removing command service



#1
js8386
Member, 13 posts

I am sure you guys get this problem a lot, but I have it now and I need your help to fix it. I have Command Service on my computer and I can't get rid of it. I have run Ad-Aware and Spybot. They both detect it but can't remove it. Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 8:48:36 PM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\swncu.exe
C:\WINDOWS\system32\swncu.exe
C:\WINDOWS\system32\swncu.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Joe\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\swncu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dsugfsi.exe
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [bfbpul] C:\WINDOWS\system32\cnwxun.exe reg_run
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [xchqv] C:\WINDOWS\system32\cnwxun.exe reg_run
O4 - Global Startup: uuiyb.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\lC6olaj31do.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Any help will be much appreciated.
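A defender's way to pull the logon-persistence entries out of a log like the one above, written here as an added example (not part of the original post and not a HijackThis feature). The sample input is an excerpt of the F2/O4/O20/O23 lines from the posted log; the Windows XP baseline values (stock Shell and UserInit, the set of stock Winlogon Notify DLLs, the system32 allowlist) are assumptions to adjust for the build being examined.

```python
import re

# Baseline for a stock Windows XP SP2 install (assumed; compared case-insensitively).
XP_SHELL = "explorer.exe"
XP_USERINIT = r"c:\windows\system32\userinit.exe"
# Winlogon Notify DLLs that ship with XP (assumed baseline; extend it for vendor DLLs).
XP_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
# Microsoft binaries that legitimately live in system32 and commonly appear under O4.
SYSTEM32_RUN_ALLOW = {"ctfmon.exe", "rundll32.exe"}

# Excerpt of the F2/O4/O20/O23 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\swncu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dsugfsi.exe
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [bfbpul] C:\WINDOWS\system32\cnwxun.exe reg_run
O4 - HKCU\..\Run: [xchqv] C:\WINDOWS\system32\cnwxun.exe reg_run
O4 - Global Startup: uuiyb.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\lC6olaj31do.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<val>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<where>HK\w+\\\.\.\\Run|Global Startup): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$", re.I)
BINARY_RE = re.compile(r'([^\\/"]+\.(?:exe|dll|scr|com|bat|pif))', re.I)


def binary_name(command):
    """Lower-case file name of the first executable-looking token in a path or command line."""
    m = BINARY_RE.search(command)
    return m.group(1).lower() if m else command.strip().lower()


def check_f2(key, value):
    """Shell= and UserInit= must name only the stock binary; anything extra runs at every logon."""
    expected = XP_SHELL if key.lower() == "shell" else XP_USERINIT
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in parts if p.lower() != expected]
    return f"{key} launches extra binaries at logon: {', '.join(extras)}" if extras else None


def check_o4(where, cmd):
    """Run keys and the Startup folder: oddly placed binaries are the usual adware loaders."""
    exe = binary_name(cmd)
    if where.lower() == "global startup":
        # Legitimate Startup-folder items are .lnk shortcuts; a raw .exe was dropped there.
        return f"executable dropped directly in the Startup folder: {exe}" if exe.endswith(".exe") else None
    if "\\system32\\" in cmd.lower() and exe not in SYSTEM32_RUN_ALLOW:
        return f"Run entry starts a non-Microsoft binary from system32: {exe}"
    return None


def check_o20(dll):
    """Winlogon Notify DLLs load into winlogon.exe; anything outside the baseline is suspect."""
    name = binary_name(dll)
    return f"Winlogon Notify DLL outside the XP baseline: {name}" if name not in XP_NOTIFY_DLLS else None


def check_o23(owner, path):
    """Services whose binary is gone or unsigned deserve a look even if they are not malware."""
    if "(file missing)" in path.lower():
        return "service binary missing on disk (broken install or removed component)"
    if owner.strip().lower() == "unknown owner":
        return "service binary carries no publisher information"
    return None


def triage(log_text):
    """Return (section, reason, line) for every suspicious F2/O4/O20/O23 entry in a log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            reason = check_f2(m["key"], m["val"])
        elif m := O4_RE.match(line):
            reason = check_o4(m["where"], m["cmd"])
        elif m := O20_RE.match(line):
            reason = check_o20(m["dll"])
        elif m := O23_RE.match(line):
            reason = check_o23(m["owner"], m["path"])
        else:
            continue
        if reason:
            findings.append((line.split(" ", 1)[0], reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the excerpt it flags both F2 hijacks, the three randomly named O4 loaders, the O20 notify DLL and the broken Prevx service, while the PrevxOne Run entry and the ATI service pass.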



#2
js8386
Topic Starter, Member, 13 posts

Anyone know how to fix this? Please help.

#3
loophole
Malware Expert, Retired Staff, 9,798 posts

Hi :whistling:

Hmm, you have a lot more than the Command Service problem. We can fix that, but let's get rid of the more serious infections first :blink:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#4
js8386
Topic Starter, Member, 13 posts

Thank you for your help. Here is the ComboFix log.

Joe - 06-09-09 9:49:41.48
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Joe\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{9810866B-B27D-4C3A-BEBF-B9F12637ECDA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9810866B-B27D-4C3A-BEBF-B9F12637ECDA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9810866B-B27D-4C3A-BEBF-B9F12637ECDA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9810866B-B27D-4C3A-BEBF-B9F12637ECDA}\InprocServer32]
@="C:\\WINDOWS\\system32\\pEpsvc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1A01D53A-0B33-4C09-915C-7306DFBCF633}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A01D53A-0B33-4C09-915C-7306DFBCF633}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A01D53A-0B33-4C09-915C-7306DFBCF633}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A01D53A-0B33-4C09-915C-7306DFBCF633}\InprocServer32]
@="C:\\WINDOWS\\system32\\lC6olaj31do.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\dn0801due.dll
C:\WINDOWS\system32\dn6601jse.dll
C:\WINDOWS\system32\gymf32.dll
C:\WINDOWS\system32\h60q0gd5e60.dll
C:\WINDOWS\system32\jtro0793e.dll
C:\WINDOWS\system32\kvdinben.dll
C:\WINDOWS\system32\l06olaj31do.dll
C:\WINDOWS\system32\lC6olaj31do.dll
C:\WINDOWS\system32\mvlsl9371.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\cnwxun.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\cnwxun.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\swncu.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\dsugfsi.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-08 18:10 127488 cnwxun.exe.qoo
06-09-08 18:10 127488 uuiyb.exe.qoo
06-09-08 18:14 28672 swncu.exe.qoo
06-09-08 18:50 206 bidfl.dll.qoo
06-09-08 18:10 53 pvcocq.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\deskbar3.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\nwnmff_17.exe
C:\stub_113_4_0_4_0newer.exe
C:\warebundlenewer.exe
C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\uninst104.exe
C:\Program Files\Deskbar


((((((((((((((((((((((((((((((( Files Created from 2006-08-09 to 2006-09-09 ))))))))))))))))))))))))))))))))))


2006-09-08 18:22 84,480 --a------ C:\WINDOWS\system32\mscdaux.dll
2006-09-08 18:21 138 --a------ C:\WINDOWS\file.bat
2006-09-08 18:12 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-09-08 18:12 32,768 --a------ C:\WINDOWS\unstall.exe
2006-09-08 18:12 267,228 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-08 18:12 2,560 --a------ C:\WINDOWS\ac3_0002.exe
2006-09-08 18:12 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-09-08 18:12 115,160 --a------ C:\WINDOWS\Eim03.exe
2006-09-08 18:11 928 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-08 18:11 61,952 --a------ C:\WINDOWS\system32\hms35111.dll
2006-09-08 18:11 45,056 --a--c--- C:\TIGEN001.exe
2006-09-08 18:11 1,233 --a------ C:\WINDOWS\system32\hms35111.sys
2006-09-08 18:10 353,280 --a--c--- C:\803_104.exe
2006-09-08 18:10 23,552 --a------ C:\WINDOWS\system32\dsugfsi.exe
2006-09-08 18:10 2,560 --a--c--- C:\ac3_0003.exe
2006-09-08 18:10 1,140,000 -r-hs---- C:\WINDOWS\bxglusr.exe
2006-09-08 18:09 53,120 --a------ C:\WINDOWS\srvdatoyrs.exe
2006-09-08 18:09 30,208 --a--c--- C:\SS1001newer.exe
2006-09-08 18:09 215,308 --a------ C:\WINDOWS\srvdthadta.exe
2006-09-08 18:08 48,190 --a------ C:\WINDOWS\RDFX4.exe
2006-09-08 18:08 365,568 --a--c--- C:\814.exe
2006-08-21 15:48 53,248 --a------ C:\WINDOWS\uni_ehhhh.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-09 09:53 -------- d-------- C:\Program Files\Prevx1
2006-09-08 19:26 -------- d-------- C:\Program Files\Enigma Software Group
2006-09-08 18:08 -------- d-------- C:\Program Files\Online Services
2006-09-08 18:08 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-08 18:08 -------- d-------- C:\Program Files\Internet Explorer
2006-09-08 18:06 -------- d-------- C:\Program Files\Common Files\Services
2006-09-08 18:06 -------- d-------- C:\Program Files\Common Files
2006-09-08 18:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-08 18:02 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-08 18:00 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-09-08 17:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-08 12:34 -------- d-------- C:\Program Files\PokerStars
2006-08-30 17:05 -------- d-------- C:\Program Files\PartyPoker.net
2006-08-29 14:59 -------- d-------- C:\Documents and Settings\Joe\Application Data\Azureus
2006-08-28 20:24 -------- d-------- C:\Program Files\Warcraft III
2006-08-25 16:14 -------- d---s---- C:\Documents and Settings\Joe\Application Data\Microsoft
2006-08-24 11:55 13568 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
2006-08-20 19:57 -------- d-------- C:\Documents and Settings\Joe\Application Data\Prevx
2006-08-20 17:39 -------- d-------- C:\Documents and Settings\Joe\Application Data\Lavasoft
2006-08-20 17:38 -------- d-------- C:\Program Files\Lavasoft
2006-08-20 16:51 -------- d-------- C:\Program Files\Yahoo!
2006-08-20 15:56 -------- d-------- C:\Documents and Settings\Joe\Application Data\SpamBlocker
2006-08-20 01:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-20 01:17 -------- d-------- C:\Program Files\QuickTime
2006-08-20 01:13 -------- d-------- C:\Program Files\iTunes
2006-08-19 18:18 -------- d-------- C:\Program Files\Full Tilt Poker
2006-08-12 00:08 -------- d-------- C:\Program Files\PokerRoom.com
2006-08-10 18:47 7552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2006-08-10 18:47 265472 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2006-08-10 18:47 18432 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2006-08-10 18:47 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-08-10 18:47 100864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2006-08-10 16:20 -------- d-------- C:\Documents and Settings\Joe\Application Data\SpamBlockerUtility_Icons
2006-08-07 21:27 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-08-07 21:27 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-08-03 22:36 -------- d-------- C:\Program Files\PartyGaming
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-16 23:51 -------- d-------- C:\Program Files\LimeWire
2006-07-16 02:58 -------- d-------- C:\Program Files\TexasCalculatem


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"PrevxOne"="C:\\Program Files\\Prevx1\\PXConsole.exe"
"SpyHunter"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"SpybotSnD"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\kyzexewiv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Online Services\\howyv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,d0,02,00,00,00,00,00,00,d0,02,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sat 09/09/2006 9:56:10.67
ComboFix.txt

#5
js8386
Topic Starter, Member, 13 posts

I will be back later, so please post what I should do next and I will read it later.

#6
loophole
Malware Expert, Retired Staff, 9,798 posts

Hi :blink:

Man, that was a mess :whistling:

Please download the following items and save them all to your desktop (unzip them to the desktop if needed):

ATF Cleaner by Atribune.
Killbox by Option^Explicit.
delcmdservice (by Marckie)

1) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

2) Run delcmdservice (by Marckie)
* Unzip the content to your Desktop (a folder named delcmdservice)
* Double-click on the delcmdservice folder
* Double-click on delreg.bat to launch the tool

3) Run Killbox by Option^Explicit
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\mscdaux.dll
    C:\WINDOWS\TIELT001.exe
    C:\WINDOWS\unstall.exe
    C:\WINDOWS\popupwithcast.exe
    C:\WINDOWS\ac3_0002.exe
    C:\WINDOWS\MirarSetup_876057.exe
    C:\WINDOWS\system32\winpfg32.sys
    C:\WINDOWS\system32\hms35111.dll
    C:\TIGEN001.exe
    C:\803_104.exe
    C:\WINDOWS\system32\dsugfsi.exe
    C:\WINDOWS\bxglusr.exe
    C:\WINDOWS\srvdatoyrs.exe
    C:\SS1001newer.exe
    C:\WINDOWS\RDFX4.exe
    C:\814.exe
    C:\WINDOWS\uni_ehhhh.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot, please post a fresh HijackThis log.

Thanks :help:

#7
js8386
Topic Starter, Member, 13 posts

I ran the three programs and here is my new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:50:52 PM, on 9/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joe\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8
loophole
Malware Expert, Retired Staff, 9,798 posts

Do you still get the Command Service problem? (Your log looks good.)

#9
js8386
Topic Starter, Member, 13 posts

No, the pop-ups have stopped. But it seems like they are still trying to pop up, but they are unable to open the browser window, if that makes sense. The extra junk programs that were associated with this infection appear to be removed, so other than that everything looks good. Thanks a lot.

#10
loophole
Malware Expert, Retired Staff, 9,798 posts

Hi

Let's run an online scan. You were pretty infected, so there may be more than HijackThis can see.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new HijackThis log.



#11
js8386
Topic Starter, Member, 13 posts

Here is my ActiveScan report.

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Ssk.log
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Adware:adware/intcodec Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Virus:Trj/Multidropper.BKN Disinfected C:\!KillBox\803_104.exe
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\ac3_0002.exe
Adware:Adware/Qoologic Not disinfected C:\!KillBox\dsugfsi.exe
Virus:Trj/Downloader.KFW Disinfected C:\!KillBox\hms35111.dll
Adware:Adware/Mirar Not disinfected C:\!KillBox\MirarSetup_876057.exe
Adware:Adware/Deskwizz Not disinfected C:\!KillBox\RDFX4.exe
Adware:Adware/Dyfuca Not disinfected C:\!KillBox\srvdatoyrs.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\!KillBox\SS1001newer.exe
Adware:Adware/Zenosearch Not disinfected C:\!KillBox\TIELT001.exe
Adware:Adware/Zenosearch Not disinfected C:\!KillBox\TIGEN001.exe
Adware:Adware/DigInk Not disinfected C:\!KillBox\uni_ehhhh.exe
Adware:Adware/EliteBar Not disinfected C:\!KillBox\unstall.exe
Adware:Adware/DollarRevenue Not disinfected C:\ac3_0003.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[hc2.humanclick.com/hc/81675143]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Firefox\Profiles\46m1mi8x.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.adrevolver.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.apmebf.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.belnk.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.maxserving.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.qksrv.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.serving-sys.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.spylog.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.webpower.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.yadro.ru/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[searchportal.information.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.overture.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.azjmp.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.burstnet.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.adrevolver.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.fastclick.net/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.linksynergy.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.qksrv.net/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.bfast.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[searchportal.information.com/sp/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.revenue.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.revenue.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[server.iad.liveperson.net/hc/80570461]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.trafficmp.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.hitbox.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[server.iad.liveperson.net/hc/80503492]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.findwhat.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.clickbank.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.zedo.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[www.drivecleaner.com/.freeware/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.apmebf.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.perf.overture.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.com.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.target.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.sexlist.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.yadro.ru/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Joe\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe\Cookies\joe@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe\Cookies\joe@adrevolver[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Joe\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Joe\Cookies\[email protected][1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Joe\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe\Cookies\joe@realmedia[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Joe\Cookies\joe@tribalfusion[2].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Joe\Desktop\hijackthis\backups\backup-20060820-171931-876.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Joe\Desktop\hijackthis\backups\backup-20060820-171932-696.dll
Virus:Bck/Galapoper.LK Not disinfected C:\Documents and Settings\Joe\Desktop\Microsoft_Office_2003_Generic_Fixed_v2.rar[install.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe\Desktop\smitRem.exe[smitRem/Process.exe]
Virus:Trj/Downloader.KFW Disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\3S8M8QBO\ac3[1].txt
Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\3SGZ2X6L\amm06[1].ocx
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\3SL76X9W\MirarSetup_876057[1].exe
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\3SL76X9W\unstall[1].exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\EG7QV0Y2\TIELT001[1].exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\EG7QV0Y2\ucmoreiex[1].exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\EJSHME9D\TIGEN001[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\F87U0ZRP\al3[1].txt
Virus:Trj/PayClicker.EC Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\F87U0ZRP\Eim03[1].exe[²íÇ]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\F87U0ZRP\Installer[1].exe
Virus:Trj/Downloader.JYY Disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\F87U0ZRP\topaff[1].exe
Virus:Trj/PayClicker.EC Disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\GVIXAJ4J\Justin[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\M7TAYQ68\ac3_0003[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\W12Z4567\ac3_0002[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Common Files\mozilla.org\GRE\1.7.13_2006041421\smitRem\Process.exe
Potentially unwanted tool:Application/MyWebSearch Not
  • 0
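As an added example for working through a Panda ActiveScan log like the one above (this is my own code, not part of the thread and not Panda's), the script below parses each result line into category, name, status and path, splits the trailing `[...]` member name off archive and cookie entries, sets tracking cookies aside and lists what is still "Not disinfected". Lines it cannot parse, such as a cut-off last line, are kept separately so the truncation is visible rather than silently dropped. The sample lines are copied from the log above plus its truncated final line; the class and function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One Panda ActiveScan result line has the shape
#   <Category>:<Name> <Status> <Path>[<archive member or cookie domain>]
# where Status is "Not disinfected" or "Disinfected" and the bracketed tail is optional.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<location>.+)$"
)
# Split a trailing "[...]" off the path. Brackets that belong to a file name,
# such as "joe@adrevolver[1].txt", stay in the path because ".txt" follows them.
LOCATION_RE = re.compile(r"^(?P<path>.*?)(?:\[(?P<inner>[^\[\]]*)\])?$")


@dataclass
class Finding:
    category: str            # "Spyware", "Virus", "Adware", "Potentially unwanted tool", ...
    name: str                # "Cookie/Go", "Bck/Galapoper.LK", ...
    status: str              # "Not disinfected" or "Disinfected"
    path: str                # file on disk
    inner: Optional[str]     # member inside an archive, or cookie domain, if any

    @property
    def is_cookie(self) -> bool:
        return self.name.startswith("Cookie/")


def parse_line(line: str) -> Optional[Finding]:
    """Parse one result line; returns None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    loc = LOCATION_RE.match(m.group("location"))
    return Finding(m.group("category"), m.group("name"), m.group("status"),
                   loc.group("path"), loc.group("inner"))


def parse_log(text: str) -> Tuple[List[Finding], List[str]]:
    """Parse a whole log; unparseable lines (e.g. a cut-off final line) come back separately."""
    findings: List[Finding] = []
    unparsed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        f = parse_line(line)
        if f is None:
            unparsed.append(line)
        else:
            findings.append(f)
    return findings, unparsed


def triage(findings: List[Finding]) -> Dict[str, object]:
    """Separate low-priority tracking cookies from items that still need manual removal."""
    cookies = [f for f in findings if f.is_cookie]
    remaining = [f for f in findings if not f.is_cookie and f.status == "Not disinfected"]
    cleaned = [f for f in findings if not f.is_cookie and f.status == "Disinfected"]
    return {
        "cookie_count": len(cookies),
        "cookie_families": sorted({f.name for f in cookies}),
        "by_category": Counter(f.category for f in remaining),
        "needs_action": [(f.name, f.path, f.inner) for f in remaining],
        # detected inside an archive or installer: deleting the container removes the member
        "inside_archives": [f.path for f in remaining if f.inner],
        "already_disinfected": len(cleaned),
    }


# Sample lines copied from the log in this thread, plus its truncated last line.
SAMPLE_LOG = r"""
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\32mu8o3j.slt\cookies.txt[.go.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\Joe\n267g2xg.slt\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe\Cookies\joe@adrevolver[1].txt
Virus:Bck/Galapoper.LK Not disinfected C:\Documents and Settings\Joe\Desktop\Microsoft_Office_2003_Generic_Fixed_v2.rar[install.exe]
Virus:Trj/Downloader.KFW Disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\3S8M8QBO\ac3[1].txt
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\F87U0ZRP\Installer[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/MyWebSearch Not
"""

if __name__ == "__main__":
    found, bad = parse_log(SAMPLE_LOG)
    print(f"{len(found)} findings parsed, {len(bad)} line(s) could not be parsed: {bad}")
    for key, value in triage(found).items():
        print(f"{key}: {value}")
```

The cookie bucket is deliberately kept apart from the rest: on a log like this one the dozens of cookie hits are noise that a browser cache clear handles, while the handful of Virus, Adware and "Potentially unwanted tool" entries that are still "Not disinfected" are what the helper needs to act on.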

#12
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi :whistling:

Looks like the Panda log got cut off.

Did you run ATF cleaner? Go ahead and run it again if you did. Rerun Killbox with the previous instructions but put the below filepath in only:

c:\windows\system32\f3PSSavr.scr


After the reboot

Delete this folder C:\!KillBox

Clean out your Temporary Internet files. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Is everything running OK now?
  • 0

#13
js8386
    Member
  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hey man, I did that. Now I have another problem. There is an advertisement followed by what sounds like a 2 minute talk show clip, but I don't have any programs running for it and there are no programs that would pertain to it in my Task Manager. What the heck is that? Please help.
  • 0

#14
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
I have no clue. Let me see a new Hijack log please, and what is the ad for?
  • 0

#15
js8386
    Member
  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is the newest log, and by the way, the ad is for Pampers diapers. Of all the possible things it could be, it is diapers. lol


Logfile of HijackThis v1.99.1
Scan saved at 10:21:18 PM, on 9/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Joe\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
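As an added example of the kind of first pass a helper does on a HijackThis log like the one above (my own code, not part of this thread and not HijackThis), the script below parses the running-process list and the O4 (Run key), O20 (Winlogon Notify) and O23 (service) lines into records and attaches review flags: a binary under a user-writable location such as the profile or Temporary Internet Files, a service with no vendor (HijackThis prints "Unknown owner" for those), a Winlogon Notify DLL outside system32, or a bare file name with no directory. The sample lines are copied from the log above; the "Example Service" line is constructed so that the flags have something to fire on, and the system32 prefix assumes Windows on C:\WINDOWS as in this log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes taken from the HijackThis 1.99.1 log above:
#   O4  - HKLM\..\Run: [Name] "C:\path\prog.exe" -args
#   O20 - Winlogon Notify: Name - C:\path\lib.dll
#   O23 - Service: Display Name (ShortName) - Company - C:\path\svc.exe   ("(ShortName)" is optional)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<company>.+?) - (?P<path>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# First token of a Run command: a quoted path, or an unquoted path ending in a known extension.
EXE_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.(?:exe|dll|scr|com))(?:\s|$)', re.IGNORECASE)

# Assumption: the system drive is C: and Windows lives in C:\WINDOWS, as in the log above.
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    kind: str                 # "process", "O4", "O20" or "O23"
    name: str
    path: str
    company: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def executable_of(command: str) -> str:
    """Strip arguments from a Run command, honouring a quoted path."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group("quoted") or m.group("bare")


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; header and unrelated lines give None."""
    line = line.strip()
    if m := O4_RE.match(line):
        return Entry("O4", m.group("name"), executable_of(m.group("command")))
    if m := O20_RE.match(line):
        return Entry("O20", m.group("name"), m.group("path"))
    if m := O23_RE.match(line):
        return Entry("O23", m.group("short") or m.group("display"), m.group("path"), m.group("company"))
    if PROCESS_RE.match(line):
        return Entry("process", line.rsplit("\\", 1)[-1], line)
    return None


def assess(entry: Entry) -> Entry:
    """Attach review flags. None of these prove malice; they mark what to look at first."""
    p = entry.path.lower()
    if "\\" not in p:
        entry.flags.append("bare file name, location unknown")
    if any(marker in p for marker in USER_WRITABLE):
        entry.flags.append("binary in a user-writable location")
    if entry.kind == "O23" and entry.company == "Unknown owner":
        entry.flags.append("service reports no vendor")
    if entry.kind == "O20" and not p.startswith(SYSTEM32):
        entry.flags.append("Winlogon Notify DLL outside system32")
    return entry


def parse_hjt(text: str) -> List[Entry]:
    return [assess(e) for e in map(parse_entry, text.splitlines()) if e is not None]


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


# Lines copied from the log above; the "Example Service" line is constructed for this example.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Documents and Settings\Joe\Local Settings\Temp\placeholder.exe
"""

if __name__ == "__main__":
    for e in suspicious(parse_hjt(SAMPLE_HJT)):
        print(f"{e.kind} {e.name}: {e.path} -> {'; '.join(e.flags)}")
```

The flags are ordering hints, not verdicts: the real work is still checking each flagged binary against what is known about it, which is what the helper in this thread does by hand when reading the log.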