View Full Version : Command Service Virus



SCAT79
2006-05-16, 07:23
Hey guys, I recently went to a URL to download something and several viruses have been injected :( I downloaded several removal programs and I have gotten rid of a lot of them. The only one I can't seem to remove is a Command Service virus. Spybot says to restart my computer in safe mode, remove it and delete a folder which I have absolutely no clue where it is. When I do this I cannot even remove the program with Spybot (I have 1.4), even in safe mode.

This virus is annoying as it creates popups randomly which also bypass Norton firewall. I have HijackThis and this is my log..

Logfile of HijackThis v1.99.1
Scan saved at 12:10:12 AM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSC00.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\ms04884702792.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\slenyeiA.exe
C:\WINDOWS\errorhandler.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\win3208027928847.exe
C:\WINDOWS\sys01792884702.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\PECarlin\PECarlin.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Jose Escatel\Desktop\Antivirus\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,niaeowp.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [PowerDVD] C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms04884702792] C:\WINDOWS\ms04884702792.exe
O4 - HKLM\..\Run: [slenyeiA] C:\WINDOWS\slenyeiA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [sys01792884702] C:\WINDOWS\sys01792884702.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurokazaa\local.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147569238531
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\j2l4lc3q1f.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I can delete one of the files but not the other 2 files...

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cmdService

Please help I cannot do anything with any kind of program to remove this devious program :confused:

pskelley
2006-05-16, 17:13
Hello Jose and welcome to the forum. The command.exe is a glitchy thing in Spybot and we will fix it later, but I need to tell you that it is far from being your worst problem. You have a Look2Me adware infection and also are infected by the Alcan worm and a Qoologic trojan. My suggestion at this point would be to stay offline as much as possible until you are clean; these infections do attract others. We have quite a bit of work to do and if this sounds like what you wish to do, and it will not be fast or easy, then we will start by removing the Look2Me infection.

Jose, you have called your HJT folder Antivirus and that is fine with me, just do not store anything not related to HJT in that folder. If you do need it for other stuff, move HJT to here: C:\HJT\HijackThis.exe, thanks.

Thanks to Atribune and any others who helped with this fix

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen, check that Task Scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Post C:\Look2Me-Destroyer.txt and a new HiJackThis log, this is a start and we have much to do. Please include any comments you think will help.

Thanks...pskelley
Safer Networking Forums

SCAT79
2006-05-16, 17:46
Heya, thanks for the help. I didn't expect my problems to include a worm and a trojan, lol. Anyway I did as you said and downloaded the L2M Destroyer program. I ran it and below is the file along with the new HijackThis log. However, when I restarted my computer L2M did not restart by itself automatically. I received no firewall notifications at all and it didn't seem like the program was attempting any kind of connections to the internet.


New Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 10:45:16 AM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms04884702792.exe
C:\WINDOWS\slenyeiA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\win3208027928847.exe
C:\WINDOWS\sys01792884702.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\PECarlin\PECarlin.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jose Escatel\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,niaeowp.exe
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [PowerDVD] C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms04884702792] C:\WINDOWS\ms04884702792.exe
O4 - HKLM\..\Run: [slenyeiA] C:\WINDOWS\slenyeiA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [sys01792884702] C:\WINDOWS\sys01792884702.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurokazaa\local.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147569238531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is my L2M Destroyer log.

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/16/2006 10:35:10 AM

Infected! C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284572.dll
Infected! C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284573.dll
Infected! C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284574.dll
Infected! C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284575.dll
Infected! C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284576.dll
Infected! C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284577.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284572.dll
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284572.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284573.dll
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284573.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284574.dll
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284574.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284575.dll
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284575.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284576.dll
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284576.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284577.dll
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP687\A0284577.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Hopefully I did everything the right way. :sick:

pskelley
2006-05-16, 17:58
Jose, you did fine; keep up the good work because we have a ways to go. Here is the Look2Me marker in the first HJT log:
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\j2l4lc3q1f.dll
As you will see, it is missing from the second log after Destroyer did the job.

Now let's go after the Qoologic trojan. Here is the marker in the log so you will know; if it is gone, then you followed the directions and the fix worked:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,niaeowp.exe

Thanks to LonnyRJones and any others who helped with QooFix.

Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
(right-click on this link and choose Save As)
Place qooFix.bat in your C:\BFU folder. (Important!)
Double-click qooFix.bat, then close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

Thanks...
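
The two markers named above (the O20 Winlogon Notify DLL for Look2Me and the extra executable chained onto UserInit in the F2 line for Qoologic) are confirmed by comparing the log before a fix with the log after it. The script below is an added example, not part of this thread, of Look2Me-Destroyer, of qooFix or of HijackThis: it parses the R/F/O entries of HijackThis 1.99 logs, reports which entries disappeared or appeared between two scans, and applies three defender-side heuristics (programs chained onto UserInit, autoruns from the Windows root with long digit runs, Winlogon Notify DLLs with digits in the name). The heuristics and the trimmed sample logs, which are constructed from lines in this thread, are assumptions; the digit rule deliberately does not catch names like errorhandler.exe or slenyeiA.exe, so it complements rather than replaces working from known markers.

```python
import re

# Added example: parser, before/after diff and heuristic checker for HijackThis
# 1.99 logs. Not part of the thread or of HijackThis; the rules are assumptions.

# Every HijackThis finding has the shape "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .exe/.dll inside an entry body (quotes optional).
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)

# Constructed sample logs, trimmed to lines that appear in this thread:
# BEFORE_LOG mirrors the first scan, AFTER_LOG the state once both fixes have run.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,niaeowp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ms04884702792] C:\WINDOWS\ms04884702792.exe
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\j2l4lc3q1f.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ms04884702792] C:\WINDOWS\ms04884702792.exe
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def parse_hjt(text):
    """Return (section, body) tuples for the R/F/O entries; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def diff_logs(before_text, after_text):
    """Entries present only before (removed by the fix) and only after (new)."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


def flag_entry(sec, body):
    """Return a reason string when an entry trips one of the heuristics, else None."""
    if sec == "F2" and "UserInit=" in body:
        # UserInit should name userinit.exe only; anything after a comma runs at every logon.
        progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
        extra = [p for p in progs if p and not p.lower().endswith("userinit.exe")]
        if extra:
            return "extra program chained onto UserInit: " + ", ".join(extra)
    if sec == "O4":
        m = PATH_RE.search(body)
        if m:
            folder, _, name = m.group(1).rpartition("\\")
            # Autorun living directly in C:\WINDOWS with a long digit run in its name.
            if folder.lower() == r"c:\windows" and re.search(r"\d{4,}", name):
                return "autorun from the Windows root with a digit-heavy name: " + name
    if sec == "O20":
        m = PATH_RE.search(body)
        # Winlogon Notify handlers are loaded by winlogon; random-looking names stand out.
        if m and re.search(r"\d", m.group(1).rpartition("\\")[2]):
            return "Winlogon Notify DLL with digits in its name: " + m.group(1)
    return None


def scan(text):
    """Return (section, body, reason) for every flagged entry, in log order."""
    flagged = []
    for sec, body in parse_hjt(text):
        reason = flag_entry(sec, body)
        if reason:
            flagged.append((sec, body, reason))
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for sec, body in removed:
        print("removed:", sec, "-", body)
    for sec, body in added:
        print("added:  ", sec, "-", body)
    for sec, body, reason in scan(BEFORE_LOG):
        print("flag:   ", sec, "-", reason)
```

Run as is, the diff reports the F2 and O20 Explorer lines as removed and the Panda ActiveScan O16 entry as added, and the heuristic pass over the first log flags the UserInit chain, the two digit-heavy Windows-root autoruns and the j2l4lc3q1f.dll notify handler. To use it on real logs, replace the two constants with the file contents of the saved scans.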

SCAT79
2006-05-16, 18:21
Thanks again for all the help. I checked the log for the L2M and ran the scan again. There were no corrupted files etc.

This is the new HijackThis log after running the BFU program.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:07 AM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms04884702792.exe
C:\WINDOWS\slenyeiA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\win3208027928847.exe
C:\WINDOWS\sys01792884702.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\PECarlin\PECarlin.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jose Escatel\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [PowerDVD] C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms04884702792] C:\WINDOWS\ms04884702792.exe
O4 - HKLM\..\Run: [slenyeiA] C:\WINDOWS\slenyeiA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [sys01792884702] C:\WINDOWS\sys01792884702.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurokazaa\local.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147569238531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



I did not see the --

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,niaeowp.exe

anywhere in the log file.

pskelley
2006-05-16, 18:52
Yes, the Qoofix appears to have worked fine. This next fix will remove a lot of junk put there by the Alcan worm. I am going to follow it up with HJT and some of the stuff will be gone after the Alcanfix is run. Not to be concerned if it is not there, just do not miss any. Let's start like this:

1) This program: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe see this information:
http://www.clickz.com/news/article.php/3561546
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
and this: http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453088059 please open Start > All Programs > Add Remove programs and uninstall: anything Viewpoint, LimeWire and any other program you know does not belong there. If you are not sure, let me know and I will look.

2) How to make files and folders visible:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


3) 1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: )" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.


(please hold those logs until we finish, remember that some of this junk may be gone, just do not miss any)


4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms04884702792] C:\WINDOWS\ms04884702792.exe
O4 - HKLM\..\Run: [slenyeiA] C:\WINDOWS\slenyeiA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [sys01792884702] C:\WINDOWS\sys01792884702.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurokazaa\local.htm (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:
c:\eurokazaa\ >>> folder

C:\WINDOWS\SYSC00.exe >>> file

C:\WINDOWS\ms04884702792.exe >>> file

C:\WINDOWS\slenyeiA.exe >>> file

C:\WINDOWS\errorhandler.exe >>> file

C:\WINDOWS\win3208027928847.exe >>> file

C:\WINDOWS\sys01792884702.exe >>> file

C:\Program Files\EQAdvice\ >>> folder

C:\Program Files\PECarlin\ >>> folder

C:\Program Files\AWS\ >>> folder

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help.

Jose, your Java program is outdated: C:\Program Files\Java\j2re1.4.1_07\bin\ <<< that will get you infected quick and may be the reason for this infection? Use this information to get Java updated and secure: http://forums.spybot.info/showthread.php?t=2559

If all goes well, we will be close, Thanks...Phil
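A note added by the editor, not part of Phil's post or of SCAT79's thread: the fix above is built on reading O4 (Run key), O9 and F2 (UserInit) lines out of a HijackThis log by eye. The script below is an added example that does the same triage mechanically, using a few lines copied from the logs in this thread as constructed sample input. The heuristics are assumptions the editor chose for illustration (an executable sitting directly in the Windows directory rather than System32, a long run of digits in the file name, an O9 button whose file is missing, and anything chained after userinit.exe in the UserInit value); they flag items for a human to review, they do not prove anything is malicious, and they will hit legitimate entries such as UpdReg.EXE that also live in the Windows root.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the HijackThis logs posted in
# this thread plus the F2 UserInit line quoted earlier. A raw string keeps
# the backslashes literal.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms04884702792] C:\WINDOWS\ms04884702792.exe
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,niaeowp.exe
""".strip().splitlines()

# HJT line formats. O4: "O4 - HKLM\..\Run: [name] command"; F2: UserInit value.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
# A file directly under X:\WINDOWS\ with no further subdirectory.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
# Heuristic (editor's assumption): five or more consecutive digits in a name.
DIGIT_RUN_RE = re.compile(r"\d{5,}")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def target_path(cmd: str) -> str:
    """Pull the executable (or hosted DLL) path out of a Run-key command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split(" ", 1)
    if parts[0].lower() == "rundll32.exe" and len(parts) == 2:
        # rundll32 host: the real payload is the DLL before the comma
        return parts[1].split(",", 1)[0].strip('"')
    return parts[0]


def triage_o4(name: str, cmd: str) -> list[str]:
    """Return review reasons for one O4 Run entry (empty list = nothing noted)."""
    path = target_path(cmd)
    reasons = []
    if WINDIR_ROOT_RE.match(path):
        reasons.append("executable sits directly in the Windows directory, not System32")
    if DIGIT_RUN_RE.search(path.rsplit("\\", 1)[-1]):
        reasons.append("long digit run in file name")
    return reasons


def triage_userinit(value: str) -> list[str]:
    """UserInit should be only system32\\userinit.exe; extra entries run at logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    reasons = []
    if not entries or not entries[0].lower().endswith(r"\system32\userinit.exe"):
        reasons.append("unexpected first UserInit entry: " + (entries[0] if entries else "(empty)"))
    for extra in entries[1:]:
        reasons.append("extra program chained to UserInit: " + extra)
    return reasons


def triage_log(lines) -> list[Finding]:
    """Walk an HJT log and collect the entries a human should look at."""
    findings = []
    for line in lines:
        reasons = []
        o4 = O4_RE.match(line)
        f2 = F2_USERINIT_RE.match(line)
        if o4:
            reasons = triage_o4(o4["name"], o4["cmd"])
        elif f2:
            reasons = triage_userinit(f2["value"])
        elif line.startswith("O9 - ") and "(file missing)" in line:
            reasons = ["O9 button points at a file that no longer exists (orphaned entry)"]
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run it as-is against the embedded sample, or replace SAMPLE_LOG with the lines of a saved hijackthis.log. The point of the UserInit check is the one Phil asked about: Windows runs every comma-separated entry in that value at logon, so a second name after userinit.exe is a persistence spot that a Run-key cleanup alone will not touch.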

SCAT79
2006-05-16, 21:02
I did almost everything you said with the exception of the BFU directions, because I do not have an alcanshorty.bfu file, only an alcanshorty.txt file, so I could not complete that step. I did run the Ewido scan (took about 1.5 hours to scan) and saved a report.

These are the reports. Once I get the alcanshorty.bfu file I can do the rest.



Ewido log


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:45:27 PM, 5/16/2006
+ Report-Checksum: B89BED06

+ Scan result:

HKLM\SOFTWARE\Dsi -> Adware.Delfin : Cleaned without backup
C:\503_617.exe -> Trojan.Small : Cleaned without backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned without backup
C:\Program Files\EQAdvice\EQAdvice.exe -> Adware.CASClient : Cleaned without backup
C:\Program Files\PECarlin\PECarlin.exe -> Adware.CASClient : Cleaned without backup
C:\Program Files\Windows Media Player\nigybemyg.dll -> Downloader.Small.ctp : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP649\A0260184.exe -> Adware.PurityScan : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP677\A0279061.exe -> Downloader.Small.ajc : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP678\A0279164.dll -> Adware.PurityScan : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP678\A0279165.exe -> Adware.ClickSpring : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP678\A0279166.exe -> Dropper.VB.mz : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP678\A0279279.exe -> Adware.NewDotNet : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP678\A0279280.exe -> Adware.NewDotNet : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP679\A0280004.exe -> Downloader.VB.tw : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP679\A0280005.exe -> Downloader.VB.tw : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP679\A0280006.exe -> Adware.Enbrow : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP679\A0280007.exe -> Downloader.Qoologic.at : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP679\A0280009.dll -> Adware.NewDotNet : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP679\A0280020.exe -> Downloader.PurityScan.cl : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP679\A0280022.dll -> Adware.NewDotNet : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280355.dll -> Adware.Aws : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280364.dll -> Downloader.Dyfuca : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280365.exe -> Downloader.Dyfuca.ei : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280366.exe -> Adware.180Solutions : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280367.dll -> Adware.180Solutions : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280369.exe -> Adware.180Solutions : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280370.exe -> Adware.PurityScan : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280371.exe -> Adware.Look2Me : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280372.exe -> Downloader.Keenval : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280373.dll -> Adware.180Solutions : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280375.exe/whAgent.exe -> Adware.WebHancer : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280376.dll -> Adware.180Solutions : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280377.exe -> Downloader.Small.buy : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280378.exe -> Downloader.Dyfuca.ei : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280379.exe -> Dropper.Small.qn : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280380.exe -> Downloader.TSUpdate.o : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280381.exe -> Downloader.Agent.ac : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280382.DLL -> Adware.Look2Me : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280387.dll -> Downloader.Agent.agw : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280388.exe -> Downloader.Qoologic.bj : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280389.exe -> Downloader.Qoologic.bj : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280390.exe -> Downloader.Qoologic.bj : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280391.dll -> Downloader.Qoologic.bj : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280393.exe -> Downloader.Qoologic.bj : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280394.exe -> Trojan.Qoologic : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280396.dll -> Adware.CommAd : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280397.exe -> Adware.CommAd : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP680\A0280398.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP681\A0280468.exe -> Dropper.Agent.hl : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP681\A0280474.dll -> Downloader.Small.ctp : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP681\A0280475.exe -> Downloader.Small.ajc : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283214.exe -> Hijacker.VB.ij : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283215.exe -> Downloader.VB.ys : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283216.exe -> Downloader.VB.aci : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283218.exe -> Adware.NewDotNet : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283219.exe -> Adware.NewDotNet : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283220.exe -> Downloader.Adload.bi : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283221.exe -> Downloader.Adload.bj : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283222.exe -> Downloader.Adload.ap : Cleaned without backup
C:\System Volume Information\_restore{46609B41-6F7E-4E3E-BFB9-61DAA8CD27C0}\RP685\A0283223.exe -> Downloader.Small.cpu : Cleaned without backup
C:\Tagasaurus.exe -> Dropper.Agent.hl : Cleaned without backup
C:\WINDOWS\errorhandler.exe -> Downloader.VB.nw : Cleaned without backup
C:\WINDOWS\ms04884702792.exe -> Adware.Enbrow : Cleaned without backup
C:\WINDOWS\NDNuninstall5_48.exe -> Adware.NewDotNet : Cleaned without backup
C:\WINDOWS\NDNuninstall5_64.exe -> Adware.NewDotNet : Cleaned without backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned without backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned without backup
C:\WINDOWS\slenyeiA.exe -> Hijacker.VB.ij : Cleaned without backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned without backup
C:\WINDOWS\wnu_43.exe -> Trojan.Qoologic : Cleaned without backup


::Report End



HijackThis Log



Logfile of HijackThis v1.99.1
Scan saved at 2:02:26 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\win3208027928847.exe
C:\WINDOWS\sys01792884702.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jose Escatel\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PowerDVD] C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [sys01792884702] C:\WINDOWS\sys01792884702.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147569238531
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

SCAT79
2006-05-16, 21:05
I stopped and exited out of safe mode right after the step where I needed the alcanshorty.bfu file and posted it here on the forums. If I have to repeat this whole step to scan and run the BFU I will do it later on tonight. But I didn't receive the alcanshorty.bfu file needed to run it the proper way.

pskelley
2006-05-16, 21:42
I stopped and exited out of safe mode right after the step where I needed the alcanshorty.bfu file and posted it here on the forums. If I have to repeat this whole step to scan and run the BFU I will do it later on tonight. But I didn't receive the alcanshorty.bfu file needed to run it the proper way.


3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Step three is where you get the file alcanshorty.bfu. You must follow the directions exactly: you do not click it, you must right-click and choose (on my computer it is) "Save target as". You must save it to the same folder you made earlier (c:\BFU) or it will not work. You can try again if you wish, no need to run ewido again. If you want, you can try to remove the rest manually with HJT, as it seems you got a lot of it. I will give you those instructions now; this is what did not get removed the first time:


Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(you must be showing all hidden files and folder or you may not see the bad stuff)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [win3208027928847] C:\WINDOWS\win3208027928847.exe
O4 - HKLM\..\Run: [sys01792884702] C:\WINDOWS\sys01792884702.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Navigate to and delete these items:

C:\WINDOWS\win3208027928847.exe >>> file

C:\WINDOWS\sys01792884702.exe >>> file

Now restart the computer and Post a new HJT log and let me know how the computer is running now.

Make sure you do not use System Restore for any reason until we clean it. You can see all of the junk backed up in there in the ewido log, thanks.

SCAT79
2006-05-17, 07:12
Heya, thanks for all the help. The ORLY computer runs faster, stronger, and smarter now. My cursor does not stutter all over the screen and I get 0 popups. I can actually keep my settings on my computer (the task bar keeps my icons on the desktop now, whereas before they got deleted somehow) without any problems.

The cause of these infections, trojans, and worms was most likely the use of a Bit Torrent. That is probably my last time using one of those unless I really know what I am doing.

One suggestion I do have is about the downloading of the alcanshorty.bfu file. When I saved this into my C:\BFU folder it saved it as alcanshorty.bfu.txt. The only thing I had to do to fix this was rename the file to alcanshorty.bfu. I ran the test without any sort of problems at all.

Below is the most updated HJT log. Everything runs smooth and well for the time being, but I was wondering if it was possible to delete more junk. There are 2 programs that are being blocked by my firewall that I'm really not too sure about: svhost.exe and tgcmd.exe. There are other various files in the HJT log that I am not too familiar with, like the nimz; I will highlight these in bold.

I ran a final Spybot scan and that same damn Command Service is still there, but it does not seem to be causing any sort of problems. It doesn't appear to make any attempts to communicate with the Internet from what I can tell.



Last HJT log:







Logfile of HijackThis v1.99.1
Scan saved at 11:57:53 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jose Escatel\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PowerDVD] C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147569238531
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

pskelley
2006-05-17, 14:36
OK Jose, great job using the tools and the complex fixes. Looking at the HJT log it is clean of malware. There is one item, an old DPF for Java which is outdated. Use HJT to remove that please:
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

This is important: I can see all of the bad stuff in the System Restore files in the ewido scan results. This will give you clean files; do this right away.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

I posted the information you provided about the Alcan for the creator of the fix, and as soon as he lets me know why it happened like that, I will post to let you know.

Here are links you can use in the future to find out what things are:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.pacs-portal.co.uk/startup_index.htm
http://computercops.biz/StartupList.html
http://www.sysinfo.org/startuplist.php
http://www.bleepingcomputer.com/startups/

I will cover your comments and respond to them today.

svhost.exe <<< watch the spelling, it should be C:\WINDOWS\system32\svchost.exe and it is a very important item you will often see running more than once during routine operation. Here is what you need to know:
http://support.microsoft.com/?kbid=314056 You can't do without that; if the spelling is different from svchost it is usually a problem.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
http://castlecops.com/startuplist-9746.html

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
http://www.liutilities.com/products/wintaskspro/processlibrary/tgcmd/

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
http://castlecops.com/startuplist-2564.html

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
http://castlecops.com/startuplist-795.html

This should take care of the command.exe issues:
Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted!
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by double-clicking it and then double-click the ren-cmdservice.bat file to run the program.
A text file will open when it is finished; post it please.
Then restart the PC, run Spybot, and check for and fix any problems found.

Thanks...Phil

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
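
The svchost.exe spelling check above, written out as an added example (this is not code from the thread, from Spybot or from HijackThis): it pulls the "Running processes" paths out of a HijackThis log and flags names that are one letter away from a core Windows binary, or core binaries running from a folder other than the one they belong in. The sample log fragment and the two lookalike entries in it are constructed.

```python
import ntpath

# Windows XP system binaries that malware imitates with a near-miss spelling (the
# thread's "svhost.exe") or by running a same-named copy from the wrong folder.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = {n: SYSTEM32 for n in ("smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe")}
SYSTEM_BINARIES["explorer.exe"] = r"c:\windows"

# Constructed sample: first four entries are legitimate, the last two are made up.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\svhost.exe
C:\Documents and Settings\user\svchost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
"""

def edit_distance(a, b):
    # Levenshtein distance; one edit catches a dropped, added or changed letter.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_running_processes(log_text):
    # Paths listed between "Running processes:" and the following blank line.
    block = log_text.partition("Running processes:")[2].split("\n\n", 1)[0]
    return [line.strip() for line in block.splitlines() if line.strip()]

def check_process(path):
    # Return a reason string if the path looks suspicious, otherwise None.
    name, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    if name in SYSTEM_BINARIES:
        expected = SYSTEM_BINARIES[name]
        return None if folder == expected else f"{name} outside {expected}"
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) == 1:
            return f"{name} is one letter off from {real}"
    return None

def flag_suspicious(log_text):
    results = [(p, check_process(p)) for p in parse_running_processes(log_text)]
    return [(p, r) for p, r in results if r]
```

Run `flag_suspicious(SAMPLE_LOG)` and the two constructed entries come back with their reasons while the genuine system32 and Program Files paths pass.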

pskelley
2006-05-17, 15:55
Hi Jose, I received an answer from Metallica, the creator of the Alcra PLUS Remover, and I will post that information to the open topic as it may help others to see it. Here is what he had to say:

"Hi Phil,
If you use the Save target as feature of a browser and forget to specify the name and don't save as all filetypes, then you will indeed get alcanshorty.bfu.txt
On the up-side BFU also processes txt files, so it should work anyway."

These infections also change very quickly, so the fixes have to as well. I suggest you delete the tools we used, with the possible exception of CCleaner; ewido is a good scanner, just stop it from running once the trial is past.

Thanks...Phil

tashi
2006-05-26, 02:21
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a PM and provide a link to the thread.

Applies only to the original topic starter.