Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cpvfeed & Zedo Adware Problem


  • This topic is locked This topic is locked
8 replies to this topic

#1 marker20

marker20

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 18 May 2007 - 05:17 PM

This problem began yesterday and it's ruining my life. I really need some help. Popups are occurring that have "cpvfeed", "zedo" and other headings and I can't get rid of them. Also, I tried as best I could to follow each step in your "before you post" process, but I can't say everyone was done properly. It seems like this infection is preventing some of the programs. My apologies if this makes your job harder. Here's my Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:38 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WiredRed\EPopS\EPopS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\smanager.7.exe
C:\WINDOWS\system32\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WiredRed\EPop\EPopB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Mark\Local Settings\Temp\HijackThis.exe

O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Network -p -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPWPTOOLBOX] C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\poxuythp.dll",realset
O4 - HKLM\..\Run: [{12-2F-FF-FE-ZN}] C:\windows\system32\nodsregm.exe CHD001
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcov.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Dlte] "C:\WINDOWS\SSTEM3~1\chkntfs.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ePop.lnk = C:\Program Files\WiredRed\EPop\EPopB.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: e/pop Server (RServer) - WiredRed Software - C:\Program Files\WiredRed\EPopS\EPopS.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Please help! Thanks!

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:22 PM

Posted 19 May 2007 - 12:36 PM

Hello,

Perform my next instructions in the right order..

Hijackthis is still in your temp-folder, so I strongly advise to create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\poxuythp.dll",realset
O4 - HKLM\..\Run: [{12-2F-FF-FE-ZN}] C:\windows\system32\nodsregm.exe CHD001
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcov.dll,startup
O4 - HKCU\..\Run: [Dlte] "C:\WINDOWS\SSTEM3~1\chkntfs.exe" -vt yazb
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 marker20

marker20
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 21 May 2007 - 03:41 PM

Combofix log:

"Mark" - 2007-05-21 13:13:20 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Mark\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dnuhgglk.dll
C:\WINDOWS\system32\ggtxonrt.dll
C:\WINDOWS\system32\gkuqfivj.dll
C:\WINDOWS\system32\pgbmsxkl.dll
C:\WINDOWS\system32\qopqn.dll
C:\WINDOWS\system32\vtsro.dll
C:\WINDOWS\system32\yabby.dll
C:\WINDOWS\system32\cbxvusr.dll
C:\WINDOWS\system32\xxyyawt.dll
C:\WINDOWS\system32\windig32.dll
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\klgghund.ini
C:\WINDOWS\system32\trnoxtgg.ini
C:\WINDOWS\system32\nqpoq.ini
C:\WINDOWS\system32\orstv.ini
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\hggebxv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\smpi1\lb5.exe
C:\WINDOWS\system32\smpi1\lb66.exe
C:\WINDOWS\system32\smpi1\lib06.exe
C:\WINDOWS\system32\smpi1\lib67.exe
C:\WINDOWS\system32\smpi1\lpc22.exe
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\mit.bat
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\sammy3.exe
C:\WINDOWS\rau001978.exe
C:\Program Files\thesearchaccelerator
C:\WINDOWS\system32\smpi1
C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\WINDOWS\SSTEM3~1
C:\qoobox\purity\C\WINDOWS\SSTEM3~1\s?stem32


