Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Command.exe and others


  • This topic is locked This topic is locked
22 replies to this topic

#1 jjdefan

jjdefan

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:06:45 AM

Posted 01 October 2005 - 12:02 PM

Have run Ad-Aware, BitDefender and Panda and addressed all items. Here is the Log.

Logfile of HijackThis v1.99.1
Scan saved at 12:55:51 PM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TWFueWNvcnVt\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\sgenie.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {BB5ADF54-FC0D-9F15-CE12-CD1EA653BC71} - C:\WINDOWS\nklbyzgi.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {3EB0EE9A-20AC-9A5C-84FA-7D3FF3DA44F8} - C:\WINDOWS\nklbyzgi.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\kpd4dx.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFueWNvcnVt\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 02 October 2005 - 05:30 AM

Hello,

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {BB5ADF54-FC0D-9F15-CE12-CD1EA653BC71} - C:\WINDOWS\nklbyzgi.dll
O3 - Toolbar: Search - {3EB0EE9A-20AC-9A5C-84FA-7D3FF3DA44F8} - C:\WINDOWS\nklbyzgi.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\kpd4dx.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFueWNvcnVt\command.exe


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\TWFueWNvcnVt <== folder
C:\WINDOWS\System32\sgenie.exe
C:\WINDOWS\nklbyzgi.dll
C:\Program Files\SurfSideKick 3 <== folder

* Go to start > run and copy and paste next command in the field:

sc delete cmdService

Click OK

* Still in safe mode Start Ccleaner
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

* Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

Post back a fresh HijackThis log and the log from ewido so I can take another look.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 13 October 2005 - 04:40 PM

Resolved here: http://www.bleepingcomputer.com/forums/ind...topic=32047&hl=

Edited with correct link

Edited by miekiemoes, 13 October 2005 - 06:01 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 13 October 2005 - 05:59 PM

reopened.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:06:45 AM

Posted 13 October 2005 - 06:26 PM

Completed tasks as requested. Here are the 2 logs:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:09 PM, on 10/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: - {019e256e-61f4-43c3-a462-8319d81d47b0} - C:\WINDOWS\System32\jlj.dll
O2 - BHO: - {03837bcb-67d0-4545-a32f-b6f61cac2832} - C:\WINDOWS\System32\r.dll
O2 - BHO: - {09def16f-8261-4c45-8f06-eb8ca469a64e} - C:\WINDOWS\System32\jyp.dll
O2 - BHO: - {10d11675-f126-49e2-90f7-678b8a75ae52} - C:\WINDOWS\System32\prj.dll
O2 - BHO: - {1a1874fc-55a8-43a6-ad56-203da0e4bfa6} - C:\WINDOWS\System32\phxpvj.dll
O2 - BHO: - {20bb51de-b453-4a40-85bb-c23f58e4b482} - C:\WINDOWS\System32\n.dll
O2 - BHO: - {272fa812-54b8-49fd-8736-4f34e373553d} - C:\WINDOWS\System32\dlzt.dll
O2 - BHO: - {3368d66b-9f69-442b-af25-fdc87ed93257} - C:\WINDOWS\System32\dvr.dll
O2 - BHO: - {34829c0c-7161-4b1a-b01c-8c6ad6a54b6e} - C:\WINDOWS\System32\pzjx.dll
O2 - BHO: - {3bad3b2a-1d94-416e-9751-565b1897e65c} - C:\WINDOWS\System32\pz.dll
O2 - BHO: - {49e02af1-257d-4988-b2f4-b3691840050e} - C:\WINDOWS\System32\phxphpr.dll
O2 - BHO: - {4dcdbd12-caf0-435c-a6ca-9dd33839df93} - C:\WINDOWS\System32\dfb.dll
O2 - BHO: - {5ac60900-2e49-4f5f-8541-d5b8a56896bd} - C:\WINDOWS\System32\r.dll
O2 - BHO: - {604ef479-2969-4bc8-9429-66de6072c62d} - C:\WINDOWS\System32\jgmrz.dll
O2 - BHO: - {68be490d-4739-45d8-ab93-9b01284ddb43} - C:\WINDOWS\System32\vs.dll
O2 - BHO: - {69e2a0db-f62e-456c-b8ca-8eabade23165} - C:\WINDOWS\System32\j.dll
O2 - BHO: - {76c1106a-05b4-42ec-a7fb-761cba3e0a06} - C:\WINDOWS\System32\p.dll
O2 - BHO: - {9c4bab53-9c84-48c3-9a52-301e5f6b1969} - C:\WINDOWS\System32\xc.dll
O2 - BHO: - {9e46ac0e-9eeb-4dd5-b1bb-3bc95dae82c1} - C:\WINDOWS\System32\jyoz.dll
O2 - BHO: - {a5f87806-167f-48a5-be57-de3ca1606b13} - C:\WINDOWS\System32\dfbdfdph.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: - {cfe7e4be-c1fb-4fb2-bd03-2f5e27ad06f3} - C:\WINDOWS\System32\p.dll
O2 - BHO: - {d295ea27-29b1-4407-bfdb-a1f46bc9ab17} - C:\WINDOWS\System32\z.dll
O2 - BHO: - {defa6704-1b0a-4b16-a0cd-1d860a1f2f72} - C:\WINDOWS\System32\pz.dll
O2 - BHO: - {e57b1fd8-51af-472e-8d8c-896cf6efedd8} - C:\WINDOWS\System32\jgmvqn.dll
O2 - BHO: - {e9876815-e4e0-4879-9f1a-0d2d12f81735} - C:\WINDOWS\System32\phxpzh.dll
O2 - BHO: - {efe81baf-f8f9-452d-be4e-cbfdde80ea62} - C:\WINDOWS\System32\tzoz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ntzrzg.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:31:45 PM, 10/13/2005
+ Report-Checksum: BEA189E2

