Can Someone Look At This


15 replies to this topic

#1 catlover07

catlover07

  • Members
  • 12 posts

Posted 25 June 2007 - 01:06 PM

I know I have a problem, just not sure if anyone can tell me if it's in here. I have no idea what is what and do not want to willy-nilly fix it. I have a problem with Smitfraud-C and with Virtumundo and WinFixer; Spybot can't delete the problems. Any assistance would be appreciated.




Logfile of HijackThis v1.99.1
Scan saved at 11:03:07 AM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\pyynrqfr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1174627074\ee\AOLOpenRide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3607B634-25E9-4869-A680-1B6B3489C8E2} - \
O2 - BHO: (no name) - {4BB62340-77B0-4C4A-8D29-5DDEBDC6D35A} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {634F19F5-816B-D9CC-4F1B-8F8DBE2782CF} - C:\WINDOWS\system32\gqdx.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174708704218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\pyynrqfr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 25 June 2007 - 06:06 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum catlover07 :thumbsup:

Download Killbox by Option^Explicit:
http://download.bleepingcomputer.com/spyware/KillBox.exe
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\pyynrqfr.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\poolsv.exe


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

*********************

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
DomainService
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.


Click on Start/Run, type CMD then press Ok.
At the Command Prompt copy and paste the following command, then press Enter:

SC DELETE DomainService

Then type EXIT then press Enter.

Restart your pc.

*********************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*********************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


*********************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

Also post a new HijackThis log please.
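The entries singled out in the reply above (the two autoruns in C:\WINDOWS with system-lookalike names and the DomainService entry with no vendor) can be picked out of a HijackThis log mechanically. The following triage script is an added example, not part of this thread or of HijackThis itself: it parses the O2, O4 and O23 line formats shown in the log and flags autorun images whose name is one character away from a core Windows process, services with an empty vendor string, and BHOs whose DLL is missing. The system-name list and the sample lines are constructed for the example (the sample lines are copied from the log posted above).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known Windows process names that malware often imitates with a
# one-character spelling change (reference list constructed for this example).
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                "services.exe", "winlogon.exe", "explorer.exe", "smss.exe"}

# Constructed sample: a handful of O2/O4/O23 lines copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4BB62340-77B0-4C4A-8D29-5DDEBDC6D35A} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\pyynrqfr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<entry>[^\]]*)\] (?P<command>.*)$")
# An empty vendor field is printed by HijackThis as "Name - - path".
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) -(?: (?P<vendor>.*?))? - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # O2 / O4 / O23
    subject: str   # file name, CLSID or service name the finding is about
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the system binary this file name imitates, or None."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    for known in SYSTEM_NAMES:
        if edit_distance(name, known) == 1:
            return known
    return None


def image_path(command: str) -> str:
    """Extract the executable path from an O4 command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis O2/O4/O23 lines and return entries worth a closer look.
    These are heuristics: a hit means 'inspect this', not 'this is malware'."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            target = m.group("target")
            if target.endswith("(file missing)") or target in ("(no file)", "\\"):
                fname = target.replace(" (file missing)", "").split("\\")[-1]
                subject = fname if fname.lower().endswith(".dll") else "{%s}" % m.group("clsid")
                findings.append(Finding("O2", subject, "BHO registered but its DLL is gone (orphaned entry)"))
        elif m := O4_RE.match(line):
            fname = image_path(m.group("command")).split("\\")[-1]
            if known := lookalike_of(fname):
                findings.append(Finding("O4", fname, f"autorun image name imitates {known}"))
        elif m := O23_RE.match(line):
            if not m.group("vendor"):
                findings.append(Finding("O23", m.group("display"),
                                        "service has no vendor string; inspect " + m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.subject}: {f.reason}")
```

Run against the sample it reports ssqpq.dll, poolsv.exe, svhost.exe and DomainService, the same four items the reply above targets with Killbox and SC DELETE; legitimate entries such as ccApp.exe and SAVScan are left alone.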

#3 catlover07

catlover07
  • Topic Starter

  • Members
  • 12 posts

Posted 25 June 2007 - 09:43 PM

Pocket Killbox version 2.0.0.881
Running on Windows XP as Danielle(Administrator)
was started @ Monday, June 25, 2007, 6:59 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\pyynrqfr.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\svhost.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\poolsv.exe


I Rebooted @ 7:04:25 PM
Killbox Closed(Exit) @ 7:04:37 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Danielle(Administrator)
was started @ Monday, June 25, 2007, 7:07 PM





VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:26:27 AM 6/25/2007

Listing files found while scanning....

C:\windows\system32\eqkpgovc.exe
C:\WINDOWS\system32\hggddaw.dll
C:\windows\system32\hggedda.dll
C:\WINDOWS\system32\hsxbcxot.dll
C:\windows\system32\npsshxuo.ini
C:\windows\system32\ouxhsspn.dll
C:\windows\system32\qpqss.bak1
C:\windows\system32\qpqss.bak2
C:\windows\system32\qpqss.ini
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\toxcbxsh.ini
C:\WINDOWS\system32\vraoubvd.dll

Beginning removal...

Attempting to delete C:\windows\system32\eqkpgovc.exe
C:\windows\system32\eqkpgovc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggddaw.dll
C:\WINDOWS\system32\hggddaw.dll Has been deleted!

Attempting to delete C:\windows\system32\hggedda.dll
C:\windows\system32\hggedda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hsxbcxot.dll
C:\WINDOWS\system32\hsxbcxot.dll Could not be deleted.

Attempting to delete C:\windows\system32\npsshxuo.ini
C:\windows\system32\npsshxuo.ini Has been deleted!

Attempting to delete C:\windows\system32\ouxhsspn.dll
C:\windows\system32\ouxhsspn.dll Has been deleted!

Attempting to delete C:\windows\system32\qpqss.bak1
C:\windows\system32\qpqss.bak1 Has been deleted!

Attempting to delete C:\windows\system32\qpqss.bak2
C:\windows\system32\qpqss.bak2 Has been deleted!

Attempting to delete C:\windows\system32\qpqss.ini
C:\windows\system32\qpqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\ssqpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\toxcbxsh.ini
C:\WINDOWS\system32\toxcbxsh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vraoubvd.dll
C:\WINDOWS\system32\vraoubvd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:36:57 AM 6/25/2007

Listing files found while scanning....

C:\windows\system32\hsxbcxot.dll

Beginning removal...

Attempting to delete C:\windows\system32\hsxbcxot.dll
C:\windows\system32\hsxbcxot.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:13:49 PM 6/25/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...




2006-12-28 21:35	  803	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Danielle\Desktop\Internet Explorer.lnk.vir
2007-06-06 16:06	  274432	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\S7\wbb22.exe.vir
2007-06-12 01:01	  32768	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\o09PrEz\o09PrEz1099.exe.vir
2007-06-12 01:12	  99855	--a------	C:\Qoobox\Quarantine\C\WINDOWS\b122.exe.vir
2007-06-16 15:13	  86056	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\S4\wen2.exe.vir
2007-06-18 23:00	  115606	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\S2\mwspasrt83122.exe.vir
2007-06-20 07:55	  10838	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\S7\wr620.exe.vir
2007-06-21 16:11	  164787	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2007-06-21 16:11	  72832	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
2007-06-21 16:40	  20	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode.vir
2007-06-21 16:40	  5	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr.vir
2007-06-21 16:48	  3630	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Danielle\APPLIC~1\WinAntiSpyware 2007\Logs\update.log.vir
2007-06-24 17:47	  500	--a------	C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-06-25 19:26	  1220	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
2007-06-25 19:26	  218930	--a------	C:\Qoobox\Quarantine\catchme2007-06-25_192958.03.zip
2007-06-25 19:26	  340	--a------	C:\Qoobox\Quarantine\catchme.log
2007-06-25 19:26	  994	--a------	C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf


Folder PATH listing
Volume serial number is 40F7-04CB
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-06-25_192958.03.zip
	|   
	+---C
	|   +---DOCUME~1
	|   |   +---ALLUSE~1
	|   |   |   \---APPLIC~1
	|   |   |	   \---WinAntiSpyware 2007
	|   |   |		   \---Data
	|   |   |				   Abbr.vir
	|   |   |				   ProductCode.vir
	|   |   |				   
	|   |   \---Danielle
	|   |	   +---APPLIC~1
	|   |	   |   \---WinAntiSpyware 2007
	|   |	   |	   \---Logs
	|   |	   |			   update.log.vir
	|   |	   |			   
	|   |	   \---Desktop
	|   |			   Internet Explorer.lnk.vir
	|   |			   
	|   \---WINDOWS
	|	   |   b122.exe.vir
	|	   |   wr.txt.vir
	|	   |   
	|	   \---system32
	|		   +---drivers
	|		   |	   core.cache.dsk.vir
	|		   |	   core.sys.vir
	|		   |	   
	|		   +---o09PrEz
	|		   |	   o09PrEz1099.exe.vir
	|		   |	   
	|		   +---S2
	|		   |	   mwspasrt83122.exe.vir
	|		   |	   
	|		   +---S4
	|		   |	   wen2.exe.vir
	|		   |	   
	|		   \---S7
	|				   wbb22.exe.vir
	|				   wr620.exe.vir
	|				   
	\---Registry_backups
			LEGACY_CORE.reg.cf
			services_core.reg.cf





SmitFraudFix v2.195

Scan done at 19:36:14.65, Mon 06/25/2007
Run from C:\Documents and Settings\Danielle\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1174627074\ee\AOLOpenRide.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Danielle


C:\Documents and Settings\Danielle\Application Data


Start Menu


C:\DOCUME~1\Danielle\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 66.171.50.251
DNS Server Search Order: 66.171.40.85

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1D0DF88B-52EE-4417-8D66-EF8C51D7A713}: DhcpNameServer=66.171.50.251 66.171.40.85
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1D0DF88B-52EE-4417-8D66-EF8C51D7A713}: DhcpNameServer=66.171.50.251 66.171.40.85
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1D0DF88B-52EE-4417-8D66-EF8C51D7A713}: DhcpNameServer=66.171.50.251 66.171.40.85
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.171.50.251 66.171.40.85
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.171.50.251 66.171.40.85
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.171.50.251 66.171.40.85


Scanning for wininet.dll infection


End



Logfile of HijackThis v1.99.1
Scan saved at 7:41:15 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1174627074\ee\AOLOpenRide.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3607B634-25E9-4869-A680-1B6B3489C8E2} - \
O2 - BHO: (no name) - {4BB62340-77B0-4C4A-8D29-5DDEBDC6D35A} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {634F19F5-816B-D9CC-4F1B-8F8DBE2782CF} - C:\WINDOWS\system32\gqdx.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174708704218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.e


I did all of the above that you asked; here are all the logs you requested. I thank you so much for all your help, it is much appreciated! I will wait for a reply, and again thank you so very much.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:42 AM

Posted 26 June 2007 - 03:48 AM

You haven't posted the whole Combofix.txt
Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

#5 catlover07

catlover07
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:42 PM

Posted 26 June 2007 - 10:25 AM

"Danielle" - 2007-06-26 8:21:39 - ComboFix 07-06-26.4 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-25 19:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 18:59 <DIR> d-------- C:\!KillBox
2007-06-25 09:53 3,116 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-25 09:26 <DIR> d-------- C:\VundoFix Backups
2007-06-25 09:22 122,900 --a------ C:\WINDOWS\system32\fmvhiwwk.exe
2007-06-24 20:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-24 20:50 5,037,072 --a------ C:\Program Files\spybotsd14.exe
2007-06-24 09:20 122,900 --a------ C:\WINDOWS\system32\hltifmry.exe
2007-06-24 09:20 122,900 --a------ C:\WINDOWS\system32\dofngash.exe
2007-06-23 08:22 122,900 --a------ C:\WINDOWS\system32\pioxeyix.exe
2007-06-23 08:19 4,628 --a------ C:\WINDOWS\system32\soqhyijv.exe
2007-06-22 08:19 122,900 --a------ C:\WINDOWS\system32\vlxlneup.exe
2007-06-22 07:39 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-06-21 20:27 497 ---hs---- C:\WINDOWS\system32\cccdd.ini2
2007-06-21 16:10 <DIR> d-------- C:\Temp
2007-06-18 11:59 163,840 --a------ C:\Program Files\TTC.dll
2007-06-09 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-07 20:13 <DIR> d-------- C:\DOCUME~1\Danielle\APPLIC~1\CyberLink
2007-06-07 20:02 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-06-07 20:02 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-06-07 20:02 198,144 --------- C:\WINDOWS\system32\_psisdecd.dll
2007-06-07 20:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cyberlink
2007-06-07 20:01 89,088 --------- C:\WINDOWS\system32\atl71.dll
2007-06-07 20:01 1,060,864 --------- C:\WINDOWS\system32\MFC71.dll
2007-06-07 20:01 1,047,552 --------- C:\WINDOWS\system32\MFC71u.dll
2007-06-07 19:59 <DIR> d-------- C:\Program Files\Digital Photo Navigator 1.5
2007-06-07 19:59 <DIR> d-------- C:\MyWorks
2007-05-31 19:54 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\AOL
2007-05-31 19:51 <DIR> d-------- C:\Program Files\AOL 9.0a


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 01:37:13 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-25 17:56:03 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-22 14:31:10 -------- d-----w C:\Program Files\Yahoo!
2007-06-22 04:25:35 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-11 01:31:19 38,816 ----a-w C:\DOCUME~1\Danielle\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-08 03:03:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-08 03:03:12 -------- d-----w C:\Program Files\CyberLink
2007-06-07 16:53:02 -------- d-----w C:\DOCUME~1\Danielle\APPLIC~1\AOL
2007-06-07 16:51:33 -------- d-----w C:\Program Files\America Online 9.0
2007-06-07 01:06:12 -------- d-----w C:\Program Files\Toribash-2.5
2007-06-01 02:51:36 -------- d-----w C:\Program Files\Common Files\aolshare
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-05 14:18:59 -------- d-----w C:\Program Files\AOL 9.0
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 06:49:06 54,784 ----a-w C:\WINDOWS\system32\Inetwh32.dll
2007-04-18 06:49:06 1,044,480 ----a-w C:\WINDOWS\system32\roboex32.dll
2007-04-18 06:49:03 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll
2004-08-04 10:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 10:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 10:00:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 10:00:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 10:00:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 10:00:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 10:00:00 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 10:00:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 10:00:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{3607B634-25E9-4869-A680-1B6B3489C8E2}=\ [2007-06-25 19:30]
{4BB62340-77B0-4C4A-8D29-5DDEBDC6D35A}=C:\WINDOWS\system32\ssqpq.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-11-07 06:20]
{634F19F5-816B-D9CC-4F1B-8F8DBE2782CF}=C:\WINDOWS\system32\gqdx.dll []
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll [2007-03-23 13:35]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 13:29]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2003-10-22 10:38]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2003-08-17 17:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 18:45]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-10-22 10:42]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-12-28 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-28 19:05]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 22:05]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 C:\WINDOWS\stsystra.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-18 21:27]
"HostManager"="C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe" [2006-09-25 17:52]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-12 19:40]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35c7f5d8-c4ea-11db-95b5-00038a000015}]
AutoRun\command- F:\JDSecure\Windows\JDSecure20.exe


Contents of the 'Scheduled Tasks' folder
2007-06-23 03:21:09 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
2007-06-26 15:24:03 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 08:24:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 8:24:30
C:\ComboFix-quarantined-files.txt ... 2007-06-26 08:24

--- E O F ---

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:42 AM

Posted 26 June 2007 - 10:50 AM

Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\fmvhiwwk.exe
C:\WINDOWS\system32\hltifmry.exe
C:\WINDOWS\system32\dofngash.exe
C:\WINDOWS\system32\pioxeyix.exe
C:\WINDOWS\system32\soqhyijv.exe
C:\WINDOWS\system32\vlxlneup.exe
C:\WINDOWS\system32\cccdd.ini2


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

Also post a new Hijackthis log please.


#7 catlover07

catlover07
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:42 PM

Posted 26 June 2007 - 11:16 AM

I ran Killbox.exe again. Two things: it never gives me a prompt that asks me to click Yes to delete on reboot, and it does not give me an option to click OK at any PendingFileRenameOperations prompt.

Here is the log again. Thank you.

Pocket Killbox version 2.0.0.881
Running on Windows XP as Danielle(Administrator)
was started @ Monday, June 25, 2007, 6:59 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\pyynrqfr.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\svhost.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\poolsv.exe


I Rebooted @ 7:04:25 PM
Killbox Closed(Exit) @ 7:04:37 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Danielle(Administrator)
was started @ Monday, June 25, 2007, 7:07 PM

Killbox Closed(Exit) @ 7:08:24 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Danielle(Administrator)
was started @ Tuesday, June 26, 2007, 9:06 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\fmvhiwwk.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\hltifmry.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\dofngash.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\pioxeyix.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\soqhyijv.exe


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\vlxlneup.exe


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\cccdd.ini2


I Rebooted @ 9:08:14 AM
Killbox Closed(Exit) @ 9:08:33 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Danielle(Administrator)
was started @ Tuesday, June 26, 2007, 9:11 AM


Here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:15:13 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1174627074\ee\AOLOpenRide.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3607B634-25E9-4869-A680-1B6B3489C8E2} - \
O2 - BHO: (no name) - {4BB62340-77B0-4C4A-8D29-5DDEBDC6D35A} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {634F19F5-816B-D9CC-4F1B-8F8DBE2782CF} - C:\WINDOWS\system32\gqdx.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174708704218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:42 AM

Posted 26 June 2007 - 11:35 AM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {3607B634-25E9-4869-A680-1B6B3489C8E2} - \
O2 - BHO: (no name) - {4BB62340-77B0-4C4A-8D29-5DDEBDC6D35A} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O2 - BHO: (no name) - {634F19F5-816B-D9CC-4F1B-8F8DBE2782CF} - C:\WINDOWS\system32\gqdx.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#9 catlover07

catlover07
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:42 PM

Posted 26 June 2007 - 11:37 AM

Richie,

When I run killbox and I try to paste from clipboard it does not paste the files.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:06:42 AM

Posted 26 June 2007 - 11:40 AM

OK, run Avenger before running the SuperAntiSpyware instructions.

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\fmvhiwwk.exe
C:\WINDOWS\system32\hltifmry.exe
C:\WINDOWS\system32\dofngash.exe
C:\WINDOWS\system32\pioxeyix.exe
C:\WINDOWS\system32\soqhyijv.exe
C:\WINDOWS\system32\vlxlneup.exe
C:\WINDOWS\system32\cccdd.ini2

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

#11 catlover07

catlover07
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:42 PM

Posted 26 June 2007 - 12:16 PM

Okay, well, unfortunately I have already run SuperAntiSpyware; I did not get your reply in time. Here is the SuperAntiSpyware log you requested. I guess I got a little ahead of myself... I was confidently thinking I was turning into a fix-it pro... I will humble myself back to rookie level and be more patient!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/26/2007 at 10:05 AM

Application Version : 3.9.1008

Core Rules Database Version : 3261
Trace Rules Database Version: 1272

Scan type : Complete Scan
Total Scan Time : 00:10:53

Memory items scanned : 495
Memory threats detected : 0
Registry items scanned : 5275
Registry threats detected : 0
File items scanned : 34231
File threats detected : 117

Adware.Tracking Cookie
C:\Documents and Settings\Danielle\Cookies\danielle@cpvfeed[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@questionmarket[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@atwola[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@adopt.specificclick[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@reztrack[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@ads.web.aol[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@2o7[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@pch.122.2o7[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@revsci[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@tribalfusion[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@nextag[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@shortmedia.us.intellitxt[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@imrworldwide[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@www.googleadservices[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@tacoda[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@ar.atwola[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@specificclick[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@atdmt[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@adopt.euroclick[2].txt
C:\Documents and Settings\Danielle\Cookies\danielle@ads.pointroll[1].txt
C:\Documents and Settings\Danielle\Cookies\danielle@doubleclick[1].txt
C:\Documents and Settings\Erica\Cookies\erica@2.adbrite[2].txt
C:\Documents and Settings\Erica\Cookies\erica@2o7[1].txt
C:\Documents and Settings\Erica\Cookies\erica@ad.yieldmanager[1].txt
C:\Documents and Settings\Erica\Cookies\erica@adbrite[2].txt
C:\Documents and Settings\Erica\Cookies\erica@adbrite[3].txt
C:\Documents and Settings\Erica\Cookies\erica@adopt.euroclick[2].txt
C:\Documents and Settings\Erica\Cookies\erica@adrevolver[2].txt
C:\Documents and Settings\Erica\Cookies\erica@ads.adbrite[2].txt
C:\Documents and Settings\Erica\Cookies\erica@ads.pointroll[1].txt
C:\Documents and Settings\Erica\Cookies\erica@ads.web.aol[2].txt
C:\Documents and Settings\Erica\Cookies\erica@advertising[2].txt
C:\Documents and Settings\Erica\Cookies\erica@ar.atwola[2].txt
C:\Documents and Settings\Erica\Cookies\erica@as-us.falkag[1].txt
C:\Documents and Settings\Erica\Cookies\erica@atdmt[2].txt
C:\Documents and Settings\Erica\Cookies\erica@atwola[1].txt
C:\Documents and Settings\Erica\Cookies\erica@bluestreak[1].txt
C:\Documents and Settings\Erica\Cookies\erica@casalemedia[2].txt
C:\Documents and Settings\Erica\Cookies\erica@citi.bridgetrack[1].txt
C:\Documents and Settings\Erica\Cookies\erica@doubleclick[1].txt
C:\Documents and Settings\Erica\Cookies\erica@edge.ru4[2].txt
C:\Documents and Settings\Erica\Cookies\erica@fastclick[2].txt
C:\Documents and Settings\Erica\Cookies\erica@fl01.ct2.comclick[2].txt
C:\Documents and Settings\Erica\Cookies\erica@interclick[2].txt
C:\Documents and Settings\Erica\Cookies\erica@media.adrevolver[1].txt
C:\Documents and Settings\Erica\Cookies\erica@mediaplex[1].txt
C:\Documents and Settings\Erica\Cookies\erica@precisionclick[1].txt
C:\Documents and Settings\Erica\Cookies\erica@questionmarket[2].txt
C:\Documents and Settings\Erica\Cookies\erica@realmedia[2].txt
C:\Documents and Settings\Erica\Cookies\erica@revsci[1].txt
C:\Documents and Settings\Erica\Cookies\erica@sales.liveperson[1].txt
C:\Documents and Settings\Erica\Cookies\erica@sales.liveperson[2].txt
C:\Documents and Settings\Erica\Cookies\erica@server.iad.liveperson[1].txt
C:\Documents and Settings\Erica\Cookies\erica@server.iad.liveperson[2].txt
C:\Documents and Settings\Erica\Cookies\erica@tacoda[1].txt
C:\Documents and Settings\Erica\Cookies\erica@trafficmp[2].txt
C:\Documents and Settings\Erica\Cookies\erica@tremor.adbureau[2].txt
C:\Documents and Settings\Erica\Cookies\erica@tribalfusion[1].txt
C:\Documents and Settings\Erica\Cookies\erica@www.smartadserver[2].txt
C:\Documents and Settings\Erica\Cookies\erica@xiti[1].txt
C:\Documents and Settings\Erica\Cookies\erica@zedo[1].txt
C:\Documents and Settings\JJ\Cookies\jj@2o7[1].txt
C:\Documents and Settings\JJ\Cookies\jj@advertising[2].txt
C:\Documents and Settings\JJ\Cookies\jj@atdmt[2].txt
C:\Documents and Settings\JJ\Cookies\jj@bizrate[1].txt
C:\Documents and Settings\JJ\Cookies\jj@bs.serving-sys[2].txt
C:\Documents and Settings\JJ\Cookies\jj@doubleclick[1].txt
C:\Documents and Settings\JJ\Cookies\jj@e-2dj6wfmicgcpoao.stats.esomniture[2].txt
C:\Documents and Settings\JJ\Cookies\jj@e-2dj6wjkycgd5gkq.stats.esomniture[2].txt
C:\Documents and Settings\JJ\Cookies\jj@e-2dj6wjkyckd5cdq.stats.esomniture[2].txt
C:\Documents and Settings\JJ\Cookies\jj@e-2dj6wjmicodpkgo.stats.esomniture[2].txt
C:\Documents and Settings\JJ\Cookies\jj@jumpman23.112.2o7[1].txt
C:\Documents and Settings\JJ\Cookies\jj@sales.liveperson[1].txt
C:\Documents and Settings\JJ\Cookies\jj@sales.liveperson[3].txt
C:\Documents and Settings\JJ\Cookies\jj@serving-sys[2].txt
C:\Documents and Settings\JJ\Cookies\jj@statcounter[1].txt
C:\Documents and Settings\JJ\Cookies\jj@tribalfusion[1].txt
C:\Documents and Settings\JJ\Cookies\jj@www.googleadservices[1].txt
C:\Documents and Settings\JJ\Cookies\jj@www.smartadserver[1].txt
C:\Documents and Settings\JJ\Cookies\jj@xiti[1].txt
C:\Documents and Settings\Nick\Cookies\nick@2o7[1].txt
C:\Documents and Settings\Nick\Cookies\nick@ad.yieldmanager[1].txt
C:\Documents and Settings\Nick\Cookies\nick@adlegend[1].txt
C:\Documents and Settings\Nick\Cookies\nick@adrevolver[2].txt
C:\Documents and Settings\Nick\Cookies\nick@ads.addynamix[1].txt
C:\Documents and Settings\Nick\Cookies\nick@ads.pointroll[1].txt
C:\Documents and Settings\Nick\Cookies\nick@advertising[1].txt
C:\Documents and Settings\Nick\Cookies\nick@ar.atwola[1].txt
C:\Documents and Settings\Nick\Cookies\nick@as-us.falkag[2].txt
C:\Documents and Settings\Nick\Cookies\nick@atdmt[2].txt
C:\Documents and Settings\Nick\Cookies\nick@atwola[2].txt
C:\Documents and Settings\Nick\Cookies\nick@bs.serving-sys[2].txt
C:\Documents and Settings\Nick\Cookies\nick@carasexe[2].txt
C:\Documents and Settings\Nick\Cookies\nick@casalemedia[2].txt
C:\Documents and Settings\Nick\Cookies\nick@doubleclick[1].txt
C:\Documents and Settings\Nick\Cookies\nick@drivecleaner[1].txt
C:\Documents and Settings\Nick\Cookies\nick@edge.ru4[2].txt
C:\Documents and Settings\Nick\Cookies\nick@fastclick[1].txt
C:\Documents and Settings\Nick\Cookies\nick@go.drivecleaner[1].txt
C:\Documents and Settings\Nick\Cookies\nick@go.drivecleaner[3].txt
C:\Documents and Settings\Nick\Cookies\nick@media.adrevolver[1].txt
C:\Documents and Settings\Nick\Cookies\nick@mediaplex[1].txt
C:\Documents and Settings\Nick\Cookies\nick@mediaservices.myspace[1].txt
C:\Documents and Settings\Nick\Cookies\nick@precisionclick[2].txt
C:\Documents and Settings\Nick\Cookies\nick@questionmarket[2].txt
C:\Documents and Settings\Nick\Cookies\nick@revsci[2].txt
C:\Documents and Settings\Nick\Cookies\nick@serving-sys[2].txt
C:\Documents and Settings\Nick\Cookies\nick@statcounter[2].txt
C:\Documents and Settings\Nick\Cookies\nick@stats.drivecleaner[2].txt
C:\Documents and Settings\Nick\Cookies\nick@tacoda[2].txt
C:\Documents and Settings\Nick\Cookies\nick@trafficmp[1].txt
C:\Documents and Settings\Nick\Cookies\nick@tremor.adbureau[1].txt
C:\Documents and Settings\Nick\Cookies\nick@tribalfusion[2].txt
C:\Documents and Settings\Nick\Cookies\nick@www.burstnet[1].txt
C:\Documents and Settings\Nick\Cookies\nick@www.drivecleaner[2].txt
C:\Documents and Settings\Nick\Cookies\nick@xiti[1].txt
C:\Documents and Settings\Nick\Cookies\nick@zedo[2].txt


and a new hijack log.....

Logfile of HijackThis v1.99.1
Scan saved at 10:13:51 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\program files\common files\aol\1174627074\ee\AOLOpenRide.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1174627074\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.6.0.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174708704218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{019A4211-0E2E-4DE0-AA03-E4B1E0CD860D}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:42 AM

Posted 26 June 2007 - 01:08 PM

Your Hijackthis log is clean.
If you haven't followed the Avenger instructions yet, please do so now.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.

#13 catlover07

catlover07
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 26 June 2007 - 01:33 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\eiwnctrn

*******************

Script file located at: \??\C:\Program Files\qukgscbl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\fmvhiwwk.exe not found!
Deletion of file C:\WINDOWS\system32\fmvhiwwk.exe failed!

Could not process line:
C:\WINDOWS\system32\fmvhiwwk.exe
Status: 0xc0000034



File C:\WINDOWS\system32\hltifmry.exe not found!
Deletion of file C:\WINDOWS\system32\hltifmry.exe failed!

Could not process line:
C:\WINDOWS\system32\hltifmry.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dofngash.exe not found!
Deletion of file C:\WINDOWS\system32\dofngash.exe failed!

Could not process line:
C:\WINDOWS\system32\dofngash.exe
Status: 0xc0000034



File C:\WINDOWS\system32\pioxeyix.exe not found!
Deletion of file C:\WINDOWS\system32\pioxeyix.exe failed!

Could not process line:
C:\WINDOWS\system32\pioxeyix.exe
Status: 0xc0000034



File C:\WINDOWS\system32\soqhyijv.exe not found!
Deletion of file C:\WINDOWS\system32\soqhyijv.exe failed!

Could not process line:
C:\WINDOWS\system32\soqhyijv.exe
Status: 0xc0000034



File C:\WINDOWS\system32\vlxlneup.exe not found!
Deletion of file C:\WINDOWS\system32\vlxlneup.exe failed!

Could not process line:
C:\WINDOWS\system32\vlxlneup.exe
Status: 0xc0000034



File C:\WINDOWS\system32\cccdd.ini2 not found!
Deletion of file C:\WINDOWS\system32\cccdd.ini2 failed!

Could not process line:
C:\WINDOWS\system32\cccdd.ini2
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:42 AM

Posted 26 June 2007 - 01:53 PM

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
Killbox
VundoFix.exe
Combofix
SmitfraudFix
Avenger

C:\VundoFix Backups
C:\!KillBox
C:\Avenger
C:\QooBox

--------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

--------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

--------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#15 catlover07

catlover07
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 27 June 2007 - 11:15 AM

Good morning. Sorry I haven't been back, my connection was down. I want to thank you for all the help in getting rid of my problem. I have one concern: I downloaded the Java Runtime Environment (JDK-6u1-windows) and deleted the other as per your instructions. Thing is, now certain videos and pictures don't come up on websites such as the AOL welcome screen; there is a blank spot where a picture or video should be. Have I done something wrong here? Again, thank you for your help. I continue to run SUPERAntiSpyware, and it continues to pick up adware, and I continue to prompt it to delete. I am guessing I just continue to do this for a while. Thank you again for the assistance, have a good day!
