View Full Version : smitfraud-c and smitfraud-c.toolbar888 problems! need urgent help!
tigerwoodsii
2006-11-30, 12:27
hi i scanned my laptop with spybot and smitfraud-c and smitfraud-c.toolbar888 keep coming up even though i removed them, i've tried for the whole week and i dont know what to do, help please?
attached is my hijackthis log, hijackthis.exe already renamed to scanner.exe
thanks so much
Logfile of HijackThis v1.99.1
Scan saved at 6:49:58 PM, on 11/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ismini.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\Su Jun's Personal\hijackthis\Scanner.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\System32\ixt0.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\huylpyqq.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvgib.dll,startup
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\irun4.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164705255328
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winche32 - C:\WINDOWS\SYSTEM32\winche32.dll
O21 - SSODL: ACEBBAEE - {27B32F2F-6FD4-0E05-22C3-27885D6507BE} - C:\WINDOWS\System32\Dabmdn32.dll (file missing)
O21 - SSODL: mtklef - {F5740811-429B-4AEA-0CA0-CB65F53CCA77} - C:\WINDOWS\System32\orhk32.dll (file missing)
O21 - SSODL: mtklefa - {E762F58E-F5FD-4657-8F8F-44BD8CB47AA6} - C:\WINDOWS\System32\xgjy32.dll (file missing)
O21 - SSODL: mtkle - {6E8FC503-BC95-45D5-2A9A-71A424C7C3E8} - C:\WINDOWS\System32\edyvf32.dll (file missing)
O21 - SSODL: mtklefap - {A62E88BC-7FC4-4462-73A9-BFBEA58C5C44} - C:\WINDOWS\System32\wahqmj32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
pskelley
2006-12-04, 14:42
Hello and welcome to the forum, sorry for the wait, logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.
Just so you will know for the future, tashi has created this topic for you:
http://forums.spybot.info/showthread.php?t=1137
Smitfraud-C.Toolbar888 is a FALSE POSITIVE, see this information:
http://forums.spybot.info/showthread.php?t=8668
I see no evidence of the Vundo trojan which is why we rename HJT.
I do see a lot of nasty junk in this log, beside the Smitfraud infection there is:
Win32.Korgo.AB
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39581
http://www.fileresearchcenter.com/I/IPWINS.EXE-7650.html
W32.Blaster
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081315-0500-99
You need to read this information carefully, under the removal tab, there is a tool that needs to be run and information about this worm. This was patched log ago, are your Microsoft Critical Updates all current?
32.Beagle
http://www.symantec.com/security_response/writeup.jsp?docid=2004-030214-1700-99W
You also have a version of this one: 32.Beagle Read the information under the removal tab, there is a tool there to remove it.
Where did you find all of these old infections? Once you run those tools, then continue with these directions. This may well take a while.
http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.
Please use these instructions when you run AVG Anti-Spyware, make sure you delete or at least quarantine what is located.
http://forums.security-central.us/showthread.php?t=3165
Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.
Thanks...pskelley
Safer Networking Forums
tigerwoodsii
2006-12-09, 14:30
hi again, here are my 3 logs after i've done all that
thanks alot
SmitFraudFix v2.125
Scan done at 13:16:58.57, Sat 12/09/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ismini.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:34:27 PM 12/9/2006
+ Scan result:
C:\Program Files\Common Files\{AC41BA4E-063F-1033-0521-020204040001}\Update.exe -> Adware.Softomate : Cleaned.
C:\WINDOWS\Temp\win67.tmp.exe -> Downloader.Agent.bca : Cleaned.
C:\WINDOWS\Temp\win94.tmp.exe -> Downloader.Agent.bca : Cleaned.