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\core
-------\Net Agent


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-21 13:20 262,708 ---hs---- C:\WINDOWS\system32\yabbb.dll
2007-05-21 11:13 <DIR> d-------- C:\Program Files\Hijack This
2007-05-18 14:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-18 09:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-05-18 09:41 87,248 --a------ C:\DOCUME~1\Mark\APPLIC~1\winantiviruspro2007freeinstall[1].exe
2007-05-18 09:34 93,696 --a------ C:\WINDOWS\system32\drvcov.dll
2007-05-18 09:34 17,408 --a------ C:\WINDOWS\system32\avp.exe
2007-05-17 18:14 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-17 18:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-17 16:21 11,776 --a------ C:\WINDOWS\smanager.7.exe
2007-05-17 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-17 16:20 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-05-17 16:20 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-17 16:20 <DIR> d-------- C:\Program Files\Ofb11
2007-05-17 16:20 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-14 14:35 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\Stamps.com Internet Postage
2007-05-14 14:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
2007-05-14 14:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2007-05-14 14:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{0BE4A41F-2461-43DE-B799-C509D8395034}
2007-05-14 14:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-21 20:21:43 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-21 17:12:59 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG
2007-05-18 17:15:40 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-18 17:11:13 -------- d-----w C:\Program Files\Symantec
2007-05-18 00:48:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-18 00:46:17 -------- d-----w C:\Program Files\Building Systems Design
2007-05-14 21:36:31 -------- d-----w C:\Program Files\Stamps.com
2007-05-04 21:21:31 -------- d-----w C:\Program Files\pdf995
2007-05-01 17:53:25 2,241 ----a-w C:\WINDOWS\panose.bin
2007-04-20 18:10:47 794 ---ha-w C:\os350521.bin
2007-04-18 23:17:06 -------- d-----w C:\DOCUME~1\Mark\APPLIC~1\acccore
2007-04-18 23:16:49 -------- d-----w C:\Program Files\AIM6
2007-04-18 23:16:07 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-18 23:15:02 335 ----a-w C:\WINDOWS\nsreg.dat
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-19 19:46:06 -------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-06 09:41:30 90,112 ----a-w C:\WINDOWS\KVTE66.exe
2007-02-10 10:03:21 268,704 ----a-w C:\WINDOWS\OfB11_Setup.exe
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{3E1500AC-87A5-416b-A211-82E848649DA9}=C:\PROGRA~1\Ofb11\Ofb11.dll [2007-05-17 16:20]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 04:25]
{9566395F-43D2-4c64-B525-B501FFA276E2}=mscoree.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"Hpppta"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe" [2000-12-05 13:02]
"HPLJ Config"="C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" [2003-03-31 17:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 11:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 11:37]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 21:41]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HPWPTOOLBOX"="C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe" [2004-10-21 03:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"avp"="C:\WINDOWS\system32\avp.exe" [2007-05-18 09:34]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 01:04]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 19:22]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" [2006-09-06 19:37]
"SManager"="smanager.7.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-06 10:20]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-03-23 14:18]



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070521-130152-160
O4 - HKLM\..\Run: [SManager] smanager.7.exe

backup-20070521-130152-908
O4 - HKCU\..\Run: [Dlte] "C:\WINDOWS\SSTEM3~1\chkntfs.exe" -vt yazb

backup-20070521-130152-645
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)

backup-20070521-130152-154
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcov.dll,startup

backup-20070521-130152-790
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)

backup-20070521-130152-822
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe

backup-20070521-130152-288
O4 - HKLM\..\Run: [{12-2F-FF-FE-ZN}] C:\windows\system32\nodsregm.exe CHD001

backup-20070521-130152-185
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
Contents of the 'Scheduled Tasks' folder
2007-05-17 15:41:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-21 20:25:02 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 13:24:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-21 13:28:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-21 13:28

--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dnuhgglk.dll
C:\WINDOWS\system32\ggtxonrt.dll
C:\WINDOWS\system32\gkuqfivj.dll
C:\WINDOWS\system32\pgbmsxkl.dll
C:\WINDOWS\system32\qopqn.dll
C:\WINDOWS\system32\vtsro.dll
C:\WINDOWS\system32\yabby.dll
C:\WINDOWS\system32\cbxvusr.dll
C:\WINDOWS\system32\xxyyawt.dll
C:\WINDOWS\system32\windig32.dll
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\klgghund.ini
C:\WINDOWS\system32\trnoxtgg.ini
C:\WINDOWS\system32\nqpoq.ini
C:\WINDOWS\system32\orstv.ini
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\hggebxv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\smpi1\lb5.exe
C:\WINDOWS\system32\smpi1\lb66.exe
C:\WINDOWS\system32\smpi1\lib06.exe
C:\WINDOWS\system32\smpi1\lib67.exe
C:\WINDOWS\system32\smpi1\lpc22.exe
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\mit.bat
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\sammy3.exe
C:\WINDOWS\rau001978.exe
C:\Program Files\thesearchaccelerator
C:\WINDOWS\system32\smpi1
C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\WINDOWS\SSTEM3~1
C:\qoobox\purity\C\WINDOWS\SSTEM3~1\s?stem32


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\core
-------\Net Agent


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 13:35, on 2007-05-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WiredRed\EPopS\EPopS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\smanager.7.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WiredRed\EPop\EPopB.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\ComboFix\31055.cfexe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Network -p -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPWPTOOLBOX] C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ePop.lnk = C:\Program Files\WiredRed\EPop\EPopB.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: e/pop Server (RServer) - WiredRed Software - C:\Program Files\WiredRed\EPopS\EPopS.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Thanks!

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:22 PM

Posted 21 May 2007 - 04:29 PM

Hello,

Is your Norton/Symantec up to date? Because I actually cannot believe it left so many malware related files on your system... :thumbsup:

We are not finished yet, still A LOT to perform..
So perform next steps in the right order without missing any step! Important!

