . 2006-01-24 12:10 45,531 --------- C:\WINDOWS\UNNMP.cfg
2007-12-16 19:22 . 2007-12-16 19:22 <DIR> d-------- C:\Program Files\Nero
2007-12-16 19:21 . 2006-03-23 17:15 33,536 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2007-12-16 19:19 . 2005-09-01 11:03 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-12-16 19:18 . 2005-11-29 15:31 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2007-12-16 19:18 . 2005-11-29 15:31 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2007-12-16 19:18 . 2005-11-29 15:31 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2007-12-16 19:18 . 2005-11-29 15:31 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2007-12-16 19:18 . 2005-11-29 15:31 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2007-12-16 18:58 . 2005-12-09 15:02 3,051,520 --------- C:\WINDOWS\UNNMIX.exe
2007-12-16 18:58 . 2006-01-24 12:14 162,289 --------- C:\WINDOWS\UNNMIX.cfg
2007-12-16 18:58 . 2004-08-04 02:56 25,088 --a------ C:\WINDOWS\system32\shfolder.dll
2007-12-16 18:57 . 2005-11-29 15:31 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-12-16 18:56 . 2007-12-16 18:56 <DIR> d-------- C:\WINDOWS\InCD
2007-12-16 18:56 . 2006-03-07 16:27 3,067,904 --------- C:\WINDOWS\NuNinst.exe
2007-12-16 18:56 . 2006-03-23 17:15 102,016 --------- C:\WINDOWS\system32\drivers\incdfs.sys
2007-12-16 18:56 . 2006-03-24 11:12 59,278 --------- C:\WINDOWS\NuNinst.cfg
2007-12-16 18:56 . 2006-03-23 17:15 29,440 --------- C:\WINDOWS\system32\drivers\incdpass.sys
2007-12-16 18:56 . 2006-03-23 17:00 8,704 --------- C:\WINDOWS\system32\drivers\incdrec.sys
2007-12-16 18:55 . 2007-12-16 18:55 <DIR> d-------- C:\Documents and Settings\Star Wars\Application Data\NeroVision
2007-12-16 18:55 . 2005-12-09 15:02 3,051,520 --------- C:\WINDOWS\UNNeroVision.exe
2007-12-16 18:55 . 2006-01-30 14:18 156,471 --------- C:\WINDOWS\UNNeroVision.cfg
2007-12-16 18:47 . 2003-07-29 10:09 57,344 -ra------ C:\WINDOWS\system32\ImageDrive.cpl
2007-12-16 18:47 . 2005-09-01 11:03 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-12-16 18:45 . 2007-12-16 18:46 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-12-16 18:45 . 2007-12-16 19:41 <DIR> d-------- C:\Program Files\Ahead
2007-12-03 17:58 . 2006-12-01 21:54 548,864 --a------ C:\WINDOWS\system32\msvcp80.dll
2007-12-03 17:57 . 2006-12-01 23:25 1,101,824 --a------ C:\WINDOWS\system32\mfc80.dll
2007-12-02 16:45 . 2007-12-02 16:45 <DIR> d-------- C:\Documents and Settings\Star Wars\Application Data\Intuit
2007-12-02 16:45 . 2007-07-26 17:13 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2007-12-02 16:45 . 2007-07-26 17:13 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2007-12-02 16:44 . 2007-12-02 16:51 <DIR> d-------- C:\Program Files\Quicken
2007-12-02 16:44 . 2007-12-02 16:44 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software
2007-12-02 16:44 . 2007-12-02 16:44 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-12-02 16:43 . 2007-12-02 16:51 165 --a------ C:\WINDOWS\QUICKEN.INI
2007-12-02 16:42 . 2007-12-02 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 13:06 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-29 13:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 12:56 --------- d-----w C:\Program Files\SymNetDrv
2007-12-29 12:35 --------- d-----w C:\Program Files\Java
2007-12-29 02:41 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2007-12-28 21:59 --------- d-----w C:\Documents and Settings\Star Wars\Application Data\Xfire
2007-12-27 22:36 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-27 20:33 --------- d-----w C:\Program Files\Xfire
2007-12-26 21:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 21:13 --------- d-----w C:\Program Files\LucasArts
2007-12-25 19:31 --------- d-----w C:\Program Files\Intel
2007-12-25 16:19 --------- d-----w C:\Program Files\Soldier of Fortune II - Double Helix
2007-12-17 01:44 --------- d-----w C:\Documents and Settings\Star Wars\Application Data\AdobeUM
2007-12-17 00:46 --------- d-----w C:\Documents and Settings\Star Wars\Application Data\Ahead
2007-12-17 00:30 --------- d-----w C:\Documents and Settings\Star Wars\Application Data\Nero
2007-12-16 23:39 --------- d-----w C:\Program Files\Westwood
2007-12-16 22:57 --------- d-----w C:\Documents and Settings\Star Wars\Application Data\Move Networks
2007-12-16 22:54 --------- d-----w C:\Program Files\MSN Messenger
2007-11-28 22:58 --------- d-----w C:\Program Files\Activision
2007-11-27 14:24 --------- d-----w C:\Program Files\BitLord
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 20:23 --------- d-----w C:\Program Files\Common Files\xing shared
2007-11-12 20:23 --------- d-----w C:\Program Files\Common Files\Real
2007-11-06 15:43 --------- d-----w C:\Program Files\Acclaim Entertainment
2007-11-04 14:14 --------- d-----w C:\Program Files\Microsoft Games
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D912798-5DFF-4B3E-9588-08F2579A072B}]
2007-12-29 08:06 344576 --------- C:\WINDOWS\system32\geedb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~4.EXE" [2007-12-29 08:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Norton System Doctor.lnk - C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE [2006-10-24 20:48:54]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedb.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Service Host Driver]
@=""

R2 NISSERV;Norton Internet Security Service;C:\Program Files\Norton Internet Security\NISSERV.EXE [2001-08-30 00:32]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-29 00:59]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\System32\Drivers\NPDRIVER.SYS [2001-08-10 05:00]
S2 Service Host Driver;Service Host Driver;C:\DOCUME~1\STARWA~1\LOCALS~1\Temp\svchost.sys []
S3 gAGP440p;gAGP440p;C:\DOCUME~1\STARWA~1\LOCALS~1\Temp\gAGP440p.sys []
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 SIWIO;SIWIO;C:\WINDOWS\TEMP\SiwIo.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 13:14:27 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 08:08:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\geedb.dll
.
Completion time: 2007-12-29 8:15:17 - machine was rebooted
.
2007-12-25 19:39:44 --- E O F ---



A New HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:10 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~3 .EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedb.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com/"); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~4.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4911 bytes


Thank you in advance for any and all time you spend helping me, Richie.

Edited by MattSmith75, 29 December 2007 - 08:41 AM.

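Added example (not part of this thread, and not ComboFix code): a Python reader for the "Files Created" section of the ComboFix log above. It parses the "created . modified size attributes path" lines and reports three things a reviewer would want to see before replying: files whose creation time is later than the run start on the ComboFix header line (something was still writing to system32 while the tool ran), hidden+system files in system32, and runs of identically sized .tmp files like the RCX*.tmp set Richie later moves. The rule names and the sample lines (copied from Matt's log) are this example's own choices.

```python
"""Review of a ComboFix 'Files Created' listing (added example, not ComboFix code)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the ComboFix header and a few entries from the listing above.
SAMPLE_LOG = """\
ComboFix 07-12-29.5 - Star Wars 2007-12-29 7:43:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -5:00]

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 08:08 . 2007-12-29 08:08 319 --ahs---- C:\\WINDOWS\\system32\\bdeeg.ini
2007-12-29 08:06 . 2007-12-29 08:06 344,576 --------- C:\\WINDOWS\\system32\\geedb.dll
2007-12-29 07:34 . 2007-12-29 07:34 <DIR> d-------- C:\\Program Files\\Common Files\\Java
2007-12-28 08:21 . 2007-12-28 08:21 348,160 --a------ C:\\WINDOWS\\system32\\RCX38.tmp
2007-12-28 07:02 . 2007-12-28 07:02 348,160 --a------ C:\\WINDOWS\\system32\\RCX37.tmp
2007-12-27 20:38 . 2007-12-27 20:38 348,160 --a------ C:\\WINDOWS\\system32\\RCX36.tmp
2007-12-16 18:58 . 2004-08-04 02:56 25,088 --a------ C:\\WINDOWS\\system32\\shfolder.dll
"""

# "created . modified  size  attributes  path" as ComboFix prints it in this section
ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
RUN_START = re.compile(r"^ComboFix \S+ - .+? (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2})")
STAMP = "%Y-%m-%d %H:%M"


def run_start(text: str) -> datetime | None:
    """Timestamp from the ComboFix header line, i.e. when the run began."""
    for line in text.splitlines():
        m = RUN_START.match(line)
        if m:
            return datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return None


def parse_listing(text: str) -> list[dict]:
    """Parse the entry lines; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], STAMP)
        e["modified"] = datetime.strptime(e["modified"], STAMP)
        e["size"] = None if e["size"] == "<DIR>" else int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def review_listing(text: str, min_run: int = 3) -> dict[str, list[str]]:
    """Map rule name -> paths that triggered it."""
    started = run_start(text)
    findings: dict[str, list[str]] = defaultdict(list)
    tmp_by_size: dict[int, list[str]] = defaultdict(list)
    for e in parse_listing(text):
        path, name = e["path"], e["path"].rsplit("\\", 1)[-1]
        in_sys32 = "\\windows\\system32\\" in path.lower()
        if started and e["created"] >= started:
            # appeared after the cleanup run began: something was still active
            findings["created-during-run"].append(path)
        if e["size"] is None:
            continue
        if in_sys32 and "h" in e["attrs"] and "s" in e["attrs"]:
            findings["hidden-system-file-in-system32"].append(path)
        if in_sys32 and name.lower().endswith(".tmp"):
            tmp_by_size[e["size"]].append(path)
    for size, paths in tmp_by_size.items():
        if len(paths) >= min_run:
            findings[f"repeated-{size}-byte-tmp-files"].extend(paths)
    return dict(findings)


if __name__ == "__main__":
    for rule, paths in review_listing(SAMPLE_LOG).items():
        print(rule)
        for p in paths:
            print("   ", p)
```

On the sample this flags bdeeg.ini and geedb.dll as created after the 07:43:48 run start, bdeeg.ini again for its hidden+system attributes, and the three RCX*.tmp files as a same-size run; the Find3M section uses a different column layout and is not parsed by this regex.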

#4 RichieUK

Malware Response Team

Posted 29 December 2007 - 09:47 AM

There appears to be a problem with Combofix; please do not run it again.
I'll get back to you as soon as possible.
Posted Image
Posted Image

#5 MattSmith75


Posted 29 December 2007 - 10:19 AM

I'll be waiting. Do you want me to delete Combofix from my desktop?

I'll leave it for now... until you reply.

#6 RichieUK

Malware Response Team

Posted 29 December 2007 - 10:44 AM

Please download OTMoveIt by OldTimer and save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\RCX38.tmp
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\RCX36.tmp
C:\WINDOWS\system32\RCX35.tmp
C:\WINDOWS\system32\RCX34.tmp
C:\WINDOWS\system32\RCX33.tmp
C:\WINDOWS\system32\RCX32.tmp
C:\WINDOWS\system32\RCX31.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX2F.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX2D.tmp
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\geedb.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

REGEDIT4

; Remove the BHO registration. ComboFix abbreviates this key as HKLM\~\Browser Helper Objects;
; the full path is needed in a .reg file.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D912798-5DFF-4B3E-9588-08F2579A072B}]

; Clear the "load" logon hook that started geedb.exe.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""

; Reset LSA Authentication Packages to the default msv1_0 only.
; REG_MULTI_SZ in a REGEDIT4 file is hex(7): ANSI bytes, double-NUL terminated.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Also post a new Hijackthis log please.
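Added example (not part of this thread, and not regedit or BleepingComputer code): a Python pre-flight reader for a REGEDIT4 fix like the one above, so the person merging it can see exactly which keys are deleted and which values are set before regedit touches the registry. It decodes hex(7) (REG_MULTI_SZ) data, reports any line regedit could not apply, and checks that the LSA "Authentication Packages" value the fix writes contains only the default msv1_0. The sample .reg is constructed in the shape of Richie's fix, with the LSA value written in .reg syntax and one deliberately malformed line in ComboFix's display format; the function names and operation tuples are this example's own.

```python
"""Pre-flight review of a REGEDIT4 fix file (added example, not regedit or BleepingComputer code)."""
from __future__ import annotations

import re

# Constructed sample in the shape of the fix above; the last line is deliberately
# in ComboFix's display format rather than .reg syntax, to show error reporting.
SAMPLE_REG = """\
REGEDIT4

; delete the BHO registration (CLSID from the ComboFix log in this thread)
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{9D912798-5DFF-4B3E-9588-08F2579A072B}]

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"load"=""

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Authentication Packages REG_MULTI_SZ msv1_0
"""

KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

Operation = tuple  # (kind, key, value name, data)


def decode_hex7(data: str) -> list[str]:
    """REG_MULTI_SZ in a REGEDIT4 file: ANSI bytes, NUL between strings, double NUL at the end."""
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def plan(reg_text: str) -> dict:
    """List what merging the file would do, plus every line regedit could not apply.
    Hex continuation lines (trailing backslash) are not handled by this example."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops: list[Operation] = []
    errors: list[tuple[int, str]] = []
    key = None
    for n, raw in enumerate(lines[1:], start=2):   # n is the 1-based line number
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m["key"]
            if m["delete"]:
                ops.append(("delete_key", key, None, None))
                key = None                         # values cannot follow a deleted key
            continue
        m = VALUE_LINE.match(line)
        if not m:
            errors.append((n, "not valid .reg syntax"))
        elif key is None:
            errors.append((n, "value outside any [key] section"))
        else:
            name = "(Default)" if m["name"] == "@" else m["name"][1:-1]
            data = m["data"]
            if data == "-":
                ops.append(("delete_value", key, name, None))
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                ops.append(("set_string", key, name, data[1:-1]))
            elif data.lower().startswith("hex(7):"):
                ops.append(("set_multi_string", key, name, decode_hex7(data[7:])))
            else:
                errors.append((n, "unsupported data type (only strings and hex(7) handled here)"))
    return {"ops": ops, "errors": errors}


def unexpected_auth_packages(ops: list[Operation]) -> list[str]:
    """LSA 'Authentication Packages' holds only msv1_0 on a default XP install; any
    other entry the fix would leave behind is an autostart that needs explaining."""
    for kind, key, name, data in ops:
        if kind == "set_multi_string" and key.lower().endswith("\\control\\lsa") \
                and name == "Authentication Packages":
            return [p for p in data if p.lower() != "msv1_0"]
    return []


if __name__ == "__main__":
    result = plan(SAMPLE_REG)
    for op in result["ops"]:
        print(op)
    for n, why in result["errors"]:
        print(f"line {n}: {why}")
    print("extra LSA packages:", unexpected_auth_packages(result["ops"]))
```

On the sample it lists one key deletion, the empty "load" string and the multi-string ["msv1_0"], and reports line 11 as not valid .reg syntax; a fix copied straight from a ComboFix listing would fail that check before anything is merged.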

#7 MattSmith75


Posted 29 December 2007 - 10:53 AM

OK! Did that. Went smoothly without any problems. Here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:55 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~4.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS0827~4 .EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com/"); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS8515~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4890 bytes
"Rule Number One: Kill 'Em, before they kill you." - Delta 62 (Scorch), Republic Commando
"Rule Seventeen: Always make sure they're dead." - Delta 07 (Sev), Republic Commando

#8 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 29 December 2007 - 11:36 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#9 MattSmith75

  • Topic Starter

Posted 29 December 2007 - 01:46 PM

OK. Um, the ATF Cleaner sorta worked. I had to check each one at a time, because Selecting All made the computer freeze up. I couldn't clean out the Cookies, Temp Internet Files, or the History with it either, because each of those made the comp freeze up as well.

Other than that, everything went smoothly. I still can't enable my internet security with Norton, and my Norton email virus scanner has its status as "Error".

And also, my Netscape and such shortcuts are still not working from that Combofix program.

Other than that, my computer is booting up quicker than it had before you started helping me.

Now for the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/29/2007 at 01:36 PM

Application Version : 3.9.1008

Core Rules Database Version : 3370
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 01:33:04

Memory items scanned : 187
Memory threats detected : 1
Registry items scanned : 5914
Registry threats detected : 5
File items scanned : 41022
File threats detected : 1

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\GEEDB.DLL
C:\WINDOWS\SYSTEM32\GEEDB.DLL
HKLM\Software\Classes\CLSID\{5090ECDE-77B3-4487-A06D-2478D668B9AA}
HKCR\CLSID\{5090ECDE-77B3-4487-A06D-2478D668B9AA}
HKCR\CLSID\{5090ECDE-77B3-4487-A06D-2478D668B9AA}\InprocServer32
HKCR\CLSID\{5090ECDE-77B3-4487-A06D-2478D668B9AA}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5090ECDE-77B3-4487-A06D-2478D668B9AA}





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:04 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS8515~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS8515~2 .EXE
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Works\msworks.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WKSCAL.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedb.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com/"); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\STAR WARS\Application Data\Mozilla\Profiles\default\h5hw9omd.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\MS8515~3.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 5318 bytes
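The two HijackThis logs in this thread are read by eye, and the helper's fixes target a handful of lines in them: the "ctfmon .exe"-style duplicate process entries, the F3 win.ini load= line pointing at geedb.exe, the geedb.dll file the SuperAntiSpyware scan flagged, and the O16 DPF entry with no download URL. As an added example, not code from the thread or from HijackThis, here is a small Python triage script that applies those checks to a constructed excerpt modelled on the logs above; the function names and the KNOWN_BAD_FILES list are my own.

```python
"""Triage a HijackThis 2.0.2 log for the signs seen in this thread.

Added example; not code from the thread, from HijackThis or from any of
the tools the helper used.  SAMPLE_LOG is a constructed excerpt modelled on
the logs posted above.  Checks:
  * running-process entries whose name has a space before the extension
    ("ctfmon .exe"); no such file exists on disk, and in the logs above the
    duplicates appear alongside the Vundo detection;
  * an F3 entry populating the legacy win.ini "load=" autostart (the fix
    above clears it);
  * O16 DPF (ActiveX) entries with no download URL;
  * any entry referencing a file another scanner already flagged.
"""
import re

KNOWN_BAD_FILES = {"geedb.dll", "geedb.exe"}  # flagged by the scan above

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
"""

# HijackThis entries look like "O4 - HKCU\..\Run: ..." : a letter, 1-2 digits, " - ", body
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text):
    """Split a log into (running processes, [(code, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:                 # blank line ends the process section
            in_processes = False
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return [(reason, offending line), ...] for the checks listed above."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        if re.search(r"\s\.(exe|dll|scr)$", path, re.IGNORECASE):
            findings.append(("process name has a space before its extension", path))
    for code, body in entries:
        line = f"{code} - {body}"
        low = body.lower()
        if code == "F3" and "load=" in low and low.split("load=", 1)[1].strip():
            findings.append(("win.ini load= autostart is populated", line))
        if code == "O16" and body.endswith("-"):
            findings.append(("DPF ActiveX entry has no download URL", line))
        for bad in sorted(KNOWN_BAD_FILES):
            if bad in low:
                findings.append((f"references flagged file {bad}", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the full log from the post above, the same four kinds of finding come out; a clean log (no space-before-extension processes, empty load=, every O16 with a URL, no flagged file names) produces an empty list.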

#10 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 29 December 2007 - 02:07 PM

First create a new System Restore point.
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Download the following file and place it inside the C:\QooBox folder.
http://download.bleepingcomputer.com/sUBs/...eQuarantine.exe

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE

Now drag then drop the CFScript file onto CF-DeQuarantine.exe inside the C:\Qoobox folder.
Follow the prompts.
Let me know what's happening now.

Edited by RichieUK, 29 December 2007 - 02:18 PM.


#11 MattSmith75

  • Topic Starter

Posted 29 December 2007 - 02:23 PM

Uh, I did the Notepad thing; however, I'm not finding the CF-DeQuarantine.exe inside the C:\Qoobox folder. I mean, I found the C:\Qoobox folder, but no CF-DeQuarantine.exe.

What do I do? I also did the Restore Point. ;)

Edited by MattSmith75, 29 December 2007 - 02:24 PM.


#12 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 29 December 2007 - 02:47 PM

Hello MattSmith75, I'm looking for some help from sUBs, Combofix's creator. I'll post back as soon as I can :thumbsup:

A silly question maybe, but you did place CF-DeQuarantine.exe inside the C:\QooBox folder?

Edited by RichieUK, 29 December 2007 - 02:50 PM.


#13 MattSmith75

  • Topic Starter

Posted 29 December 2007 - 02:51 PM

OKAY. I'll be waiting. Oh, and just so you know, it doesn't happen too often, but it is still happening: when I'm using Internet Explorer, my Task Bar disappears, but only for a moment, as if Windows Explorer has shut down and started back up again.

Just thought you should know, as it just happened.

I uh.. didn't know I had to move anything to it. Where would I find the CF-DeQuarantine.exe?

Edited by MattSmith75, 29 December 2007 - 02:52 PM.


#14 RichieUK

    Malware Assassin
  • Malware Response Team

Posted 29 December 2007 - 03:07 PM

OK, let's forget that. If you have the Norton Internet Security installation disk, uninstall/reinstall the program.
You'll have to do the same with any other program that's not working correctly.

This is not a problem with Combofix; it's caused by a Trojan Vundo infection.

#15 MattSmith75

  • Topic Starter

Posted 29 December 2007 - 03:10 PM

OK, um... I think I can handle that. But does that mean I'm still infected?

Um, I got a problem. I fixed Netscape by simply creating a new shortcut, because the program works, just the shortcuts were bad. But Norton is messed up, and it refuses to uninstall completely, saying that some parts of Norton are still running. What should I do?

Edited by MattSmith75, 29 December 2007 - 03:40 PM.