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\\ -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5}\TypeLib\\ -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0}\TypeLib\\ -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy\CLSID\\ -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy.1\CLSID\\ -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
[728] C:\WINDOWS\System32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup
[788] C:\WINDOWS\System32\kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
[844] C:\WINDOWS\System32\vxh8jkdq6.exe -> TrojanDownloader.Small.bon : Cleaned with backup
[860] C:\WINDOWS\System32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@buycom.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F4YXDLWB\rcverlib[1].exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\Cas\Client\casmf.dll -> Spyware.CASClient : Cleaned with backup
C:\Program Files\Symroxio\AI_10-10-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Symroxio\AI_12-10-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Symroxio\AI_13-10-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Symroxio\data.bin -> Backdoor.Wiaatl : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\win32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\WINDOWS\exe82.exe -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\rlvknlg.exe -> Spyware.RK : Cleaned with backup
C:\WINDOWS\sb6fovol.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\63rnb7nf.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\bkutof2f.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\ct73k5fd.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\system32\kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\WINDOWS\system32\ktq73mnh.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\medgs1.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\mmxp2passion.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\quyby.dat -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\rk.bin -> Spyware.RK : Cleaned with backup
C:\WINDOWS\system32\sav2.exe -> TrojanDownloader.Agent.vp : Cleaned with backup
C:\WINDOWS\system32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\WINDOWS\system32\vx.tll -> Adware.SpySheriff : Cleaned with backup
C:\WINDOWS\system32\vxgamet3.exe -> TrojanDownloader.Small.bpz : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq5.exe -> TrojanDownloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> TrojanDownloader.Small.bon : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\WINDOWS\system32\WinDmy.dll -> Spyware.Getmirar : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup


::Report End

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 13 October 2005 - 06:37 PM

Hi,

Instead of improving, it's getting worse. Previous ones are gone, but now new and stubborn infections are present which needs a special treatment. So let's give this another round..

Please perform this in exactly the same order as I ask you.

* Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

* Update Ewido.