C:\WINDOWS\Temp\win73.tmp.exe -> Downloader.Zlob.bbq : Cleaned.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 8:53:12 PM, on 12/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\System32\ixt0.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\huylpyqq.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvgib.dll,startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\irun4.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164705255328
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winche32 - winche32.dll (file missing)
O21 - SSODL: ACEBBAEE - {27B32F2F-6FD4-0E05-22C3-27885D6507BE} - C:\WINDOWS\System32\Dabmdn32.dll (file missing)
O21 - SSODL: mtklef - {F5740811-429B-4AEA-0CA0-CB65F53CCA77} - C:\WINDOWS\System32\orhk32.dll (file missing)
O21 - SSODL: mtklefa - {E762F58E-F5FD-4657-8F8F-44BD8CB47AA6} - C:\WINDOWS\System32\xgjy32.dll (file missing)
O21 - SSODL: mtkle - {6E8FC503-BC95-45D5-2A9A-71A424C7C3E8} - C:\WINDOWS\System32\edyvf32.dll (file missing)
O21 - SSODL: mtklefap - {A62E88BC-7FC4-4462-73A9-BFBEA58C5C44} - C:\WINDOWS\System32\wahqmj32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
pskelley
2006-12-09, 15:32
Thanks for returning your information. Here is hoping you are following all of the directions and running all of the tools I am providing. There is a lot of that junk STILL in the HJT log. Let's proceed like this.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) AVG Anti-Spyware 7.5: Deactivate the Resident Shield- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
4) TeaTimer will also block the changes we must make, use the information in this link and turn it off until you are done:
http://russelltexas.com/malware/teatimer.htm
5) Start > Control Panel > Add remove programs and uninstall ipwins, PuritySCAN By OIN, OIN or OuterInfo. Uninstall any programs you know do not belong there. If none of this is there, try this uninstaller:
http://www.outerinfo.com/howto.html
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(some lines may be gone, just do not miss any)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\System32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\huylpyqq.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvgib.dll,startup
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\System32\irun4.exe
O4 - Startup: PowerReg SchedulerV2.exe
O20 - Winlogon Notify: winche32 - winche32.dll (file missing)
O21 - SSODL: ACEBBAEE - {27B32F2F-6FD4-0E05-22C3-27885D6507BE} - C:\WINDOWS\System32\Dabmdn32.dll (file missing)
O21 - SSODL: mtklef - {F5740811-429B-4AEA-0CA0-CB65F53CCA77} - C:\WINDOWS\System32\orhk32.dll (file missing)
O21 - SSODL: mtklefa - {E762F58E-F5FD-4657-8F8F-44BD8CB47AA6} - C:\WINDOWS\System32\xgjy32.dll (file missing)
O21 - SSODL: mtkle - {6E8FC503-BC95-45D5-2A9A-71A424C7C3E8} - C:\WINDOWS\System32\edyvf32.dll (file missing)
O21 - SSODL: mtklefap - {A62E88BC-7FC4-4462-73A9-BFBEA58C5C44} - C:\WINDOWS\System32\wahqmj32.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) RIGHT Click on Start then click on Explore. Locate and delete these items:
msblast.exe <<< delete that file (search for that one)
C:\WINDOWS\System32\huylpyqq.exe <<< delete that file
C:\Program Files\ipwins\ <<< delete that folder
C:\WINDOWS\System32\drvgib.dll <<< delete that file
C:\WINDOWS\System32\irun4.exe <<< delete that file
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and then do this:
Thanks to sUBs and anyone who helped with this fix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Post the log from combofix and a new HJT log.
Thanks
This topic is closed due to lack of a response. :scratch:
If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.
tigerwoodsii
2006-12-21, 10:33
here are my combofix log and hjt log, thanks alot for the help
Administrator - 06-12-19 15:48:00.94 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Administrator\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3C41BA4E-063F-1033-0521-020204040001}
C:\Program Files\Common Files\{AC41BA4E-063F-1033-0521-020204040001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Program Files\DOBE~1
C:\QooBox\Purity\Program Files\DOBE~1\?dobe
((((((((((((((((((((((((((((((( Files Created from 2006-11-19 to 2006-12-19 ))))))))))))))))))))))))))))))))))
2006-12-06 13:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-06 13:22 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-06 13:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-06 13:22 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-06 13:17 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-05 19:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2006-12-05 19:50 67,584 --a------ C:\WINDOWS\system32\magnify.exe
2006-12-05 19:50 544,256 --a------ C:\WINDOWS\system32\crypt32.dll
2006-12-05 19:50 51,200 --a------ C:\WINDOWS\system32\narrator.exe
2006-12-05 19:50 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2006-12-05 19:50 212,480 --a------ C:\WINDOWS\system32\osk.exe
2006-12-05 19:50 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-05 19:50 125,440 --a------ C:\WINDOWS\system32\shmedia.dll
2006-12-05 19:44 57,344 --a------ C:\WINDOWS\system32\wzcdlg.dll
2006-12-05 19:44 31,232 --a------ C:\WINDOWS\system32\wzcsapi.dll
2006-12-05 19:44 281,088 --a------ C:\WINDOWS\system32\wzcsvc.dll
2006-12-05 19:44 1,630,208 --a------ C:\WINDOWS\system32\netshell.dll
2006-12-05 19:42 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2006-12-05 19:42 614,431 --a------ C:\WINDOWS\system32\mswstr10.dll
2006-12-05 19:42 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2006-12-05 19:42 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2006-12-05 19:42 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2006-12-05 19:42 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2006-12-05 19:42 380,957 --a------ C:\WINDOWS\system32\expsrv.dll
2006-12-05 19:42 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2006-12-05 19:42 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2006-12-05 19:42 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2006-12-05 19:42 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2006-12-05 19:42 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2006-12-05 19:42 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2006-12-05 19:42 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2006-12-05 19:42 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2006-12-05 19:42 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2006-12-05 19:42 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2006-12-05 19:42 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2006-12-05 19:30 <DIR> d-------- C:\WINDOWS\PeerNet
