Need Help Removing Spyware/malware


  • This topic is locked
24 replies to this topic

#1 PhilD

PhilD

  • Members
  • 43 posts

Posted 16 March 2008 - 07:17 PM

I got hit with a bunch of stuff.

I can't use Ctrl+Alt+Del to open the Task Manager. It says it's been disabled by the administrator. It hasn't. Luckily I have Process Explorer installed so I can still see what's running and end any unwanted processes temporarily.

There are some new folders in my c:/program files directory and some new listings in my Add/Remove Programs list.

I get pop-ups in Windows telling me my computer is infected with spyware and to download a spyware scanner.

My computer background has been changed to a background that says my computer is infected with spyware and to download a spyware scanner.

I've run:

Norton AntiVirus - (found a few files it deleted)
McAfee Stinger - (found nothing)
Spybot Search and Destroy - (found several problems)

These scans found and deleted some stuff but the rest just come back when I restart the computer. After the Spybot scan I can access the Task Manager until I restart the computer and then it is disabled again.

If you need any additional info please let me know.

Any help is appreciated.

Thanks,
-Phillip




Here's my HiJackThis log:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:28 PM, on 3/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\QdrPack\QdrPack14.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll (file missing)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Atrt] "C:\WINDOWS\System32\CURITY~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack14] "C:\Program Files\QdrPack\QdrPack14.exe"
O4 - HKCU\..\Run: [Iznntor] "C:\Program Files\?icrosoft.NET\m?dtc.exe"
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6602 bytes


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 March 2008 - 07:57 PM

Hello Phillip,

Welcome to Bleeping Computer :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll (file missing)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack14] "C:\Program Files\QdrPack\QdrPack14.exe"
O4 - HKCU\..\Run: [Iznntor] "C:\Program Files\?icrosoft.NET\m?dtc.exe"
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
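teacup61's checklist above is, in effect, a set of triage rules over the HijackThis log: the start page reset to about:blank, every O2 BHO whose DLL is no longer on disk, and the O4 autoruns that point at odd locations. The Python script below is an added example (not code from this thread, from HijackThis or from BleepingComputer) that applies those rules to a handful of lines taken from Phillip's first log. It also flags the F2 Userinit chain, which the checklist did not include: Winlogon runs every program listed in that value at each logon, which is how mgmrwmrv.exe keeps coming back. The O4 heuristics (a character HijackThis could not render, an executable dropped straight into the Windows folder, a long hex argument, a short-name subfolder inside System32) are my own and produce "review" rather than "fix" verdicts.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Atrt] "C:\WINDOWS\System32\CURITY~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Iznntor] "C:\Program Files\?icrosoft.NET\m?dtc.exe"
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


def triage_line(line):
    """Return (verdict, reason) for one HijackThis line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    # R0/R1: a start page of about:blank is the usual leftover of a hijacked homepage.
    if kind.startswith("R") and body.endswith("= about:blank"):
        return ("fix", "IE start page reset to about:blank")

    # F2: anything chained after userinit.exe runs at every logon.
    if kind == "F2" and "UserInit=" in body:
        chain = body.split("UserInit=", 1)[1]
        extras = [p for p in chain.split(",") if p and not p.lower().endswith("\\userinit.exe")]
        if extras:
            return ("fix", "extra program chained into Winlogon Userinit: " + ", ".join(extras))
        return None

    # O2: a BHO whose DLL is gone is an orphan; a nameless BHO with a DLL needs identification.
    if kind == "O2":
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            return ("fix", "BHO registered but its DLL is gone (orphan entry)")
        if "(no name)" in body:
            return ("review", "BHO with no name but a DLL on disk; identify the DLL before removing")
        return None

    # O4: heuristics (mine, not HijackThis's) for autoruns that point somewhere odd.
    if kind == "O4":
        reasons = []
        if "?" in body:
            reasons.append("path contains a character HijackThis could not render (look-alike folder)")
        if re.search(r'\\WINDOWS\\[^\\\s"]+\.exe', body, re.IGNORECASE):
            reasons.append("executable placed directly in the Windows folder")
        if HEX_BLOB_RE.search(body):
            reasons.append("long hexadecimal argument on the command line")
        if re.search(r"\\System32\\[^\\]*~\d\\", body, re.IGNORECASE):
            reasons.append("short-name (~1) subfolder inside System32")
        if reasons:
            return ("review", "; ".join(reasons))
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns a list of (verdict, line, reason)."""
    findings = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            findings.append((verdict[0], line.strip(), verdict[1]))
    return findings


if __name__ == "__main__":
    for verdict, line, reason in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {line}\n         {reason}")
```

Everything the script marks "fix" coincides with an entry teacup61 asked Phillip to check, plus the F2 line; the "review" verdicts are where a helper would look the file up before deciding, which is also how the Spybot SDHelper.dll entry (nameless but legitimate) avoids being removed.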

#3 PhilD

PhilD
  • Topic Starter

  • Members
  • 43 posts

Posted 16 March 2008 - 09:40 PM

Ok, I followed your instructions.

I'm still getting the spyware scanner popups.

Also, I noticed that I have a program running in the processes list since my computer was infected called mgmrwmrv.exe that never used to run at startup.

Thanks,
-Phillip

Here are the new logs.





ComboFix 08-03-14.4 - Philip 2008-03-16 19:22:05.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.727 [GMT -8:00]
Running from: C:\Documents and Settings\Philip\My Documents\American Idol\Combo Fix\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Philip\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Philip\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Philip\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\icroso~1.net
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\QdrDrive
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack14.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\WinBudget
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\curity~1\??curity\
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-16 16:49 . 2008-03-16 19:18 <DIR> d-------- C:\HiJackThis
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\Program Files\zango
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\Program Files\180solutions
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-16 16:26 . 2008-03-16 16:26 24,576 --a------ C:\WINDOWS\didduid.ini
2008-03-16 00:53 . 2008-03-16 02:38 560 --a------ C:\WINDOWS\wininit.ini
2008-03-15 22:46 . 2008-03-15 22:46 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-15 22:46 . 2008-03-15 22:46 <DIR> d-------- C:\Program Files\stc
2008-03-15 22:46 . 2008-03-15 22:46 <DIR> d-------- C:\Program Files\180search assistant
2008-03-15 22:00 . 2008-03-16 04:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-15 21:58 . 2008-03-16 19:19 <DIR> d-------- C:\Program Files\Bat
2008-03-15 21:57 . 2008-03-15 21:57 90,544 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-15 21:57 . 2008-03-15 21:57 4 --a------ C:\WINDOWS\system32\winfrun32.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 10:47 --------- d-----w C:\Program Files\Cpukiller3
2008-02-04 09:15 --------- d-----w C:\Program Files\LEGO Media
2008-01-29 08:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 09:32 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 28,672 2001-11-29 09:00:00 C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Creative Soundblaster ADGJDet Backup\bak\ADGJDet.exe

----a-w 100,056 2005-05-27 08:09:21 C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Nortan Antivirus SNDMon Backup\bak\SNDMon.exe

----a-w 71,328 2006-03-09 19:47:52 C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Autoprotect Backup - CCAPP\bak\ccApp.exe

----a-w 218,240 2004-11-03 00:59:52 C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Usrprmpt Backup\bak\UsrPrmpt.exe

----a-w 98,304 2004-08-03 02:55:35 C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak\qttask.exe

----a-w 180,269 2004-11-01 15:27:17 C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Real Player realsched backup\bak\realsched.exe

----a-w 180,269 2004-11-01 15:27:17 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 180,269 2004-11-01 15:27:17 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 71,328 2006-03-09 19:47:52 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 71,328 2006-03-09 19:47:52 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 218,240 2004-11-03 00:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 218,240 2004-11-03 00:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

----a-w 28,672 2001-11-29 09:00:00 C:\Program Files\Creative\SBLive\Program\bak\ADGJDet.exe
----a-w 28,672 2001-11-29 09:00:00 C:\Program Files\Creative\SBLive\Program\ADGJDet.exe

----a-w 98,304 2004-08-03 02:55:35 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 98,304 2004-08-03 02:55:35 C:\Program Files\QuickTime\qttask.exe

----a-w 100,056 2005-05-27 08:09:21 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 100,056 2005-05-27 08:09:21 C:\Program Files\SymNetDrv\SNDMon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atrt"="C:\WINDOWS\System32\CURITY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-12 15:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 15:50 843776 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2004-07-12 15:50 81920 C:\WINDOWS\system32\nvmctray.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-02 18:55 98304]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 16:59 218240]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-01 07:27 180269]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-27 00:09 100056]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 21:07 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

R3 Intels51;Intel® 536EP Modem;C:\WINDOWS\System32\DRIVERS\Intels51.sys [2003-05-22 06:44]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 19:24:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-16 19:25:06
ComboFix-quarantined-files.txt 2008-03-17 03:25:04
ComboFix2.txt 2007-08-03 21:02:04




----------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:51 PM, on 3/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKCU\..\Run: [Atrt] "C:\WINDOWS\System32\CURITY~1\msdtc.exe" -vt yazb
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5058 bytes
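The ComboFix "Reg Loading Points" section above explains the symptom Phillip opened with: DisableTaskMgr is set to 1 under the policies\system key in both HKLM and HKCU, which is exactly what produces the "disabled by your administrator" message. The Python below is an added example (not ComboFix's code) that parses that REGEDIT4-style section, reports which hives carry the policy, lists Run values whose target ComboFix printed with empty brackets (assumption on my part: ComboFix shows the file's date, time and size in the brackets and leaves them empty when it cannot find the file, as with the "Atrt" entry), and emits a .reg file that deletes the policy value. The sample is trimmed from the log posted above.

```python
import re

# Constructed sample: the "Reg Loading Points" section from the ComboFix log above, trimmed.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atrt"="C:\WINDOWS\System32\CURITY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 21:07 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_reg_points(text):
    """Yield (key, name, data) triples from a REGEDIT4-style listing."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            yield key, vm.group("name"), vm.group("data")


def hive_of(key):
    return "HKLM" if key.upper().startswith("HKEY_LOCAL_MACHINE") else "HKCU"


def find_taskmgr_policy(text):
    """Hives in which DisableTaskMgr is non-zero under ...\\policies\\system."""
    hives = []
    for key, name, data in parse_reg_points(text):
        if key.lower().endswith(r"\policies\system") and name.lower() == "disabletaskmgr":
            m = re.match(r"\s*(\d+)", data)
            if m and int(m.group(1)) != 0:
                hives.append(hive_of(key))
    return hives


def find_run_entries_without_file(text):
    """Run values printed with empty brackets. Assumption: ComboFix fills the brackets with
    the target's date/time/size and leaves them empty when the file cannot be found."""
    missing = []
    for key, name, data in parse_reg_points(text):
        if key.lower().endswith(r"\currentversion\run") and data.rstrip().endswith("[ ]"):
            missing.append((hive_of(key), name))
    return missing


def taskmgr_restore_reg(hives):
    """Build a .reg file that deletes DisableTaskMgr from each affected hive
    ('=-' is the .reg syntax for deleting a value)."""
    full = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
    out = ["Windows Registry Editor Version 5.00", ""]
    for h in sorted(set(hives)):
        out.append(f"[{full[h]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]")
        out.append('"DisableTaskMgr"=-')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hives = find_taskmgr_policy(SAMPLE_REG)
    print("Task Manager disabled by policy in:", ", ".join(hives) or "none")
    print("Run entries whose file was not found:", find_run_entries_without_file(SAMPLE_REG))
    print(taskmgr_restore_reg(hives))
```

The thread itself shows the caveat that goes with the .reg file: Phillip reported that Spybot re-enabled Task Manager only until the next restart. Clearing the policy value is pointless while the program chained into Userinit (mgmrwmrv.exe in the F2 line) still runs at logon and can set it again, so the persistence entries are removed first and the policy value last.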

#4 PhilD

PhilD
  • Topic Starter

  • Members
  • 43 posts

Posted 16 March 2008 - 09:42 PM

I forgot to mention that Task Manager is still disabled as well.

Sorry about the double reply.


-Phillip

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 March 2008 - 11:12 PM

Hi Phillip,

We need to drastically shift course for now, and come back to this a bit later. You have an additional infection that wreaks havoc on your programs. We need to get them put back in their rightful places, and delete the bad look-alikes:

1. Please download FindAWF by noahdfear and save it to your desktop.
2. Please double-click FindAWF.exe to run option 1.
3. If a security alert shows, allow the program to run.
4. When the tool has completed, a report will open in Notepad.
5. Please post the results of the awf.txt in your next reply.

Thanks,
tea

#6 PhilD

PhilD
  • Topic Starter

  • Members
  • 43 posts

Posted 16 March 2008 - 11:51 PM

Hi, done running FindAWF.

I noticed it was looking for folders named BAK and duplicate files.

I hate to complicate things but I had an infection quite a while back (a couple of years ago, at least) where some of my files were replaced with malware duplicates and the original files were backed up in folders called BAK.

I got that problem fixed back then but I never did delete the BAK folders with the good copies of the files that were attacked.

Back then the files that were replaced (which were fixed) were:

ADGJDet
SNDMon
CCAPP
Usrprmpt
qttask
realsched

I noticed these showed up in the FindAWF scan but I don't know if they have been replaced again or if FindAWF is just seeing the remnants of an old infection.

I know that CCAPP is the Antivirus Autoprotect that runs in the system tray. That seems to be running fine.

I don't see ADGJDet, SNDMon, or qttask running in the processes list like they did when they were replaced two years ago.

Usrprmpt and realsched are running at startup but they always do so I don't know if they've been attacked again or not.

Anyway I thought you should have the info.

-Phillip




Here's the FindAWF log:





Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 03/16/2008
The current time is: 21:25:41.67


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

08/02/2004 06:55 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

05/27/2005 12:09 AM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/09/2006 11:47 AM 71,328 ccApp.exe
1 File(s) 71,328 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/01/2004 07:27 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\PROGRAM\BAK

11/29/2001 01:00 AM 28,672 ADGJDet.exe
1 File(s) 28,672 bytes

Directory of C:\DOCUME~1\PHILIP\MYDOCU~1\NORTON~3\CREATI~1\BAK

11/29/2001 01:00 AM 28,672 ADGJDet.exe
1 File(s) 28,672 bytes

Directory of C:\DOCUME~1\PHILIP\MYDOCU~1\NORTON~3\NORTAN~1\BAK

05/27/2005 12:09 AM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\DOCUME~1\PHILIP\MYDOCU~1\NORTON~3\NORTON~1\BAK

03/09/2006 11:47 AM 71,328 ccApp.exe
1 File(s) 71,328 bytes

Directory of C:\DOCUME~1\PHILIP\MYDOCU~1\NORTON~3\NORTON~3\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\DOCUME~1\PHILIP\MYDOCU~1\NORTON~3\QUICKT~1\BAK

08/02/2004 06:55 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\DOCUME~1\PHILIP\MYDOCU~1\NORTON~3\REALPL~1\BAK

11/01/2004 07:27 AM 180,269 realsched.exe
1 File(s) 180,269 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Aug 2 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Aug 2 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
98304 Aug 2 2004 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak\qttask.exe"
100056 May 27 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 May 27 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
100056 May 27 2005 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Nortan Antivirus SNDMon Backup\bak\SNDMon.exe"
71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
71328 Mar 9 2006 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Autoprotect Backup - CCAPP\bak\ccApp.exe"
180269 Nov 1 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 1 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
180269 Nov 1 2004 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Real Player realsched backup\bak\realsched.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Usrprmpt Backup\bak\UsrPrmpt.exe"
28672 Nov 29 2001 "C:\Program Files\Creative\SBLive\Program\ADGJDet.exe"
28672 Nov 29 2001 "C:\Program Files\Creative\SBLive\Program\bak\ADGJDet.exe"
28672 Nov 29 2001 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Creative Soundblaster ADGJDet Backup\bak\ADGJDet.exe"
28672 Nov 29 2001 "C:\Program Files\Creative\SBLive\Program\ADGJDet.exe"
28672 Nov 29 2001 "C:\Program Files\Creative\SBLive\Program\bak\ADGJDet.exe"
28672 Nov 29 2001 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Creative Soundblaster ADGJDet Backup\bak\ADGJDet.exe"
100056 May 27 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 May 27 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
100056 May 27 2005 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Nortan Antivirus SNDMon Backup\bak\SNDMon.exe"
71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
71328 Mar 9 2006 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Autoprotect Backup - CCAPP\bak\ccApp.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Usrprmpt Backup\bak\UsrPrmpt.exe"
98304 Aug 2 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Aug 2 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
98304 Aug 2 2004 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak\qttask.exe"
180269 Nov 1 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 1 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
180269 Nov 1 2004 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Real Player realsched backup\bak\realsched.exe"


end of report

#7 teacup61

  • Malware Response Team

Posted 17 March 2008 - 12:04 AM

Hi Phillip,

Thank you so much for the explanation, or I would be totally at a loss right now. :thumbsup: Let's run this phase of the tool, and if it doesn't work, or if your Norton goes wonky, you'll have to get rid of everything Norton and reinstall it.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\QuickTime\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak
C:\Program Files\SymNetDrv\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Nortan Antivirus SNDMon Backup\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Autoprotect Backup - CCAPP\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Real Player realsched backup\bak
C:\Program Files\Common Files\Symantec Shared\Security Center\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Usrprmpt Backup\bak
C:\Program Files\Creative\SBLive\Program\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Creative Soundblaster ADGJDet Backup\bak
C:\Program Files\Creative\SBLive\Program\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Creative Soundblaster ADGJDet Backup\bak
C:\Program Files\SymNetDrv\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Nortan Antivirus SNDMon Backup\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Autoprotect Backup - CCAPP\bak
C:\Program Files\Common Files\Symantec Shared\Security Center\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Usrprmpt Backup\bak
C:\Program Files\QuickTime\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Real Player realsched backup\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 PhilD

  • Topic Starter

Posted 17 March 2008 - 01:47 AM

Hi,

I haven't done your last set of instructions yet.


I was looking at the list of files and directories you wanted me to use FindAWF to delete and I know why these are here. When I had the malware infection 2 years ago I copied these files here after I fixed it. These are the good files. I kept copies of them in case they were ever replaced again so I could fix them if needed.



C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Nortan Antivirus SNDMon Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Autoprotect Backup - CCAPP\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Real Player realsched backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Usrprmpt Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Creative Soundblaster ADGJDet Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Creative Soundblaster ADGJDet Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Nortan Antivirus SNDMon Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Autoprotect Backup - CCAPP\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Norton Antivirus Usrprmpt Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak
C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Real Player realsched backup\bak


As for the other directories in the list, if it's easier I can just go in and manually delete them. Unless FindAWF does something else besides just deleting them, or you need to see the new log, in which case I can use it.


Let me know. And again sorry for being so much trouble.



-Phillip

#9 teacup61

  • Malware Response Team

Posted 17 March 2008 - 03:04 PM

Hello Phillip,

If you look at the AWF log, you'll see that the dates and sizes match, and are in triplicate in most cases. That means they're all good, and you just need to have the duplicates and bak folders deleted. That's what option #3 does. There are still others to consider. It's your computer, so your decision. Please let me know what you want to do, and please do consider that there are other infections present to deal with. :thumbsup:

Regards,
tea
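The check tea describes above (same size and same date across the original, its bak copy and the backup under My Documents) as an added example, not part of the thread or of the FindAWF tool. The parser follows the line format of the report posted earlier in the thread; the qttask.exe lines are copied from that report and the app.exe pair is constructed to show what a mismatch looks like.

```python
import re
from collections import defaultdict

# One line of the FindAWF "Duplicate files of bak directory contents" section:
#   <size in bytes> <Mon> <day> <year> "<full path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')

# Sample report lines. The qttask.exe lines are copied from the log in this
# thread (one of them repeated, as the report does); the app.exe pair is
# constructed to show a copy that does not match its bak backup.
SAMPLE_REPORT = r"""
98304 Aug 2 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Aug 2 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
98304 Aug 2 2004 "C:\Documents and Settings\Philip\My Documents\Norton Antivirus Autoprotect CCAPP Files\Quicktime qttask Backup\bak\qttask.exe"
98304 Aug 2 2004 "C:\Program Files\QuickTime\qttask.exe"
12345 Mar 15 2008 "C:\Program Files\Example\app.exe"
98304 Aug 2 2004 "C:\Program Files\Example\bak\app.exe"
"""


def parse_report(text):
    """Return {path: (size, date)} for every duplicate-file line in the report.

    The report repeats lines (the same path can appear more than once), so
    the dictionary collapses them to distinct paths.
    """
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, "end of report"
        size, mon, day, year, path = m.groups()
        entries[path] = (int(size), f"{mon} {day} {year}")
    return entries


def check_copies(entries):
    """Group copies by file name and apply the check from the thread: if every
    copy of a file has the same size and date, the original is the genuine file
    and the bak-folder copies are redundant. If they differ, the copy outside
    any bak folder is the one to treat as suspect."""
    groups = defaultdict(list)
    for path, (size, date) in entries.items():
        groups[path.rsplit("\\", 1)[-1].lower()].append((path, size, date))

    results = {}
    for name, copies in groups.items():
        consistent = len({(s, d) for _, s, d in copies}) == 1
        bak_dirs = sorted(p.rsplit("\\", 1)[0] for p, _, _ in copies
                          if "\\bak\\" in p.lower())
        suspect = [] if consistent else [p for p, _, _ in copies
                                         if "\\bak\\" not in p.lower()]
        results[name] = {
            "copies": len(copies),
            "consistent": consistent,
            "bak_dirs": bak_dirs,   # folders that option 3 would remove
            "suspect": suspect,     # originals that do not match their backups
        }
    return results


if __name__ == "__main__":
    for name, info in check_copies(parse_report(SAMPLE_REPORT)).items():
        print(name, info)
```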

#10 PhilD

  • Topic Starter

Posted 17 March 2008 - 07:10 PM

Hi again,

Sorry it took so long to reply.

Ok, I followed your instructions and ran FindAWF.


-Phillip


Here's the new log:





Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 03/17/2008
The current time is: 17:02:53.20


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#11 teacup61

  • Malware Response Team

Posted 17 March 2008 - 07:15 PM

Did you go ahead and delete them? :thumbsup: Run option #4 to reset the domain zones and exit the program.

Please run ComboFix again and post a new HijackThis log in your reply.

Thanks,
tea

#12 PhilD

  • Topic Starter

Posted 17 March 2008 - 08:04 PM

Hi,

Ok, I ran option 4 in FindAWF. No Problems.

But I had some problems running ComboFix. Norton popped up telling me it detected a malicious script a few times while ComboFix was running.

It managed to run all the way through and generate a log. But the Norton popup and the Notepad window that the ComboFix log was in locked up on me and I had to restart the computer.

I'm sure Norton was just being nuts and detecting ComboFix, but I'm not sure if ComboFix did everything it was supposed to do. :thumbsup:

I'm pretty sure I managed to find the ComboFix log (the date on it matches today's date) and I ran HiJackThis and got a log for that too.

You can look them over and decide if I should run ComboFix again just to make sure it did whatever it needs to do.

Let me know if you want me to run the scans again and post new logs. (I'll disable Norton's autoprotect this time. I'm feeling pretty dumb.)


-Phillip


Anyway here are the new logs I have (such as they are):



ComboFix 08-03-14.4 - Philip 2008-03-17 17:32:22.4 - NTFSx86
Running from: C:\Documents and Settings\Philip\My Documents\American Idol\Combo Fix\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-16 16:49 . 2008-03-16 19:28 <DIR> d-------- C:\HiJackThis
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\Program Files\zango
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\Program Files\180solutions
2008-03-16 16:26 . 2008-03-16 16:26 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-16 16:26 . 2008-03-16 16:26 24,576 --a------ C:\WINDOWS\didduid.ini
2008-03-16 00:53 . 2008-03-16 02:38 560 --a------ C:\WINDOWS\wininit.ini
2008-03-15 22:46 . 2008-03-15 22:46 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-15 22:46 . 2008-03-15 22:46 <DIR> d-------- C:\Program Files\stc
2008-03-15 22:46 . 2008-03-15 22:46 <DIR> d-------- C:\Program Files\180search assistant
2008-03-15 22:00 . 2008-03-16 04:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-15 21:58 . 2008-03-16 19:19 <DIR> d-------- C:\Program Files\Bat
2008-03-15 21:57 . 2008-03-15 21:57 90,544 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-15 21:57 . 2008-03-15 21:57 4 --a------ C:\WINDOWS\system32\winfrun32.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 01:02 --------- d-----w C:\Program Files\SymNetDrv
2008-03-18 01:02 --------- d-----w C:\Program Files\QuickTime
2008-03-18 01:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 10:47 --------- d-----w C:\Program Files\Cpukiller3
2008-02-04 09:15 --------- d-----w C:\Program Files\LEGO Media
2008-01-29 08:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 09:32 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-16_19.24.49.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-17 00:55:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-18 01:00:09 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-17 00:55:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-18 01:00:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-17 00:55:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-18 01:00:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atrt"="C:\WINDOWS\System32\CURITY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-12 15:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 15:50 843776 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2004-07-12 15:50 81920 C:\WINDOWS\system32\nvmctray.dll]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-02 18:55 98304]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 16:59 218240]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-01 07:27 180269]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-27 00:09 100056]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 21:07 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

R3 Intels51;Intel® 536EP Modem;C:\WINDOWS\System32\DRIVERS\Intels51.sys [2003-05-22 06:44]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 17:38:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-17 17:40:13
ComboFix-quarantined-files.txt 2008-03-18 01:40:05
ComboFix2.txt 2008-03-17 03:25:06
ComboFix3.txt 2007-08-03 21:02:04





-----------------------------------------





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:10 PM, on 3/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKCU\..\Run: [Atrt] "C:\WINDOWS\System32\CURITY~1\msdtc.exe" -vt yazb
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6168 bytes

#13 teacup61

  • Malware Response Team

Posted 17 March 2008 - 08:45 PM

Hi Phillip,

Now you just stop that.....you did just fine. :wacko: Lots of AVs detect bits of the tools we use as bad, like nircmd.exe, part of ComboFix to name but one. Sometimes it is necessary to disable everything before it's run.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKCU\..\Run: [Atrt] "C:\WINDOWS\System32\CURITY~1\msdtc.exe" -vt yazb


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following folders (if they exist):

C:\WINDOWS\System32\CURITY~1 <--- this folder. It will start with CURITY and may be longer.

Reboot your computer.

Now go totally offline and go ahead and disable your Norton and run ComboFix again. Be sure you re-enable it again before you come back online to post the report. :blink: We're getting there! :thumbsup:

Thanks,
tea
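The entries tea picked out above fall into three patterns: BHO registrations with "(no file)", a UserInit value carrying more than userinit.exe, and a Run entry that launches a system-named binary from a folder where it does not belong. As an added example, not part of the thread or of HijackThis, this script flags those three patterns in the posted log lines; the SYSTEM_BINARIES allowlist is an assumption of the example, not something the thread states.

```python
import re

# Sample HijackThis entries copied from the log posted in this thread, with
# the benign Adobe and ccApp entries from the same log included for contrast.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Atrt] "C:\WINDOWS\System32\CURITY~1\msdtc.exe" -vt yazb
"""

# Line shapes of the three HijackThis sections this example looks at.
O2_RE = re.compile(r'^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(.+)$')
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$')

# Default UserInit value on Windows XP: only userinit.exe belongs there.
USERINIT = r"c:\windows\system32\userinit.exe"
# Illustrative allowlist (an assumption of this example, not from the thread):
# binaries that live directly in System32, so a copy elsewhere is worth a look.
SYSTEM_BINARIES = {"msdtc.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM32 = r"c:\windows\system32"


def triage(log_text):
    """Return (kind, detail, line) for each entry matching one of the three
    patterns selected for "Fix checked" in the thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            _name, clsid, target = m.groups()
            if target == "(no file)":  # orphaned BHO registration
                findings.append(("orphan-bho", clsid, line))
            continue
        m = F2_RE.match(line)
        if m:
            programs = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in programs if p.lower() != USERINIT]
            if extra:  # anything beyond userinit.exe is started at every logon
                findings.append(("userinit-extra", extra[0], line))
            continue
        m = O4_RE.match(line)
        if m:
            _hive, _key, command = m.groups()
            # Executable is either the quoted first token or the first word.
            exe = command.split('"')[1] if command.startswith('"') else command.split()[0]
            folder, _, name = exe.lower().rpartition("\\")
            if name in SYSTEM_BINARIES and folder != SYSTEM32:
                findings.append(("system-name-wrong-folder", exe, line))
    return findings


if __name__ == "__main__":
    for kind, detail, _line in triage(SAMPLE_HJT_LOG):
        print(f"{kind:26} {detail}")
```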

#14 PhilD

  • Topic Starter

Posted 17 March 2008 - 10:11 PM

Hi,

Ok I've got a problem here.

For some reason every time I run ComboFix Norton pops up and tells me about malicious scripts, and then ComboFix and the Norton popups lock up and I have to restart the computer.

I disabled everything for Norton that I could, using Process Explorer to kill the processes, but it still flags it when I run ComboFix.

I'm not sure what to do?

Is there some specific way to disable Norton?



-Phillip

#15 PhilD

  • Topic Starter

Posted 17 March 2008 - 10:26 PM

I've also noticed that since ComboFix crashed my clock down in the Windows system tray is running strange. It seems to be running using 24 hour time. Instead of 8:22pm it says 20:22?

I know ComboFix alters the clock settings while it runs so I'm guessing something got messed up.

I tried synchronizing the clock settings but that doesn't seem to work.


-Phillip