Then please reboot your computer in Safe Mode

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: - {019e256e-61f4-43c3-a462-8319d81d47b0} - C:\WINDOWS\System32\jlj.dll
O2 - BHO: - {03837bcb-67d0-4545-a32f-b6f61cac2832} - C:\WINDOWS\System32\r.dll
O2 - BHO: - {09def16f-8261-4c45-8f06-eb8ca469a64e} - C:\WINDOWS\System32\jyp.dll
O2 - BHO: - {10d11675-f126-49e2-90f7-678b8a75ae52} - C:\WINDOWS\System32\prj.dll
O2 - BHO: - {1a1874fc-55a8-43a6-ad56-203da0e4bfa6} - C:\WINDOWS\System32\phxpvj.dll
O2 - BHO: - {20bb51de-b453-4a40-85bb-c23f58e4b482} - C:\WINDOWS\System32\n.dll
O2 - BHO: - {272fa812-54b8-49fd-8736-4f34e373553d} - C:\WINDOWS\System32\dlzt.dll
O2 - BHO: - {3368d66b-9f69-442b-af25-fdc87ed93257} - C:\WINDOWS\System32\dvr.dll
O2 - BHO: - {34829c0c-7161-4b1a-b01c-8c6ad6a54b6e} - C:\WINDOWS\System32\pzjx.dll
O2 - BHO: - {3bad3b2a-1d94-416e-9751-565b1897e65c} - C:\WINDOWS\System32\pz.dll
O2 - BHO: - {49e02af1-257d-4988-b2f4-b3691840050e} - C:\WINDOWS\System32\phxphpr.dll
O2 - BHO: - {4dcdbd12-caf0-435c-a6ca-9dd33839df93} - C:\WINDOWS\System32\dfb.dll
O2 - BHO: - {5ac60900-2e49-4f5f-8541-d5b8a56896bd} - C:\WINDOWS\System32\r.dll
O2 - BHO: - {604ef479-2969-4bc8-9429-66de6072c62d} - C:\WINDOWS\System32\jgmrz.dll
O2 - BHO: - {68be490d-4739-45d8-ab93-9b01284ddb43} - C:\WINDOWS\System32\vs.dll
O2 - BHO: - {69e2a0db-f62e-456c-b8ca-8eabade23165} - C:\WINDOWS\System32\j.dll
O2 - BHO: - {76c1106a-05b4-42ec-a7fb-761cba3e0a06} - C:\WINDOWS\System32\p.dll
O2 - BHO: - {9c4bab53-9c84-48c3-9a52-301e5f6b1969} - C:\WINDOWS\System32\xc.dll
O2 - BHO: - {9e46ac0e-9eeb-4dd5-b1bb-3bc95dae82c1} - C:\WINDOWS\System32\jyoz.dll
O2 - BHO: - {a5f87806-167f-48a5-be57-de3ca1606b13} - C:\WINDOWS\System32\dfbdfdph.dll
O2 - BHO: - {cfe7e4be-c1fb-4fb2-bd03-2f5e27ad06f3} - C:\WINDOWS\System32\p.dll
O2 - BHO: - {d295ea27-29b1-4407-bfdb-a1f46bc9ab17} - C:\WINDOWS\System32\z.dll
O2 - BHO: - {defa6704-1b0a-4b16-a0cd-1d860a1f2f72} - C:\WINDOWS\System32\pz.dll
O2 - BHO: - {e57b1fd8-51af-472e-8d8c-896cf6efedd8} - C:\WINDOWS\System32\jgmvqn.dll
O2 - BHO: - {e9876815-e4e0-4879-9f1a-0d2d12f81735} - C:\WINDOWS\System32\phxpzh.dll
O2 - BHO: - {efe81baf-f8f9-452d-be4e-cbfdde80ea62} - C:\WINDOWS\System32\tzoz.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ntzrzg.exe reg_run
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


* Click on Fix Checked when finished and exit HijackThis.

* Still in safe mode, run Ewido again and save the log.

* Please double-click aproposfix.exe.
This will create a new folder on your desktop called aproposfix.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:06:45 AM

Posted 17 October 2005 - 06:42 PM

Things seem to be getting better. Can't seem to shake SurfSideKick and the cmdService though. Just wont go away. Here are the logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:50:34 PM, 10/17/2005
+ Report-Checksum: 826E1DAF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\\ -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Virtual Bouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\SafeSurfing\System -> Spyware.SafeSurfing : Cleaned with backup
HKU\S-1-5-21-436374069-813497703-854245398-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-436374069-813497703-854245398-1007\Software\VB and VBA Program Settings\VBouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-21-436374069-813497703-854245398-1007\Software\VB and VBA Program Settings\VBouncer\Settings -> Spyware.VirtualBouncer : Cleaned with backup
[760] C:\WINDOWS\System32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@counter.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@entrepreneur.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@offers.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@www.adtrak[2].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Manycorum\Cookies\manycorum@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\180sainstallersca.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\180sainstallersca.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\5.qtdfmp -> TrojanDownloader.Small.awa : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\6.qtdfmp -> TrojanDownloader.Small.bon : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\60001.exe -> TrojanDownloader.Small.bkr : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\7.qtdfmp -> TrojanDownloader.Small.atl : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Cookies\manycorum@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\crptclrs.tmp -> Spyware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Del4F.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Del59.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\f154255077.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\i2F2.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\i43.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\ist_remove.exe -> TrojanDownloader.IstBar.jt : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\maxdd.game -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\pcs_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\res50.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\Temporary Internet Files\Content.IE5\4D6R4PA3\WinFixer2005ScannerInstall[1].exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\tm61030.exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\~os10.tmp\ossproxy.exe -> Spyware.RK : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temp\~os10.tmp\rk.bin -> Spyware.RK : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temporary Internet Files\Content.IE5\4YACVN6S\mm63[1].ocx -> Spyware.MediaMotor : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temporary Internet Files\Content.IE5\4YACVN6S\rcverlib[1].exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temporary Internet Files\Content.IE5\8HQL6YJY\trk_0002[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Manycorum\Local Settings\Temporary Internet Files\Content.IE5\Q14GNJIJ\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\AdDestroyer\AdDestroyer.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\CMSystem\plugin.dll -> Spyware.CASClient : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\Symroxio\AI_13-10-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Symroxio\AI_14-10-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Symroxio\AI_15-10-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\VBouncer\VirtualBouncer.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\offun.exe -> TrojanDownloader.VB.hw : Cleaned with backup
C:\WINDOWS\system32\93_app13.exe -> TrojanDropper.Agent.xw : Cleaned with backup
C:\WINDOWS\system32\APD123.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\system32\ichckupd.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\italavlb.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\kpd4dx.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\mmxdoubleexe.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\nsq2FA.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\PopOops.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\PopOops2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\quyby.dat -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\sav2.exe -> TrojanDownloader.Agent.vp : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\SWLAD1.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\SWLAD2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup
C:\WINDOWS\TWFueWNvcnVt\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\TWFueWNvcnVt\command.exe -> Adware.CommAd : Cleaned with backup


