
View Full Version : command.exe



ricsgarage
2008-03-29, 22:48
I am trying to get rid of command.exe. I see it running in my processes and tried to remove it, but it does not go away. After a reboot, several command windows open and close, then the computer runs very slowly. Also, Firefox will not run at all, and IE has become mostly useless.

I have combined a hijack log and a spybot log in this post. I am on a different computer seeking help.

I appreciate any help.

888888888888888888888888888888888888888888

StartupList report, 3/29/2008, 3:08:41 PM
StartupList version: 1.52.2
Started from : C:\computer_utilities\hijack\HijackThis.EXE
Detected: Windows 2000 (WinNT 5.00.2195)
Detected: Internet Explorer v5.00 (5.00.2920.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\UmljIERvdWdsYXM\command.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\Explorer.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Palm\HOTSYNC.EXE
C:\WINNT\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\computer_utilities\Spybot - Search & Destroy\SpybotSD.exe
C:\computer_utilities\hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Logo Calibration Loader.lnk = C:\software\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
ProfileReminder.lnk = C:\software\Eye-One Match 3\ProfileReminder.exe
Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NGServer = C:\Program Files\Symantec\Ghost\ngserver.exe
vptray = C:\Program Files\NavNT\vptray.exe
AtiPTA = atiptaxx.exe
BMf3ee6bd2 = Rundll32.exe "C:\WINNT\System32\thlvwyxv.dll",s
f0dd584e = rundll32.exe "C:\WINNT\System32\rhnhndqh.dll",b

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

JavaCore = C:\Program Files\\JavaCore\\JavaCore.exe
SpybotSD TeaTimer = C:\computer_utilities\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

bupchef.job
carnutz.job
getHYSL.job
kill.job
logoff.job
Shortcut to sendmail in customer_track.job
startserver.job
verse.job

--------------------------------------------------

Enumerating Download Program Files:

[{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{1C78AB3F-A857-482E-80C0-3A1E5238A565}]
CODEBASE = file://C:\install.cab

[{31435657-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[EPUImageControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EPUWalcontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39534.7207060185

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\Macromed\Flash\Flash8a.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,375 bytes
Report generated in 8.893 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



========================================================= spybot 3/29/2008 ===========================


Command Service: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: [SBI $552E2618] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv

Command Service: [SBI $8791CCEF] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv

Command Service: [SBI $23EF4E2A] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv

Command Service: [SBI $D9E7976F] Library (File, nothing done)
C:\WINNT\system32\atmtd.dll

Command Service: [SBI $D9E7976F] Library (File, nothing done)
C:\WINNT\system32\atmtd.dll._

Command Service: [SBI $C53578BD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: [SBI $F0D8CEEE] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

User abort!: Scan was not completed successfully. ()



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-03-28 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-26 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-26 Includes\DialerC.sbi (*)
2008-03-26 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-03-26 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-03-26 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-03-26 Includes\PUPSC.sbi (*)
2008-03-26 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-26 Includes\SecurityC.sbi (*)
2008-03-19 Includes\Spybots.sbi (*)
2008-03-26 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-03-19 Includes\Trojans.sbi (*)
2008-03-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

ricsgarage
2008-03-29, 23:56
it appears to be having more fun...

8888888888888888888888888888888888888888888

Command Service: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: [SBI $552E2618] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv

Command Service: [SBI $8791CCEF] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv

Command Service: [SBI $23EF4E2A] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService\\SYSTEM\CurrentControlSet\Services\mchInjDrv

Command Service: [SBI $D9E7976F] Library (File, nothing done)
C:\WINNT\system32\atmtd.dll

Command Service: [SBI $D9E7976F] Library (File, nothing done)
C:\WINNT\system32\atmtd.dll._

Command Service: [SBI $C53578BD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: [SBI $F0D8CEEE] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINNT\system32\jituimcx.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINNT\system32\rhnhndqh.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINNT\system32\tuvsp.dll

Virtumonde.dll: [SBI $E6921A50] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11C69347-8544-4941-843D-1244CA3CD8C7}

Virtumonde.dll: [SBI $E6921A50] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11C69347-8544-4941-843D-1244CA3CD8C7}

Virtumonde.dll: [SBI $E6921A50] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ee94134d-9f7a-414d-8412-8413483a4cd3}

Virtumonde.dll: [SBI $E6921A50] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee94134d-9f7a-414d-8412-8413483a4cd3}

Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1275210071-484763869-1343024091-500\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1275210071-484763869-1343024091-500\Software\Microsoft\aldd

Right Media: Tracking cookie (Internet Explorer: administrator) (Cookie, nothing done)


ricsgarage
2008-03-31, 04:05
bump me

Shaba
2008-04-07, 12:12
Hi ricsgarage

Please post a "normal" HijackThis log next, instructions below :)


Open HijackThis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

ricsgarage
2008-04-08, 01:45
Thanks for the reply here is the log:

888888888888888888888888888888888888888888888888888

Logfile of HijackThis v1.98.0
Scan saved at 7:45:58 PM, on 4/7/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Palm\HOTSYNC.EXE
C:\computer_utilities\hijack\HijackThis.exe

O2 - BHO: (no name) - {6F5235AE-938B-4245-AB9A-ACB8544E3821} - C:\WINNT\System32\tuvsp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\computer_utilities\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\software\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\software\Eye-One Match 3\ProfileReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = douglas1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = douglas1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = douglas1

Shaba
2008-04-08, 15:51
Hi

Your HijackThis is "a bit" outdated. Please delete it first.

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

ricsgarage
2008-04-09, 02:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:14 PM, on 4/8/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Palm\HOTSYNC.EXE
C:\WINZIP\winzip32.exe
C:\computer_utilities\hijack\hijack2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.yahoo.com/forecast/USGA0353.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C33668E6-4F95-4923-B736-AABE39DED0E4} - C:\WINNT\System32\tuvsp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\computer_utilities\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\software\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ProfileReminder.lnk = C:\software\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\aim\aim.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = douglas1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = douglas1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = douglas1
O20 - Winlogon Notify: ssqpooo - ssqpooo.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NGDatabase (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 5265 bytes
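A small triage script for a HijackThis log, added here as an example; it is not part of this thread and not HijackThis's own logic. It parses the entry lines (skipping the header and the process list) and flags the patterns that recur in the logs posted above: a BHO with no name, a Run value named with a hex string or loading a System32 DLL through rundll32, an O16 ActiveX codebase on a local file, and an O20 Winlogon Notify entry whose DLL is missing on disk. The sample log is a constructed subset of the entries posted above; the heuristics and regexes are assumptions written for illustration, and a flagged line is a prompt to check the file (vendor, signature, hash), not a verdict, which is why the helper's advice not to fix anything yet still applies.

```python
"""Triage helper for HijackThis logs: parse the entry lines and flag the
patterns that usually warrant a closer look before anything is 'fixed'.
Added example, not part of HijackThis or this thread; the heuristics are
assumptions written for illustration, not a signature database."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries posted in this thread (a subset,
# with the header and one process line included to show they are skipped).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C33668E6-4F95-4923-B736-AABE39DED0E4} - C:\WINNT\System32\tuvsp.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [f0dd584e] rundll32.exe "C:\WINNT\System32\rhnhndqh.dll",b
O4 - Global Startup: ProfileReminder.lnk = C:\software\Eye-One Match 3\ProfileReminder.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O20 - Winlogon Notify: ssqpooo - ssqpooo.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Entry lines start with a section code such as R0, O2, O4, O16.
ENTRY_RE = re.compile(r'^([RFNO]\d+) - (.*)$')
# Registry-backed O4 entries: "<key>: [<value name>] <command>".
O4_VALUE_RE = re.compile(r'^(.+?): \[([^\]]+)\] (.*)$')
# Heuristic (assumption): eight consecutive hex digits in a Run value name.
HEX_NAME_RE = re.compile(r'[0-9a-fA-F]{8}')
# Heuristic (assumption): rundll32 invoked on a DLL that lives in System32.
RUNDLL_SYS32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[A-Za-z]:\\[^"]*\\system32\\([^"\\]+\.dll)',
    re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. O4
    reason: str    # why the line was flagged
    line: str      # the original log line


def parse_entries(log_text):
    """Return (section, body, line) for every HijackThis entry line.

    Header lines and the 'Running processes' list do not start with a
    section code, so they are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(log_text):
    """Flag the entries a reviewer would ask about first.

    These are review heuristics, not verdicts: a flagged line still needs
    the file checked (vendor, signature, hash) before anything is removed."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == 'O2' and body.startswith('BHO: (no name)'):
            findings.append(Finding(section, 'browser helper object with no name', line))
        elif section == 'O4':
            m = O4_VALUE_RE.match(body)
            if not m:
                continue  # .lnk startup-folder entries carry no [value] name
            _key, name, command = m.groups()
            if HEX_NAME_RE.search(name):
                findings.append(Finding(section, 'Run value named with a hex string', line))
            if RUNDLL_SYS32_RE.search(command):
                findings.append(Finding(section, 'rundll32 loading a DLL from System32', line))
        elif section == 'O16' and 'file://' in body.lower():
            findings.append(Finding(section, 'ActiveX codebase points at a local file', line))
        elif section == 'O20' and '(file missing)' in body:
            findings.append(Finding(section, 'Winlogon Notify DLL registered but missing on disk', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4} {f.reason}\n     {f.line}')
```

Run as a script to print the flagged lines for the constructed sample; `triage()` returns plain data, so the same function can be called on a pasted log instead. On the sample, the vptray, ssv.dll and DefWatch entries pass through unflagged while the unnamed BHO, the hex-named rundll32 loader, the local-file DPF and the orphaned Winlogon Notify entry are reported.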

Shaba
2008-04-09, 12:03
Hi

We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

ricsgarage
2008-04-10, 15:36
The infected computer had some difficulty logging off during/after combofix ran. I had to power it off, it appeared Norton (NAV) was running and still detecting Vundo and the tuvsp.dll.

The following errors popped up:
1) your maximum registry size is too small... increase it
2) nircmd.exe - dll initialization failed - because the window is shutting down
3) catchme.cfexe - dll initialization failed - because the window is shutting down

The computer is so slow now that the system messages take about 5 minutes each to go away each time I click the OK button. The system messages (messenger service) are telling me that Trojan Vundo is on my machine in tuvsp.dll.

Just for your information, the computer was plugged back into the network to load combofix (it needed to get to a site to download data) then unplugged again. It was unplugged because it appeared that it was being accessed remotely, but I was not sure.

When the machine did reboot, the NAV window returned, along with the combofix window. I only added this because combofix said not to run any programs, but NAV was running already. Also there is a screen calibration profile reminder that pops up when my computer logs on. I cancelled this.

I will post the log when it finishes, thanks for your help and patience.

ricsgarage
2008-04-10, 15:55
ComboFix 08-04-09.8 - administrator 04/10/2008 0:21:22.1 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.0.1252.1.1033.18.182 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\CPV
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\Temporary
C:\WINNT\BMf3ee6bd2.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\config\SAM.SAV
C:\WINNT\system32\encwbsdb.dll
C:\WINNT\system32\epdiemgf.dll
C:\WINNT\system32\pac.txt
C:\WINNT\system32\psvut.ini
C:\WINNT\system32\psvut.ini2
C:\WINNT\system32\sulieamx.dll
C:\WINNT\system32\wnutpael.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-03 22:55 . 08-04-05 00:44 1,956,524 --ahs---- C:\WINNT\system32\cjuyhpoy.ini
2008-04-02 21:50 . 08-04-03 22:55 1,659,737 --ahs---- C:\WINNT\system32\gilosafy.ini
2008-04-02 00:09 . 08-02-22 03:33 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-04-02 00:07 . 08-04-02 00:09 <DIR> d-------- C:\Program Files\Java
2008-04-02 00:07 . 08-04-02 00:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-01 23:58 . 02-01-26 03:16 1,994,240 --a--c--- C:\WINNT\system32\dllcache\msi.dll
2008-04-01 23:58 . 08-04-01 23:52 1,822,848 --a------ C:\temp\InstMsiW.exe
2008-04-01 23:58 . 02-01-26 02:58 847,872 --a--c--- C:\WINNT\system32\dllcache\msimsg.dll
2008-04-01 23:58 . 02-01-26 03:14 304,640 --a--c--- C:\WINNT\system32\dllcache\msihnd.dll
2008-04-01 23:58 . 02-01-26 03:15 63,488 --a--c--- C:\WINNT\system32\dllcache\msiexec.exe
2008-04-01 23:58 . 02-01-26 03:15 39,936 --a--c--- C:\WINNT\system32\dllcache\msisip.dll
2008-04-01 23:58 . 02-01-26 02:59 27,136 --a--c--- C:\WINNT\system32\dllcache\mspatcha.dll
2008-04-01 23:50 . 08-04-01 23:29 15,918,488 --a------ C:\temp\jre-6u5-windows-i586-p.exe
2008-04-01 21:15 . 08-04-02 21:44 2,284,057 --ahs---- C:\WINNT\system32\cgcgjqjj.ini
2008-03-30 22:25 . 08-03-30 22:25 687,592 --a------ C:\WINNT\system32\atmtd.dll._
2008-03-30 22:25 . 08-03-30 22:25 687,592 --a------ C:\WINNT\system32\atmtd.dll
2008-03-30 11:38 . 08-04-01 21:13 1,583,757 --ahs---- C:\WINNT\system32\myejwlkn.ini
2008-03-29 15:54 . 08-03-29 15:54 1,583,637 --ahs---- C:\WINNT\system32\hqdnhnhr.ini
2008-03-29 02:06 . 08-03-30 21:44 438 --a------ C:\WINNT\wininit.ini
2008-03-29 00:12 . 08-04-09 21:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-28 09:03 . 08-03-28 09:03 1,583,852 --ahs---- C:\WINNT\system32\oavapowg.ini
2008-03-27 22:08 . 08-03-27 22:08 6,039,144 --a------ C:\temp\Firefox Setup 2.0.0.13.exe
2008-03-27 21:11 . 08-03-27 23:01 1,583,295 --ahs---- C:\WINNT\system32\qkolkark.ini2
2008-03-27 08:41 . 08-03-27 23:01 1,583,295 --ahs---- C:\WINNT\system32\qkolkark.ini
2008-03-27 08:39 . 08-03-27 08:39 273,920 --a------ C:\WINNT\system32\tuvsp.dll
2008-03-24 18:02 . 08-03-28 22:46 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-24 02:33 . 08-03-24 02:38 <DIR> d-a------ C:\WINNT\system32\aqVreo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 03:44 --------- d-----w C:\Program Files\Symantec
2006-09-18 00:52 50,624 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-04-15 02:39 23,360 ----a-w C:\WINNT\Fonts\chopin_script.zip
2005-12-04 21:38 271 ---h--w C:\Program Files\desktop.ini
2005-12-04 21:38 21,952 ---h--w C:\Program Files\folder.htt
2004-04-21 22:51 641,172 ----a-w C:\WINNT\inf\inf.zip
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E40F489-1DD2-4307-A8FE-02E0523AB1F2}]
08-03-27 08:39 273920 --------- C:\WINNT\System32\tuvsp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NGServer"="C:\Program Files\Symantec\Ghost\ngserver.exe" [00-07-27 18:03 876532]
"vptray"="C:\Program Files\NavNT\vptray.exe" [01-09-24 07:59 73728]
"AtiPTA"="atiptaxx.exe" [01-09-27 02:39 245760 C:\WINNT\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [99-12-07 08:00 186640]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-15 00:11:24 113664]
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2003-10-16 23:37:58 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-15 00:11:24 113664]
Logo Calibration Loader.lnk - C:\software\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2007-01-27 19:20:00 708608]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
ProfileReminder.lnk - C:\software\Eye-One Match 3\ProfileReminder.exe [2007-01-27 19:20:00 954368]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-07 00:04:00 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpooo]
ssqpooo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\System32\tuvsp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv

*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 02:30:06 C:\WINNT\Tasks\bupchef.job"
- C:\dbases\bupchef.bat
- C:\dbases
"2003-11-22 16:36:24 C:\WINNT\Tasks\carnutz.job"
- C:\Documents and Settings\Administrator\Desktop\new vids\check for new vids\carnutz.exe
"2008-04-04 21:15:00 C:\WINNT\Tasks\getHYSL.job"
- C:\HALjunk\hal gods\my stuff\getHYSL\exe\getHYSL.exe
"2004-07-31 03:58:30 C:\WINNT\Tasks\kill.job"
- C:\Documents and Settings\Administrator\Desktop\techplay\batchfiles\kill.bat
"2008-04-10 04:17:02 C:\WINNT\Tasks\logoff.job"
- C:\slightly organized junk\vbis programs\get off the computer\exe\logoff.exe
"2004-01-20 02:09:45 C:\WINNT\Tasks\Shortcut to sendmail in customer_track.job"
- C:\Documents and Settings\Administrator\Desktop\Shortcut to sendmail in customer_track.MAM
"2004-03-01 05:02:27 C:\WINNT\Tasks\startserver.job"
- C:\Documents and Settings\Administrator\Desktop\techplay\batchfiles\startserver.bat
"2008-04-10 13:00:00 C:\WINNT\Tasks\verse.job"
- C:\HALjunk\hal gods\my stuff\random\once exe\verse.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 09:29:57
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\System32\NavLogon.dll
-> ?:\WINNT\System32\CLBCATQ.DLL

PROCESS: C:\WINNT\system32\lsass.exe
-> C:\WINNT\System32\tuvsp.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [184]
??\C:\WINNT\system32\csrss.exe [212]
??\C:\WINNT\system32\winlogon.exe [236]
C:\WINNT\system32\services.exe [264]
C:\WINNT\system32\lsass.exe [276]
C:\WINNT\system32\svchost.exe [484]
C:\WINNT\system32\spoolsv.exe [504]
C:\WINNT\system32\netdde.exe [532]
C:\WINNT\System32\msdtc.exe [748]
C:\Program Files\NavNT\defwatch.exe [880]
C:\WINNT\system32\Dfssvc.exe [896]
C:\WINNT\System32\svchost.exe [916]
C:\WINNT\system32\hidserv.exe [944]
C:\WINNT\System32\llssrv.exe [960]
C:\Program Files\Symantec\Ghost\ngserver.exe [1016]
C:\Program Files\NavNT\rtvscan.exe [1040]
C:\WINNT\system32\ntfrs.exe [1072]
C:\WINNT\system32\regsvc.exe [1104]
C:\WINNT\System32\locator.exe [1116]
C:\WINNT\System32\svchost.exe [1136]
C:\WINNT\System32\termsrv.exe [1156]
C:\WINNT\System32\WBEM\WinMgmt.exe [1216]
C:\WINNT\system32\svchost.exe [1240]
C:\WINNT\System32\dns.exe [1252]
C:\Program Files\Symantec\Ghost\bin\dbserv.exe [876]
C:\Program Files\Symantec\Ghost\bin\rteng6.exe [1452]
C:\WINNT\System32\MsgSys.EXE [1764]
C:\WINNT\system32\CF6894.exe [1932]
C:\Program Files\NavNT\vptray.exe [1940]
C:\WINNT\System32\atiptaxx.exe [376]
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [1972]
C:\Palm\HOTSYNC.EXE [1636]
C:\WINNT\Explorer.exe [1888]
C:\ComboFix\catchme.cfexe [1772]
.
**************************************************************************
.
Completion time: 2008-04-10 9:49:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 13:48:01
Pre-Run: 36,344,037,376 bytes free
Post-Run: 36,280,516,608 bytes free


88888888888888888888888888888888888888888888888888
88888888888888 HJT LOG 888888888888888888888
88888888888888888888888888888888888888888888888888


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:54, on 2008-04-10
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\WINNT\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Palm\HOTSYNC.EXE
C:\WINNT\Explorer.exe
C:\computer_utilities\hijack\hijack2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.yahoo.com/forecast/USGA0353.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E40F489-1DD2-4307-A8FE-02E0523AB1F2} - C:\WINNT\System32\tuvsp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\software\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ProfileReminder.lnk = C:\software\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\aim\aim.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = douglas1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = douglas1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = douglas1
O20 - Winlogon Notify: ssqpooo - ssqpooo.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NGDatabase (ngdbserv) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 5345 bytes

Shaba
2008-04-10, 16:01
Hi

Better but not done yet.

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINNT\system32\cjuyhpoy.ini
C:\WINNT\system32\gilosafy.ini
C:\WINNT\system32\cgcgjqjj.ini
C:\WINNT\system32\atmtd.dll._
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\myejwlkn.ini
C:\WINNT\system32\hqdnhnhr.ini
C:\WINNT\system32\oavapowg.ini
C:\WINNT\system32\qkolkark.ini2
C:\WINNT\system32\qkolkark.ini
C:\WINNT\system32\tuvsp.dll

Folder::
C:\WINNT\system32\aqVreo01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E40F489-1DD2-4307-A8FE-02E0523AB1F2}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpooo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
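
A worked example, added here and not part of Shaba's post or of ComboFix itself: the Registry:: block above resets the LSA "Authentication Packages" value with a hex(7) line, which is regedit's byte-per-character (REGEDIT4 style) encoding of a REG_MULTI_SZ. The code below decodes such a line back into its list of strings, flags any package other than the default msv1_0 (the earlier ComboFix log showed tuvsp.dll appended there, and lsass.exe loads every DLL in that list at boot), and rebuilds the hex(7) text from a list so the reset line can be checked. The tampered sample fragment and its C:\example.dll path are constructed for illustration; the encoding parameter is an assumption added to cover "Windows Registry Editor Version 5.00" exports, which store hex(7) as UTF-16LE.

```python
"""Decode a hex(7) REG_MULTI_SZ line from a .reg / CFScript fragment and
flag any LSA "Authentication Packages" entry other than the default msv1_0.

Added example for this thread; it is not ComboFix code. Sample fragments
are constructed: CLEAN_FRAGMENT mirrors the Registry:: block in the script,
TAMPERED_FRAGMENT shows an extra (made-up) C:\\example.dll appended."""
import re

# Default LSA authentication package on Windows 2000 / XP.
EXPECTED_AUTH_PACKAGES = ["msv1_0"]

CLEAN_FRAGMENT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# Constructed: same value with a second DLL path appended, written with the
# backslash line continuation that regedit uses for long hex values.
TAMPERED_FRAGMENT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,\
  43,3a,5c,65,78,61,6d,70,6c,65,2e,64,6c,6c,00,00
'''

# One "name"=hex(7):... line; the hex body is matched after continuations are joined.
_VALUE_RE = re.compile(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)\s*$', re.M)


def decode_multi_sz(raw: bytes, encoding: str = "latin-1") -> list:
    """Split REG_MULTI_SZ bytes (NUL-separated strings, double NUL at the
    end) into a list of strings. REGEDIT4 fragments are one byte per
    character; 'Windows Registry Editor Version 5.00' exports need
    encoding='utf-16-le' (assumption documented in the lead-in)."""
    text = raw.decode(encoding)
    return [s for s in text.split("\x00") if s]


def parse_reg_values(fragment: str, encoding: str = "latin-1") -> dict:
    """Return {value_name: [strings]} for every hex(7) value in the fragment."""
    # Join regedit's "\<newline><indent>" continuations into one line first.
    joined = re.sub(r"\\\r?\n\s*", "", fragment)
    values = {}
    for name, hexbody in _VALUE_RE.findall(joined):
        raw = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", hexbody))
        values[name] = decode_multi_sz(raw, encoding)
    return values


def unexpected_auth_packages(fragment: str) -> list:
    """Entries in Authentication Packages that are not on the expected list.
    Anything extra here is loaded into lsass.exe at boot, which is why the
    ComboFix log above listed tuvsp.dll under the lsass process."""
    expected = {p.lower() for p in EXPECTED_AUTH_PACKAGES}
    packages = parse_reg_values(fragment).get("Authentication Packages", [])
    return [p for p in packages if p.lower() not in expected]


def encode_multi_sz(strings, encoding: str = "latin-1") -> str:
    """Inverse of decode_multi_sz: build the hex(7) text for a value list.
    For ["msv1_0"] this yields the same bytes as the reset line in the script."""
    raw = "".join(s + "\x00" for s in strings) + "\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw.encode(encoding))


if __name__ == "__main__":
    for label, frag in (("clean", CLEAN_FRAGMENT), ("tampered", TAMPERED_FRAGMENT)):
        pkgs = parse_reg_values(frag)["Authentication Packages"]
        print(f"{label}: {pkgs} unexpected={unexpected_auth_packages(frag)}")
    print(encode_multi_sz(["msv1_0"]))
```

Running the script prints the decoded package list for both fragments and the hex(7) text for ["msv1_0"]; the same functions can be pointed at a registry export taken from a suspect machine to confirm that the LSA value really came back to msv1_0 alone after the fix.
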

ricsgarage
2008-04-11, 08:17
One blue screen on first reboot. Could not find boot sector. It asked me to please look for a virus...

Two attempts at booting again and the machine is hanging at the 'Starting Up' intro window for Windows 2000 Server Family. I am going to let it sit for a while to see if it gets past the 'Starting Up' window.

Will check in the morning, yawning too much right now.

Machine is not plugged in to the network.

Shaba
2008-04-11, 11:27
Hi

Try to use Last Known Good Configuration if it doesn't go through.

ricsgarage
2008-04-11, 18:29
I believe it uses last known good configuration each time it boots, and frankly I don't know how to change that, but I will look into it.

I will post again as soon as I can get it to boot up.

Should I try safe mode?

Shaba
2008-04-11, 19:02
Hi

See here (http://www.computerhope.com/issues/ch000626.htm)

ricsgarage
2008-04-12, 02:25
I really do appreciate your help with this, even if I end up with a pile of smoking computer parts.

The computer is still not booting up with last known good configuration.

I tried safe mode with command prompt and it still did not boot.

I do have another computer I can move this hard drive to if needed.

Also I think I have fixed this same computer with the wk2 server CD if that is an option (non-virus-related issue).

Shaba
2008-04-12, 12:10
Hi

Then a repair installation of Windows is the best idea here.

ricsgarage
2008-04-15, 06:49
The BIOS has the boot order set to start with the CD, but the machine is not booting from the CD. Am I missing something?

ricsgarage
2008-04-15, 06:53
I think the CD is fried - going to buy a new one.

ricsgarage
2008-04-15, 07:02
I think the CD is fried - going to buy a new one.

CD player is fried

Shaba
2008-04-15, 15:40
Hi

Ok, post back after that :)

ricsgarage
2008-04-17, 05:18
I cannot get the machine to boot from CD. When I hit F8 there is no choice to boot from CD. If I just put the CD in the drive the machine spins the CD, but does not boot from it.

My BIOS is set to boot from CD first. I have PNP turned on.

Shaba
2008-04-17, 11:17
Hi

Then I think that the best way would be taking the computer to a store for a check and repair, unfortunately.

ricsgarage
2008-04-17, 16:24
I believe you are correct. I appreciate your time and assistance.

Shaba
2008-04-22, 15:37
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.