Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop Ups-sysprotect Inc/systemdoctor/winantivirus


  • This topic is locked This topic is locked
8 replies to this topic

#1 sevenn

sevenn

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 30 June 2006 - 03:24 PM

I have used XoftspySE and norton and Bitdefender. My disc cleanup locks up from the begining. it shows it is running in task manager but nothing happens no matter how long it runs. bitdefende took out 15 items except windows\g3157687.dll. I think I seen another file like this the dayall this started happening from a spywarequake trojan that i was able to get rid of by checking out a few forums. Notron says there is a trojan called srvqcq[1].exe but it could not delete. I have been deling bugs like crazy but I just can't find the mother spawn.

basically internet explorer opens with the top saying systemerrorshield. it happens 2 or 3 times a day. generally a few pop ups will follow with sysprotect inc, systemdoctor, or winantivirus titled somewhere. I use firefox so I know it is fishy when i explorer opens (sometimes without even having any browsers open)

Logfile of HijackThis v1.99.1
Scan saved at 4:05:51 PM, on 6/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Azureus\Azureus.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\DVD Decrypter\DVDDecrypter.exe
C:\WINDOWS\System32\cleanmgr.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\XP\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.amazon.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Bdi] C:\WINDOWS\system32\DOBE~1\SCHOST~1.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: SpeedStream Wireless LAN Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Help - {1D5ABB08-6670-40E0-AC91-78104E12009B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {9337C8DD-B38C-4CC0-B76B-8EEF1B53A48A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C6FECAF5-A394-474D-ACFE-8B201C5FED9B} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2405.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\regedit.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:55 AM

Posted 01 July 2006 - 08:07 AM

Hello,

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN not listed, download and run this uninstaller.

Reboot when done! Really important!

After reboot, Can you rename Hijackthis.exe to Analyse.exe
Then scan with Analyse.exe and post the log in your next reply (which will be a hijackthislog ofcourse)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 sevenn

sevenn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 01 July 2006 - 02:17 PM

Ran downloaded Oin uninstaller an found cowabanga oin and unistalled it as well. after running oin unistall, it stated that some might only be detected after reboot. does this meen i should run again or is that already in place.

by chance could you also explain why C:\WINDOWS\System32\wuauclt.exe runs twice in the running processes along with C:\WINDOWS\System32\svchost.exe

Also I know whensave is adware, but it is tied to a program i use and norton says it is low risk. it does not even show up in firefox. only when running i explorer.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:37 PM, on 7/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\XP\My Documents\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.amazon.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\prefs.js)
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\compstuic.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll (file missing)
O2 - BHO: (no name) - {C5A36FA5-B648-4D72-AED7-539EC84A3955} - C:\WINDOWS\System32\gebcb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: SpeedStream Wireless LAN Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Help - {1D5ABB08-6670-40E0-AC91-78104E12009B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {9337C8DD-B38C-4CC0-B76B-8EEF1B53A48A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C6FECAF5-A394-474D-ACFE-8B201C5FED9B} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2405.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\regedit.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g3157687.dll
O20 - Winlogon Notify: gebcb - C:\WINDOWS\System32\gebcb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:55 AM

Posted 01 July 2006 - 06:23 PM

Hello,

it stated that some might only be detected after reboot. does this meen i should run again or is that already in place


This means that a reboot was needed to delete some files that were in use previously. That's why I also said in my previous post how important the reboot was.

Also I know whensave is adware, but it is tied to a program i use

I don't know what program you use that installed this adware, but I really advise NOT to use that program and uninstall it together with whenusave/save, because that's what we are trying to accomplish here, trying to get your system malware free and adware is malware as well.
There should be other alternatives which are adware free instead of that program that is bundled with WhenUsave.

Please perform next steps in the right order..

Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was been found, Right click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\System32\gebcb.dll
  • Copy and paste next in the second field: C:\WINDOWS\System32\bcbeg.*
  • Click the Add Files button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
* Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\compstuic.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll (file missing)
O2 - BHO: (no name) - {C5A36FA5-B648-4D72-AED7-539EC84A3955} - C:\WINDOWS\System32\gebcb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2405.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\regedit.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g3157687.dll
O20 - Winlogon Notify: gebcb - C:\WINDOWS\System32\gebcb.dll
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Just to be sure that leftovers are gone, download and run this removal tool:
http://securityresponse.symantec.com/avcen...moval.tool.html

REBOOT afterwards!! Important!

After reboot, delete this file and folder:

C:\WINDOWS\System32\regedit.dll <== don't delete regedit.exe present in your Windows-folder!
C:\Program Files\Save <== folder

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with the contents of C:\vundofix.txt, the contents of the logfile c\windelf.txt and a new HiJackThis log.