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\os350521.bin
C:\WINDOWS\AUTOLNCH.REG
C:\WINDOWS\system32\avp.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

After performing above...

* Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:

    C:\WINDOWS\system32\yabbb.dll
    C:\DOCUME~1\Mark\APPLIC~1\winantiviruspro2007freeinstall[1].exe
    C:\WINDOWS\system32\drvcov.dll
    C:\WINDOWS\system32\avp.exe
    C:\WINDOWS\smanager.7.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
    C:\WINDOWS\system32\winpfz32.sys
    C:\Program Files\Ofb11
    C:\Program Files\myCleanerPC
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\{E23E3BED-ADD9-4DF7-B375-5EC5E69FD666}
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\{0BE4A41F-2461-43DE-B799-C509D8395034}
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\{AB89557A-DCAD-4657-A970-8F9A3EFFB34D}
    C:\WINDOWS\KVTE66.exe
    C:\WINDOWS\OfB11_Setup.exe



  • Then click the red Moveit! button below.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.. Then it will reboot your computer.
Even though OTMoveIT didn't ask to reboot your computer - reboot anyway, this since moved files may still be in use.

Then, after reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Rescan again with Combofix and post the log your get (C:\Combofix.txt) in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 marker20

marker20
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 21 May 2007 - 06:28 PM

Thanks for your help so far. My Norton Antivirus is actually NOT up do date, because although my firm paid for and downloaded the update it cannot "configure" itself. I've been trying for about a week now to have the symantec customer service people help me fix the problem, but to no avail. This is just one more computer-related headache I'm currently dealing with. Thankfully you have been much more helpful.

So here is my new Combofix Log:

"Mark" - 2007-05-21 16:08:55 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Mark\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\WINDOWS\SSTEM3~1
C:\qoobox\purity\C\WINDOWS\SSTEM3~1\s?stem32


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-21 13:28 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-21 11:13 <DIR> d-------- C:\Program Files\Hijack This
2007-05-18 14:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-18 09:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-05-17 18:14 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-17 18:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-17 16:20 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-14 14:35 <DIR> d-------- C:\DOCUME~1\Mark\APPLIC~1\Stamps.com Internet Postage


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-21 23:02:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-21 17:12:59 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG
2007-05-18 17:15:40 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-18 17:11:13 -------- d-----w C:\Program Files\Symantec
2007-05-18 00:48:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-18 00:46:17 -------- d-----w C:\Program Files\Building Systems Design
2007-05-14 21:36:31 -------- d-----w C:\Program Files\Stamps.com
2007-05-04 21:21:31 -------- d-----w C:\Program Files\pdf995
2007-05-01 17:53:25 2,241 ----a-w C:\WINDOWS\panose.bin
2007-04-20 18:10:47 794 ---ha-w C:\os350521.bin
2007-04-18 23:17:06 -------- d-----w C:\DOCUME~1\Mark\APPLIC~1\acccore
2007-04-18 23:16:49 -------- d-----w C:\Program Files\AIM6
2007-04-18 23:16:07 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-18 23:15:02 335 ----a-w C:\WINDOWS\nsreg.dat
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-19 19:46:06 -------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 04:25]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"Hpppta"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe" [2000-12-05 13:02]
"HPLJ Config"="C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" [2003-03-31 17:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 11:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 11:37]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 21:41]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HPWPTOOLBOX"="C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe" [2004-10-21 03:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 01:04]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 19:22]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" [2006-09-06 19:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-06 10:20]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-03-23 14:18]


Contents of the 'Scheduled Tasks' folder
2007-05-17 15:41:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-21 23:05:49 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 16:11:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-21 16:12:27
C:\ComboFix-quarantined-files.txt ... 2007-05-21 16:12
C:\ComboFix2.txt ... 2007-05-21 13:29

--- E O F ---

Here's my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 16:22, on 2007-05-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WiredRed\EPop\EPopB.exe
C:\Program Files\WiredRed\EPopS\EPopS.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Network -p -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPWPTOOLBOX] C:\Program Files\Hewlett-Packard\HP Business Inkjet 2800 series\Toolbox\HPWPTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ePop.lnk = C:\Program Files\WiredRed\EPop\EPopB.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: e/pop Server (RServer) - WiredRed Software - C:\Program Files\WiredRed\EPopS\EPopS.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Thank You!!

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:22 PM

Posted 22 May 2007 - 12:19 AM

Hi,

Your log looks clean again.
Just an important thing to perform though..

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now.