2006-12-05 19:27 384,512 --a------ C:\WINDOWS\system32\mp4sdmod.dll
2006-12-05 19:27 316,040 --a------ C:\WINDOWS\system32\mp43dmod.dll
2006-12-05 19:27 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2006-12-05 19:16 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2006-12-05 19:16 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-12-05 19:16 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-05 14:09 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-05 14:09 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-12-05 13:15 102,400 --a------ C:\WINDOWS\system32\win32spl.dll
2006-12-05 12:23 72,704 --a------ C:\WINDOWS\system32\drvhip.dll
2006-11-29 22:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-29 21:46 <DIR> d-------- C:\Program Files\Grisoft
2006-11-29 17:21 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-11-29 16:16 322 --a------ C:\WINDOWS\system32\xyalkh.exe
2006-11-28 23:21 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2006-11-28 22:40 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2006-11-28 22:22 322 --a------ C:\WINDOWS\system32\hsnyyb.exe
2006-11-28 21:50 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-11-28 20:11 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2006-11-28 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-28 19:09 991,232 --a------ C:\WINDOWS\system32\esent.dll
2006-11-28 17:47 105,984 --a------ C:\WINDOWS\system32\delme.exe
2006-11-28 16:51 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-11-28 16:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-28 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-28 16:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-11-28 16:32 <DIR> d-------- C:\Program Files\MSN Messenger
2006-11-28 16:23 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-11-28 16:23 <DIR> d-------- C:\WINDOWS\system32\PreInstall
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-19 15:49 -------- d-------- C:\Program Files\Common Files
2006-12-05 20:00 -------- d-------- C:\Program Files\Windows Media Player
2006-12-05 16:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-05 16:42 -------- d-------- C:\Program Files\Symantec
2006-12-05 16:41 48768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-12-05 16:41 110952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-05 14:22 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-05 13:33 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-29 21:11 -------- d-------- C:\Program Files\Outlook Express
2006-11-29 21:11 -------- d-------- C:\Program Files\Common Files\System
2006-11-29 17:29 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2006-11-29 01:13 -------- d-------- C:\Program Files\Messenger
2006-11-28 22:26 2328 --a------ C:\WINDOWS\system32\datkkq32.dll
2006-11-28 21:51 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-28 21:38 -------- d-------- C:\Program Files\Common Files\EPSON
2006-11-28 20:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-28 20:50 -------- d-------- C:\Program Files\Documents To Go
2006-11-28 20:47 -------- d-------- C:\Program Files\FastPro
2006-11-28 20:46 -------- d-------- C:\Program Files\EPSON
2006-11-28 16:34 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-28 16:20 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2006-11-13 15:33 -------- d-------- C:\Program Files\NetMeeting
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"ATIModeChange"="Ati2mdxx.exe"
"TrackPointSrv"="tp4serv.exe"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"UC_SMB"=""
"WLANSTA.EXE"="WLANSTA.EXE START"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HotSync Manager.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\HotSync Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\HotSync Manager.lnkStartup"
"location"="Startup"
"command"="C:\\Palm\\HOTSYNC.EXE "
"item"="HotSync Manager"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADVCHK"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Connection Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NclConf"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclConf.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tgcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tgcmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tp4ex"
"hkey"="HKLM"
"command"="tp4ex.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TPHKMGR"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uahe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvdplay"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\DOBE~1\\dvdplay.exe\" -vt yazb"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msblast"
"hkey"="HKLM"
"command"="msblast.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WService"
"hkey"="HKLM"
"command"="WService.EXE"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winche32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Administrator.job
Completion time: 06-12-19 15:50:44.19
C:\ComboFix.txt ... 06-12-19 15:50
tigerwoodsii
2006-12-21, 10:34
Logfile of HijackThis v1.99.1
Scan saved at 3:53:26 PM, on 12/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164705255328
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winche32 - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
pskelley
2006-12-21, 23:20
Thanks for returning your information, let's do this now:
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
TeaTimer will block the changes we must make, turn it off until we are finished:
http://www.malwarehelp.org/how-to-enabledisable-spybot-teatimer.html
AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O20 - Winlogon Notify: winche32 - C:\WINDOWS\
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log. Let me know how the computer is running now.
Thanks
tigerwoodsii
2006-12-25, 05:52
the computer's running faster now, startup is much faster.
here's the new hjt log, thanks alot.
Logfile of HijackThis v1.99.1
Scan saved at 12:14:13 PM, on 12/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164705255328
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
pskelley
2006-12-25, 11:45
Thanks for the feedback, Let's clean System Restore now, System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Here are some ideas that may improve performance.
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471
Safe surfing and Merry Christmas:D:
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.