Look here for more info about svchost.exe and why it runs more than one time in your processes:
http://windowsxp.mvps.org/svchost.htm
Look here for wuauclt.exe:
http://www.liutilities.com/products/wintas...ibrary/wuauclt/
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 sevenn

sevenn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 02 July 2006 - 02:53 AM

vundofix would not reopen after checking run vundofix as a task on own. I let it sit for a half hour twice. so i re-opened manually and scan for vundo

during hijackthis a message appeared:
an unexpected error has occureded at procedure modbackup_makebackup(sken = o2o-Applnit_DLLs:
C:\windows\system32\regedit.dll)
Error #5 - invalid procedure call or argument

could not find to delete ask instructed by you either

02-BHO:(no name) - {062492AF-392E-479D-F52-A7A4BCA0307} - Cwindows\compstuic.dll
was not in hijackthis list along with on of the 020 - winligon notify


in panda scan I see C:\Documents and Settings\XP\Local Settings\Application Data\4b8836b7.exe
I tried deleting this a while back, but just could not figure out how.

thanks for help so far. I did not think things where this severe. live and learn
---------------------------------------------------------------------------------------------------------------------------
Panda
Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.com.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.overture.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.go.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.revenue.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.statse.webtrendslive.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[banners.searchingbooth.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[c.enhance.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[fe.lea.lycos.fr/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Firefox\Profiles\iuq800tr.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\cookies.txt[.bfast.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\XP\Cookies\xp@ad.yieldmanager[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\XP\Cookies\xp@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\XP\Cookies\xp@stats1.reliablestats[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\XP\Desktop\win32delfkil\Process.exe
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\XP\Local Settings\Application Data\4b8836b7.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\XP\Local Settings\Temporary Internet Files\Content.IE5\1G78FQ6T\anti4[1].exe
Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected C:\Documents and Settings\XP\Local Settings\Temporary Internet Files\Content.IE5\1G78FQ6T\SystemDoctor2006FreeInstall[1].exe

---------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:34:41 AM, on 7/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Oadaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\XP\Desktop\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.amazon.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XP\Application Data\Mozilla\Profiles\default\h90903e5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: SpeedStream Wireless LAN Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Help - {1D5ABB08-6670-40E0-AC91-78104E12009B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {9337C8DD-B38C-4CC0-B76B-8EEF1B53A48A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C6FECAF5-A394-474D-ACFE-8B201C5FED9B} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------------------------------------------------------------------------

VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.6

Scan started at 11:57:27 PM 7/1/2006

Listing files found while scanning....


C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\gebcb.dll
Attempting to delete C:\WINDOWS\system32\bcbeg.bak1
C:\WINDOWS\system32\bcbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bcbeg.bak2
C:\WINDOWS\system32\bcbeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bcbeg.tmp
C:\WINDOWS\system32\bcbeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\bcbeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\gebcb.dll Has been deleted!

Performing Repairs to the registry.
Done!

----------------------------------------------------------------------------------------------------------------------------
************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
g3157687.dll
compstuic.dll

File(s) found in system32 folder
--------------------------------
admparsel.dll

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"


sharedtaskkey: 259BA022-2005-45E9-A965-10EDB9C00605
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}]
@="C:\\WINDOWS\\g3157687.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InprocServer32]
@="C:\\WINDOWS\\g3157687.dll"
"ThreadingModel"="Apartment"


sharedtaskkey: 0B5F7FDF-0717-45BF-B49D-695F3168C7FE
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}\InprocServer32]
@="C:\\WINDOWS\\system32\\admparsel.dll"
"ThreadingModel"="Apartment"



Notify key
----------
subkey cfgmngr32 is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------
g3157687.dll

File(s) found in system32 folder
--------------------------------
Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



Notify key
----------

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:55 AM

Posted 02 July 2006 - 03:56 AM

Hello,

Yes I know that some entries would be gone in your hijackthislog after running Vundofix and windelfkil. It is also normal that Hijackthis gives that error after checking and fixing that O20 entry - so don't worry.
The reason why Vundofix didn't reopen is most probably because of Norton interfering. But the vundofix did its job after all, so no need to rerun it.

We really made improvement here!

Your hijackthislog looks clean again.
Now let's deal with some leftovers --

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next files manually:

C:\Documents and Settings\XP\Local Settings\Application Data\4b8836b7.exe
C:\Windows\g3157687.dll <== if still present.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 sevenn

sevenn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 02 July 2006 - 09:18 AM

thank you. things seem to be operating properly. The only problem is my disk cleanup. I have used it long before this, but now it opens to calculate spaceable to free on (C:) and 3 bars display in the progress bar. it says scanning:compress old files below. it does nothing. When I check windows task manager, it say 92 to 99 for CPU as if it is operating fully. no matter the time it is left to caculate, it stays right where it is and doesnt take me to the next window to clean out areas. I also notice when I click the x button, it stays just as active in task mangager. I have to end process manually. Any ideas? can't I manually do thisas well?

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:55 AM

Posted 02 July 2006 - 09:28 AM

Hello,

Well, actually, this is normal that it can take a while when cleanmgr hasn't been performed in a while.

it says scanning:compress old files below. it does nothing


Well it looks like it doesn't do anything, but it does though...

So yes, the three bars can be there for a long time.

As an alternative, you can use Ccleaner instead:

Download CCleaner
1. During the install uncheck to install the Yahoo Toolbar
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.


In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:55 AM

Posted 08 July 2006 - 05:25 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users