Concerning your Norton, do next first:
* Download: HostsXpert
Unzip hoster to an own folder, eg C:\HostsXpert
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

Then try to update again.
If that didn't work, uninstall Norton, reboot your computer and reinstall it again.
You say you are already receiving help from the symantec customer service people... so if no luck with them either, I suggest you install a free alternative instead, because we really need to get this machine protected and Virusdefinitions up to date.
Look in my signature below under Antivirus for the ones I recommend. A great and free Antivirus is Avira. It's great in detection and removal. It also doesn't slow down your system that much as Norton does.
Keep in mind, if you decide to install another Antivirus, make sure you uninstall Norton first.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 marker20

marker20
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:22 PM

Posted 22 May 2007 - 02:01 PM

Thanks a million! Let me first say that I have no more pop-ups or adware problems, which is a great relief. My situation has changed somewhat since your last response so I haven't fully followed your latest instructions; here's why:

Our company's computer guy came in today and uninstalled Windows Defender and my unconfigured Norton Antivirus and installed Symantec Antivirus corporate version, which evidently never needs to be renewed. Do you know anything about this program?

I was also unable to install the JRE-- which may tie into a larger problem I'm having. Since removing the adware I'm having trouble opening certain links and visiting certain sites. I cannot open the gmail or hotmail pages, the browser just stays blank. I have an iGoogle homepage and cannot click on the separate tabs that should take you to other screens. I was also unable to download JRE; when I clicked on the "windows offline installation" link, nothing happened. I'm having trouble opening certain pop-up windows, for example a "demo" page on the Hewlett-Packard website and an email link on the symantec website. Do you know what may be causing this?

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:22 PM

Posted 22 May 2007 - 02:40 PM

Hi,

This is a bit confusing now since your company's computer guy modified some things as well now.

unconfigured Norton Antivirus

How do you mean? When you install another version of Norton, the previous version should be uninstalled.

nstalled Symantec Antivirus corporate version, which evidently never needs to be renewed. Do you know anything about this program?

I am not a big fan of Norton/Symantec in general since many people are having problems with it and actually it wouldn't suprise me that the problems with your Internet are caused by Norton. Because the problems you are describing are typically an issue which happens in most cases when Symantec is present (although I have seen it with Zonealarm as well)... and since the ccomputer guy installed another version of Norton and you're having these problems now..... hmmm

But ofcourse it could be because of the malware you were dealing with previously which corrupted some settings although I see similar infections everyday and deal with them and never heard a user complaining about these issues afterwards. But everything is possible here.

Anyway, it looks like you cannot login into SSL secured sites (hotmail - gmail) , you're having problems with certain scripts on pages (could be blocked by a firewall/Antivirus) and/or most probably your jscript.dll is not properly registered either anymore + other dlls. We'll look into that as well and fix it with a tool.


First, make sure metarefresh is enabled:

1. Open an IE window
2. Click Tools menu
3. Click Internet Options
4. Click the Security tab
5. Select the Internet web content zone
6. Click Custom Level
7. Scroll down to Allow Meta Refresh and select Enable
8. Click OK until you completely close IE

If that didn't fix the problem, start your computer in Windows Safe mode (with networking support - because it is supposed to have Internet Connection in Windows safe mode to test if it works there)
°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode with networking support from the menu that will appear and press Enter.

Then test if it works in Windows safe mode, if you cannot click the urls - links, open hotmail and gmail.
If it DOES work in Windows Safe mode, then it's your Norton/Symantec interfering - this since Norton/Symantec isn't loaded in Windows safe mode.
In that case let me know and don't proceed with the following steps.

If it also doesn't work in Windows safe mode, do next in Windows normal mode..

* Download Dial-a-fix from here:
http://wiki.djlizard.net/Dial-a-fix#Mirror...2C_and_articles
Then close your Internet Explorer
Doubleclick dial-a-fix.exe to start it.
Under "SSL/HTTPS/Cryptography", check the box: "Fix SSL/HTTPS/Cryptsvc".
Then click the GO button below.

Then look if that solved your problem for Hotmail and gmail. Then, we'll have to reregister some "programming dlls" and Internet Explorer related dlls as well. To do this, also use dial-a-fix for that. (close your Internet explorer again)
Open dial-a-fix and under the "Registration Center", check the checkboxes: "Programming cores/runtimes" and "explorer/IE/OE/Shell/WMP"
Then click the GO button below.

Let me know if any of them fixed your problem.

Edited to fix link for dial-a-fix

Edited by miekiemoes, 22 May 2007 - 02:48 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:22 PM

Posted 02 June 2007 - 03:49 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users