qoologoic.bj - need to remove [CLOSED]



#1 bjaked (Member, 12 posts)
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:13:08 PM, on 9/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\mofccn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\dxwgc.exe
C:\WINDOWS\System32\dxwgc.exe
C:\WINDOWS\System32\dxwgc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\tasknt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hjt\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\dxwgc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ntdkmst.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [lgjtcl] C:\WINDOWS\System32\mofccn.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [icqud] C:\WINDOWS\System32\mofccn.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: fvrdi.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QXNobGV5\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\System32\nlkfev7gowaei.exe (file missing)
O23 - Service: Network Station Task Manager (TKNT) - Unknown owner - C:\WINDOWS\tasknt.exe

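A triage helper for the HijackThis log format shown above, added here as an illustration (it is not part of this thread and not HijackThis's own code): it parses the F2, O4 and O23 lines, rates the two altered Winlogon hooks (Shell= and UserInit= with an extra program appended) as high, and marks unknown-owner services and loaders dropped straight into the Windows directory for manual review. The sample lines are constructed in the style of the log above; the "system directory" rule is a heuristic of this example, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the HijackThis v1.99 log format used in this thread:
# a mix of entries that look like the ones above and a few benign ones.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\dxwgc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ntdkmst.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [lgjtcl] C:\WINDOWS\System32\mofccn.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: fvrdi.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QXNobGV5\command.exe (file missing)
O23 - Service: Network Station Task Manager (TKNT) - Unknown owner - C:\WINDOWS\tasknt.exe
"""


@dataclass
class Finding:
    section: str    # HijackThis section tag (F2, O4, O23)
    severity: str   # "high": a logon hook was altered; "review": heuristic, confirm by hand
    reason: str
    line: str


SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
# First program of a command line; HijackThis prints unquoted paths that contain spaces.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|scr|dll))"?(?=\s|$)', re.I)

# Heuristic (this example's assumption): legitimate third-party software rarely
# puts its main executable directly in these directories, while the loaders in
# this thread's log all live there under random names.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _parent(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _command_exe(cmd: str) -> str:
    """Return the program an O4 entry launches (handles 'name.lnk = target' and quoting)."""
    cmd = cmd.strip()
    if " = " in cmd:                       # Startup-folder shortcut: "name.lnk = target"
        cmd = cmd.split(" = ", 1)[1].strip()
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def analyze(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if m := SHELL_RE.match(line):
            # Only Explorer.exe belongs in Shell=; anything appended after the
            # comma is started by Winlogon at every logon.
            for extra in (p.strip() for p in m.group(1).split(",") if p.strip()):
                if _basename(extra) != "explorer.exe":
                    findings.append(Finding("F2", "high", f"extra program in Shell=: {extra}", line))
        elif m := USERINIT_RE.match(line):
            # Same idea: UserInit= should name only userinit.exe.
            for extra in (p.strip() for p in m.group(1).split(",") if p.strip()):
                if _basename(extra) != "userinit.exe":
                    findings.append(Finding("F2", "high", f"extra program in UserInit=: {extra}", line))
        elif m := O4_RE.match(line):
            exe = _command_exe(m.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding("O4", "review", f"bare filename with no install directory: {exe}", line))
            elif _parent(exe) in SYSTEM_DIRS:
                findings.append(Finding("O4", "review", f"loader placed directly in a system directory: {exe}", line))
        elif m := O23_RE.match(line):
            if m.group("owner").lower() == "unknown owner":
                missing = "(file missing)" in m.group("path").lower()
                reason = "service with no vendor" + (", binary already gone" if missing else "")
                findings.append(Finding("O23", "review", f"{reason}: {m.group('svc')}", line))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(summary(analyze(SAMPLE_LOG)))
```
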
#2 Rawe (Visiting Staff, 4,746 posts)
Hello and welcome :blink:

-----

Please print these instructions out, or write them down, as you can't read them during the fix.

Download SDFix and save it to your desktop.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Login to your usual account.
  • Once in Safe Mode, right-click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Copy and paste the contents of the results file Report.txt from the SDFix folder in your next reply.
----

Also please download ComboFix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with the SDFix results. :whistling:
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#3 bjaked (Topic Starter)
SDFix was installed and run in Safe Mode. Upon rebooting, the bat file started up and it said it would take 2 to 3 minutes.

It is still running after 30 minutes with the hard drive light on almost continuously (blinks occasionally).

Is this program hung???

Can I abort this? How?

:whistling: :blink:

#4 Rawe (Visiting Staff)
Reboot your machine please...

Check whether the SDFix report file was created in its folder. Let me know if it has been created and post the log here.

Then can you also run ComboFix :whistling:

#5 bjaked (Topic Starter)
SDFix: Version 1.24
-------------------------

Mon 09/18/2006
03:06 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\admin1\Desktop\SDFix\SDFix


Stage One...


Checking Services...

Name:
-------


Path:
-------





Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------




ComboFix log:

admin1 - 06-09-20 20:42:14.78 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\admin1\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
C:\QooBox\Purity\WINDOWS\TSKS~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1\PPATCH~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-20 to 2006-09-20 ))))))))))))))))))))))))))))))))))


2006-09-18 13:10 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-18 10:35 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-18 08:44 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2006-09-18 08:44 896,512 --------- C:\WINDOWS\system32\wmspdmoe.dll
2006-09-18 08:44 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2006-09-18 08:44 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2006-09-18 08:44 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2006-09-18 08:44 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2006-09-18 08:44 81,920 --------- C:\WINDOWS\system32\ieencode.dll
2006-09-18 08:44 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2006-09-18 08:44 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2006-09-18 08:44 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2006-09-18 08:44 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2006-09-18 08:44 73,796 --------- C:\WINDOWS\system32\slserv.exe
2006-09-18 08:44 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2006-09-18 08:44 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2006-09-18 08:44 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2006-09-18 08:44 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2006-09-18 08:44 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2006-09-18 08:44 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2006-09-18 08:44 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2006-09-18 08:44 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
2006-09-18 08:44 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
2006-09-18 08:44 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
2006-09-18 08:44 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
2006-09-18 08:44 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
2006-09-18 08:44 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
2006-09-18 08:44 52,224 --------- C:\WINDOWS\system32\mspmsnsv.dll
2006-09-18 08:44 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
2006-09-18 08:44 50,688 --------- C:\WINDOWS\system32\btpanui.dll
2006-09-18 08:44 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll
2006-09-18 08:44 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll
2006-09-18 08:44 49,152 --------- C:\WINDOWS\system32\powercfg.exe
2006-09-18 08:44 484,864 --------- C:\WINDOWS\system32\wmspdmod.dll
2006-09-18 08:44 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll
2006-09-18 08:44 44,032 --------- C:\WINDOWS\system32\twext.dll
2006-09-18 08:44 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2006-09-18 08:44 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2006-09-18 08:44 384,512 --------- C:\WINDOWS\system32\mp4sdmod.dll
2006-09-18 08:44 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2006-09-18 08:44 32,866 --------- C:\WINDOWS\system32\slrundll.exe
2006-09-18 08:44 32,866 --------- C:\WINDOWS\slrundll.exe
2006-09-18 08:44 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2006-09-18 08:44 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2006-09-18 08:44 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll
2006-09-18 08:44 310,272 --------- C:\WINDOWS\system32\mp43dmod.dll
2006-09-18 08:44 30,208 --------- C:\WINDOWS\system32\bthserv.dll
2006-09-18 08:44 29,184 --------- C:\WINDOWS\system32\sdhcinst.dll
2006-09-18 08:44 286,792 --------- C:\WINDOWS\system32\slextspk.dll
2006-09-18 08:44 24,576 --------- C:\WINDOWS\system32\httpapi.dll
2006-09-18 08:44 233,472 --------- C:\WINDOWS\system32\wmpdxm.dll
2006-09-18 08:44 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-09-18 08:44 229,376 --------- C:\WINDOWS\system32\ati2cqag.dll
2006-09-18 08:44 201,728 --------- C:\WINDOWS\system32\ati2dvag.dll
2006-09-18 08:44 20,992 --------- C:\WINDOWS\system32\bthci.dll
2006-09-18 08:44 2,113,536 --------- C:\WINDOWS\system32\dxdiagn.dll
2006-09-18 08:44 193,024 --------- C:\WINDOWS\system32\fsquirt.exe
2006-09-18 08:44 188,508 --------- C:\WINDOWS\system32\slgen.dll
2006-09-18 08:44 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2006-09-18 08:44 168,448 --------- C:\WINDOWS\system32\wmerror.dll
2006-09-18 08:44 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-09-18 08:44 151,552 --------- C:\WINDOWS\system32\wmidx.dll
2006-09-18 08:44 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2006-09-18 08:44 14,336 --------- C:\WINDOWS\system32\auditusr.exe
2006-09-18 08:44 13,824 --------- C:\WINDOWS\system32\wscntfy.exe
2006-09-18 08:44 13,824 --------- C:\WINDOWS\system32\cmsetacl.dll
2006-09-18 08:44 129,536 --------- C:\WINDOWS\system32\xmlprov.dll
2006-09-18 08:44 118,784 --------- C:\WINDOWS\system32\msdadiag.dll
2006-09-18 08:44 116,224 --------- C:\WINDOWS\system32\p2p.dll
2006-09-18 08:44 114,688 --------- C:\WINDOWS\system32\wmpasf.dll
2006-09-18 08:44 108,032 --------- C:\WINDOWS\system32\wshbth.dll
2006-09-18 08:44 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2006-09-18 08:44 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2006-09-18 08:44 1,689,088 --------- C:\WINDOWS\system32\d3d9.dll
2006-09-18 08:44 1,119,744 --------- C:\WINDOWS\system32\wmsdmoe2.dll
2006-09-18 08:44 1,001,472 --------- C:\WINDOWS\system32\wmvdmoe2.dll
2006-09-18 08:30 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-17 23:23 82,944 --a------ C:\dllmx.exe
2006-09-17 21:49 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-09-17 21:49 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-09-17 21:47 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-09-17 21:47 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-09-17 21:32 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-17 21:32 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-17 20:45 163,840 --a------ C:\WINDOWS\win320945-13992643.exe
2006-09-05 11:03 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-04 20:02 926 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-04 20:01 126,976 --a------ C:\WINDOWS\system32\ieserv.exe
2006-08-24 11:16 214,749 --a------ C:\WINDOWS\srvfalkagn.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-20 20:18 -------- d-a------ C:\Program Files\Common Files
2006-09-20 12:25 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-19 10:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-19 07:39 -------- d-------- C:\Program Files\Windows Media Player
2006-09-18 16:13 -------- d-------- C:\Program Files\TClock
2006-09-18 13:09 -------- d-------- C:\Program Files\Messenger
2006-09-18 13:02 -------- d-------- C:\Program Files\Internet Explorer
2006-09-18 12:31 -------- d-------- C:\Program Files\Outlook Express
2006-09-18 12:31 -------- d-------- C:\Program Files\Common Files\System
2006-09-18 10:14 -------- d-------- C:\Documents and Settings\admin1\Application Data\Macromedia
2006-09-18 08:44 -------- d-------- C:\Program Files\Movie Maker
2006-09-18 08:37 -------- d-------- C:\Program Files\Windows NT
2006-09-18 08:37 -------- d-------- C:\Program Files\NetMeeting
2006-09-18 00:00 -------- d-------- C:\Program Files\Norton AntiVirus
2006-09-17 23:53 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-17 23:51 -------- d-------- C:\Program Files\SymNetDrv
2006-09-17 23:51 -------- d-------- C:\Program Files\Symantec
2006-09-17 22:08 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-17 22:07 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-17 22:05 -------- d-------- C:\Documents and Settings\admin1\Application Data\Identities
2006-09-17 22:04 -------- d---s---- C:\Documents and Settings\admin1\Application Data\Microsoft
2006-09-17 21:47 -------- d-------- C:\Program Files\MSN
2006-09-17 21:32 62 --ahs---- C:\Documents and Settings\admin1\Application Data\desktop.ini
2006-09-15 22:52 124016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-05 10:57 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-05 10:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-05 10:50 -------- d-------- C:\Program Files\Google
2006-09-05 10:50 -------- d-------- C:\Program Files\Common Files\àdobe
2006-09-05 10:50 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-05 10:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-05 10:48 -------- d-------- C:\Program Files\Lavasoft
2006-09-05 10:47 -------- d-------- C:\Program Files\Picasa2
2006-09-05 10:43 159743 --a------ C:\WINDOWS\Google Pack Screensaver Uninstaller.exe
2006-09-04 21:01 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-08-31 19:32 -------- d-------- C:\Program Files\NoAdware3
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-17 11:48 -------- d-------- C:\Program Files\Seekmo Programs
2006-08-17 11:20 214752 --a------ C:\Setup100.exe
2006-08-14 20:52 78848 --a------ C:\WINDOWS\system32\nsp7.dll
2006-08-14 19:40 1167 --a------ C:\WINDOWS\system32\lppfc47b.sys
2006-08-14 05:09 -------- d-------- C:\Program Files\Common Files\rikw
2006-08-14 05:04 0 --a------ C:\WINDOWS\win32074345-1399262006.exe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-15 16:52 12288 --a------ C:\pcdr32.exe
2006-07-09 05:27 286 --a------ C:\WINDOWS\autoupdate.bat
2006-06-22 01:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-22 01:06 1435648 --a------ C:\WINDOWS\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000000
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzer.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN\\howypyp.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{AC98EBA7-0958-1033-1018-040502200001}"="\"C:\\Program Files\\Common Files\\{AC98EBA7-0958-1033-1018-040502200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{AC98EBA7-0958-1033-1018-040502200001}"="\"C:\\Program Files\\Common Files\\{AC98EBA7-0958-1033-1018-040502200001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060917-202115-768
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\System32\nlkfev7gowaei.exe (file missing)
backup-20060917-202115-241
O23 - Service: Network Station Task Manager (TKNT) - Unknown owner - C:\WINDOWS\tasknt.exe
backup-20060917-202115-235
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20060917-202115-964
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
backup-20060917-202115-555
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QXNobGV5\command.exe (file missing)
backup-20060917-202114-827
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
backup-20060917-202114-692
O4 - Global Startup: fvrdi.exe
backup-20060917-202114-493
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20060917-202114-226
O4 - HKCU\..\Run: [icqud] C:\WINDOWS\System32\mofccn.exe reg_run
backup-20060917-202114-201
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
backup-20060917-202114-386
O4 - HKLM\..\Run: [lgjtcl] C:\WINDOWS\System32\mofccn.exe reg_run
backup-20060917-202114-477
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ntdkmst.exe
backup-20060917-202114-684
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\dxwgc.exe
backup-20060917-192209-903
O23 - Service: Network Station Task Manager (TKNT) - Unknown owner - C:\WINDOWS\tasknt.exe
backup-20060917-192209-793
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QXNobGV5\command.exe (file missing)
backup-20060917-192209-208
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20060917-192209-351
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20060917-192209-204
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\jt0007dme.dll (file missing)
backup-20060917-192209-692
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
backup-20060917-192147-513
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
backup-20060917-192147-908
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn....FreeInstall.cab
backup-20060917-192147-690
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
backup-20060917-192147-270
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\WINDOWS\TEMP\mma.chm::/joysavsht.cab
backup-20060917-192146-582
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...138302D2D2D.exe
backup-20060917-192146-945
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
backup-20060917-192146-316
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadc...FreeInstall.cab
backup-20060917-192146-276
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20060917-192146-541
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20060917-192146-104
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
backup-20060917-192145-176
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
backup-20060917-192145-583
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
backup-20060917-192145-430
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
backup-20060917-192145-711
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20060917-192145-326
O4 - Global Startup: fvrdi.exe
backup-20060917-192145-821
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
backup-20060917-192145-142
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
backup-20060917-192144-724
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwinnpex.exe
backup-20060917-192144-691
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
backup-20060917-192144-157
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20060917-192144-591
O4 - HKCU\..\Run: [icqud] C:\WINDOWS\System32\mofccn.exe reg_run
backup-20060917-192144-778
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rwinnpex.exe GEN001
backup-20060917-192144-760
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
backup-20060917-192144-348
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
backup-20060917-192144-587
O4 - HKLM\..\Run: [{8E-EB-BA-A7-ZN}] C:\windows\system32\omdsregl.exe GEN001
backup-20060917-192144-788
O4 - HKLM\..\Run: [win320945-13992643] C:\WINDOWS\win320945-13992643.exe
backup-20060917-192144-200
O4 - HKLM\..\Run: [lgjtcl] C:\WINDOWS\System32\mofccn.exe reg_run
backup-20060917-192144-142
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
backup-20060917-192144-473
O4 - HKLM\..\Run: [w00a54f9.dll] RUNDLL32.EXE w00a54f9.dll,I2 002fc479000a54f9
backup-20060917-192144-582
O4 - HKLM\..\Run: [newname] C:\\nwnmff_16.exe
backup-20060917-192144-580
O4 - HKLM\..\Run: [ms049264345-139] C:\WINDOWS\ms049264345-139.exe
backup-20060917-192144-977
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
backup-20060917-192144-749
O4 - HKLM\..\Run: [lppfc47b] RUNDLL32.EXE wb228b7c.dll,n 002fc47900000003b228b7c
backup-20060917-192144-479
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
backup-20060917-192144-699
O4 - HKLM\..\Run: [w22984ac.dll] RUNDLL32.EXE w22984ac.dll,I2 002fc479022984ac
backup-20060917-192144-406
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
backup-20060917-192144-135
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20060917-192144-614
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
backup-20060917-192144-407
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
backup-20060917-192144-144
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
backup-20060917-192144-667
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
backup-20060917-192144-121
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
backup-20060917-192144-339
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
backup-20060917-192144-905
O3 - Toolbar: (no name) - {34F459B8-1D37-4FF2-9EFA-192D8E3ABA6F} - (no file)
backup-20060917-192144-459
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
backup-20060917-192144-128
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
backup-20060917-192144-993
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
backup-20060917-192144-260
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20060917-192144-916
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\dxwgc.exe
backup-20060917-192144-696
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ntdkmst.exe
backup-20060917-192144-422
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mrfindalo...h.asp?bid=13900

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Administrator.job

Completion time: Wed 09/20/2006 20:42:50.11
ComboFix.txt

#6 Rawe (Visiting Staff)
I'm not sure why SDFix didn't work out as it should have.

Let's run the following scans at this point...

Please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
-----

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply.
-----

And last but not least
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Open ADS Spy.."
  • Click on "Scan"
  • Click on "Save Log..."
  • Copy and paste the list from Notepad into your post along with the GMER and the F-Secure online results. :whistling:


#7
bjaked
    Member
  • Topic Starter
  • 12 posts
Scanning Report
Thursday, September 21, 2006 09:14:25 - 10:26:21
Computer name: ASHLEY1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 97 malware found
Backdoor.Win32.HacDef.fv (virus)
C:\DLLMX.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\20FC3A05.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\271F1D45.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\283B620C.SYS (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3E994DB6.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\75176053.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\76DA26F8.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\796A7990.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\796D238D.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7BB3550D.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7BB67F0A.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7BEA1ED0.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7C323A81.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7C496068.SYS (Renamed & Submitted)
Backdoor.Win32.HacDef.fw (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\04D21904.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6949571B.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6DE91927.COM (Renamed & Submitted)
Backdoor.Win32.HacDef.ga (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2381791C.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\282F4427.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2F12351B.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\51E85815.EXE (Renamed & Submitted)
Backdoor.Win32.SdBot.aad (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\23833ED5.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2912351F.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2E16299A.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7C464559.COM (Renamed & Submitted)
Multidrp.JD (virus)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\BZAN7MXZ\RDFX4[1].EXE
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
Trojan-Clicker.Win32.Small.jf (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\36CD3CF1.JS (Renamed & Submitted)
Trojan-Clicker.Win32.VB.ij (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\776939C5.EXE (Renamed & Submitted)
Trojan-Clicker.Win32.VB.is (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\358A0055.EXE (Renamed & Submitted)
Trojan-Downloader.MSIL.Agent.c (virus)
C:\RECYCLER\S-1-5-21-2000478354-2111687655-1343024091-500\DC549.EXE (Renamed)
Trojan-Downloader.Win32.Adload.cw (virus)
C:\PCDR32.EXE (Renamed)
Trojan-Downloader.Win32.Adload.cy (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\48750371.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Adload.ff (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\43767DCB.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\475614AD.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4766669B.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\47763889.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\48545F95.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\48580991.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\485E5D8A.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\48610786.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\48685B7F.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Adload.fg (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5A9775C9.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.ahv (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\788D6172.DLL (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\78900B6F.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.ala (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\091C1FF8.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.aol (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7C5D5C52.DLL (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7C60064F.DLL (Renamed)
Trojan-Downloader.Win32.Agent.awb (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\242D4970.DLL (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B9C2F26.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Dyfuca.fb (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\43BD54A2.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.ajc (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7896507A.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.auy (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\46A20F73.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\46A5396F.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.cpu (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7C942615.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.cyh (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2597153D.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\342949D9.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\46AC0D68.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.afa (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\70805560.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.agk (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\478A3474.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\484E0B9C.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.wz (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6DE01B32.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7CAE75F9.EXE (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.aie (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3C6A772A.EXE (Renamed)
Trojan-Dropper.Win32.Agent.hl (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\132624C7.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\79EA6DF2.EXE (Renamed & Submitted)
Trojan-Dropper.Win32.Mudrop.bq (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\340C4FFA.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6DE91927.EXE (Renamed & Submitted)
Trojan-PSW.Win32.LdPinch.arr (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\79EE17EE.EXE (Renamed & Submitted)
Trojan-PSW.Win32.LdPinch.atp (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\46AF3764.EXE (Renamed & Submitted)
Trojan-Proxy.Win32.Bobax.t (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\04C57112.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\04CB450B.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\49590182.EXE (Renamed & Submitted)
Trojan.Win32.Runner.j (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\210E722B.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\66893E57.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\74DA131A.EXE (Renamed & Submitted)
Trojan.Win32.VB.tg (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\0EB31EE9.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4A7D660D.EXE (Renamed & Submitted)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\71A410D9.EXE (Renamed & Submitted)
W32/Smalldrp.GOJ (virus)
C:\SETUP100.EXE
C:\WINDOWS\SRVFALKAGN.EXE
W32/UrlSpy.B.dropper (virus)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\SETUP1050.EXE
W32/VBTroj.CXE.dropper (virus)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\99001281.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 20164
System: 3881
Not scanned: 5
Actions:
Disinfected: 1
Renamed: 77
Deleted: 0
None: 19
Submitted: 68
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\12043BFFC49E10EFE49239849C3266E4_CDFBE618-D9C5-46DB-8F6F-8612E1CEA673
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\TP7543.EXE

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-21
F-Secure Libra: 2.4.1, 2006-09-20
F-Secure Orion: 1.2.37, 2006-09-21
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 0259-24-212
F-Secure Pegasus: 1.19.0, 2006-08-14
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------


==========================================================================================================================================

GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-21 10:52:17
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT FFBCD070 ZwConnectPort
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT 81A25280 ZwOpenThread
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Processes - GMER 1.0.11 ----

Process CCAPP.EXE (*** hidden *** ) [868] 81A3BCD0
Process CCEVTMGR.EXE (*** hidden *** ) [476] FE4D9730
Process SPBBCSvc.exe (*** hidden *** ) [1712] FE6A9020

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----
==========================================================================================================================================

Logfile of HijackThis v1.99.1
Scan saved at 10:53:36 AM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin1\Desktop\gmer\gmer.exe
C:\hjt\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158590034838
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Network Station Task Manager (TKNT) - Unknown owner - C:\WINDOWS\tasknt.exe (file missing)
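The triage the helpers do by eye on the logs above (extra programs chained into the Shell= and UserInit= values, toolbars whose file is gone, a service with an unknown owner and a missing binary) can be scripted. The Python below is an added example for this thread and is not part of HijackThis, ComboFix, GMER or any other tool named in the posts; the sample lines are copied from the logs posted above, and the rule set and the names `triage`, `Finding`, `check_f2`, `check_orphan` and `check_service` are this example's own. For an O23 finding it also recovers the service key name in parentheses, which is the name that `sc stop` and `sc delete` operate on rather than the display name.

```python
"""Triage of HijackThis-style log lines for the indicator types seen in this thread.

Added example for this thread; not part of HijackThis, ComboFix or any tool named in
the posts. The sample lines are copied from the logs posted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the subset of lines from the thread that drive the rules below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O3 - Toolbar: (no name) - {34F459B8-1D37-4FF2-9EFA-192D8E3ABA6F} - (no file)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\dxwgc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ntdkmst.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Station Task Manager (TKNT) - Unknown owner - C:\WINDOWS\tasknt.exe (file missing)
"""


@dataclass
class Finding:
    section: str                          # HijackThis section tag, e.g. "F2", "O23"
    reason: str                           # why the line deserves a second look
    line: str                             # the original log line
    service_name: Optional[str] = None    # O23 only: key name that sc stop / sc delete need
    extras: Optional[List[str]] = None    # F2 only: programs chained after the expected one


# What a clean Windows XP system.ini Shell= / UserInit= value ends with.
EXPECTED_F2 = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def check_f2(line: str) -> Optional[Finding]:
    """Flag Shell= or UserInit= values that chain an extra program after the expected one."""
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
    if not m:
        return None
    key, value = m.groups()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extras = [e for e in entries if not e.lower().endswith(EXPECTED_F2[key])]
    if not extras:
        return None
    reason = f"{key}= chains {len(extras)} extra program(s) after {EXPECTED_F2[key]}"
    return Finding("F2", reason, line, extras=extras)


def check_orphan(line: str) -> Optional[Finding]:
    """Flag O2/O3 registrations (BHOs, toolbars) whose file no longer exists on disk."""
    m = re.match(r"(O2|O3) - ", line)
    if not m or not line.endswith(ORPHAN_MARKERS):
        return None
    return Finding(m.group(1), "registered component has no file on disk", line)


def check_service(line: str) -> Optional[Finding]:
    """Flag O23 services with an unknown owner or a missing binary and recover the
    service key name (the name in parentheses), which sc commands require."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)   # display name, owner, image path
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = re.search(r"\(([^()]+)\)$", display)
    key_name = m.group(1) if m else display
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("unknown owner")
    if path.endswith("(file missing)"):
        reasons.append("binary missing")
    if not reasons:
        return None
    return Finding("O23", ", ".join(reasons), line, service_name=key_name)


CHECKS = (check_f2, check_orphan, check_service)


def triage(log_text: str) -> List[Finding]:
    """Run every check over every non-empty line and collect the findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        detail = f" service={f.service_name}" if f.service_name else ""
        detail += f" extras={f.extras}" if f.extras else ""
        print(f"[{f.section}] {f.reason}{detail}\n    {f.line}")
```

Run against the sample it reports the two F2 lines, the two orphaned toolbars and the TKNT service, and leaves the Synaptics, Norton and navapsvc lines alone; the O23 finding carries `service_name="TKNT"`, the name the later service-removal step has to use.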

#8
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Ok you can delete Gmer if you wish.. :blink:

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
rem sc addresses a service by its key name (TKNT in the O23 line of the HijackThis log), not by its display name
sc stop TKNT
sc delete TKNT

Double-click on Removeservice.bat. A window will pop up and close. This is normal.

-----

Let's run Ewido and update the definition files..
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine". This is important, please make sure to do this setting!
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results. :whistling:


#9
bjaked
    Member
  • Topic Starter
  • 12 posts
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:57:50 PM 9/21/2006

+ Scan result:



C:\DLLMX.0XE -> Backdoor.HacDef.fv : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2000478354-2111687655-1343024091-500\DC549.0XE -> Downloader.Agent.c : Cleaned with backup (quarantined).
C:\Documents and Settings\admin1\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\admin1\Cookies\admin1@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\admin1\Cookies\admin1@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).


::Report end

#10
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Please post a fresh ComboFix log along with a fresh HijackThis log.... Also let me know how the system is acting at the moment :whistling:

#11
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.