::Report End


Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Manycorum\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CsiT2ADshX4m]
"Device"="\\\\.\\c06AX6gu"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\dxankspx.sys"
"DriverName"="DnsMup"
"HideUninstallerName"="C:\\Program Files\\Symroxio\\ntzwrstr.exe"
"HDll"="C:\\WINDOWS\\System32\\sfcsvinn.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.SAV2"
"InstallationId"="{X38c7c2d-b563-2290-ca40-fd10ed3d172c}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Symroxio\\infgcdef.exe"
"AutoUpdater"="C:\\WINDOWS\\System32\\mllrecst.exe"
"Version"="2.0.100"
"LastAURestoreMsgTS"="2005:10:03-02:42:06:204"
@="mINvPKVWWVWWXW7Zfj2fBPVWWVlYW1rwmx1\\W\\TNO9HcbW8MDQ9MNW8S5IFNKSXNTN"
--
[HKEY_LOCAL_MACHINE\Software\Aprps]

[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"PartnerId"="WB.VER2"


************

Removing hidden service:
Service DnsMup removed.

Removing hidden folder:
Deletion of folder Symroxio succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\dxankspx.sys succeeded!
Deletion of file C:\WINDOWS\System32\mllrecst.exe succeeded!
Deletion of file C:\WINDOWS\System32\sfcsvinn.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CsiT2ADshX4m]
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\CsiT2ADshX4m]
[-HKEY_LOCAL_MACHINE\Software\Aprps]

Done!

Finished!


Logfile of HijackThis v1.99.1
Scan saved at 6:17:28 PM, on 10/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\System Files\System.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFueWNvcnVt\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 18 October 2005 - 12:13 AM

Hi,

UNINSTALL Surfsidekick and Addestroyer and REBOOT afterwards!! The reboot is really important though. You'll see, after reboot, the surfsidekick-folder will be still present, but empty.

After reboot:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFueWNvcnVt\command.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following folders, and delete them if still present:

C:\Program Files\SurfSideKick 3
C:\Program Files\CMSystem
C:\Program Files\System Files
C:\Program Files\AdDestroyer
C:\WINDOWS\TWFueWNvcnVt

If you are having problems with deleting in normal mode, try it in safe mode.

Go to start > run and copy and paste next command:

sc delete cmdService

Click OK.

* Run Ccleaner

Reboot once again and post a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:06:45 AM

Posted 20 October 2005 - 03:12 PM

I think we are almost there. Winsync seems to be a culprit now. Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 4:05:55 PM, on 10/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ntzrzg.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 20 October 2005 - 04:41 PM

Hello,

Download FindQoologic.zip save it to your Desktop.
http://downloads.subratam.org/Find-Qoologic.zip

Extract (unzip) the files inside into their own folder called FindQoologic.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

Open the FindQoologic folder. Preferable to your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 30 October 2005 - 02:06 PM

Problem solved here? Because I've seen you already posted new logs in another thread...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:06:45 AM

Posted 31 October 2005 - 01:32 PM

No, I just haven't been able to get back to the client's house to do the requested actions. He has been on travel for the last week. Should get back to this computer this week.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 09 November 2005 - 11:14 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:45 PM

Posted 21 November 2005 - 01:40 PM

Reopened again.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:06:45 AM

Posted 22 November 2005 - 10:12 AM

Ran Qoologic. Attached are the logs.

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,00
.....
End vxd check
Please post this in the forum

Logfile of HijackThis v1.99.1
Scan saved at 9:58:35 AM, on 11/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ntzrzg.exe reg_run
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users