PDA

View Full Version : Command Service



GOPATS3000
2006-12-21, 22:03
This is truly the most difficult Malware I've had to remove. To make matters worse I work on a computer at my office (or shop really) that is used by several other employees. I've had a difficult time fighting off certain problems, but I've got most of them...except Command Service! This program is evil. It makes my explorer browser close randomly. Very frustrating.

Here is my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 2:54:59 PM, on 12/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\T3duZXI\command.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\DOCUME~1\Owner\MYDOCU~1\SSEMBL~1\csrss.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\??stem\??plorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {A6FF9902-569A-746B-9C6F-79E52D6B1197} - C:\WINDOWS\system32\tgnced.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A6FF9902-569A-746B-9C6F-79E52D6B1197} - C:\WINDOWS\system32\tgnced.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Auas] "C:\DOCUME~1\Owner\MYDOCU~1\SSEMBL~1\csrss.exe" -vt yazr
O4 - HKCU\..\Run: [Gdif] C:\WINDOWS\system32\??stem\??plorer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://apps.chicago.auctionsolutions.com/4.2/install/isetupml.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

GOPATS3000
2006-12-21, 23:39
is there anything else I need to post?

FYI: "BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Angelfire777
2006-12-22, 09:20
Hi, Welcome to Spybot Forum.

*You have executed HijackThis directly from the zip file which means that the backups that it makes will not be saved. We need to extract Hijackthis.

To move Hijackthis:

Double-click your HijackThis.zip file and a window will open showing the HijackThis file. On the left pane, click on the link that says Extract all files.
The Extraction Wizard will open, click on Browse.
This will take you to a Select a Destination Window. Click on the (+) sign beside My computer and when it collapses, click C:\ to highlight it.
Click on Make New Folder. You can name your folder HJT or hijackthis or whatever you want, then click OK
The Hijackthis program will extract to your new folder and you will see the Extraction Complete window. Put a checkmark in the Show extracted files box and then click Finish.
The HijackThis folder will open to show the HijackThis program.

You can run hijackthis from its new location but if you find it more convenient to run it from your desktop, right-click HijackThis.exe and select Send To from the options and then choose Desktop (create shortcut).

___________________________________


*First install MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm), please read more about what we are doing.

*Download and unzip hosts.zip from HERE (http://www.mvps.org/winhelp2002/hosts.zip) to a folder (hosts).

*Open up the hosts folder and double-click on the mvps.bat file, it will rename your present HOSTS file to HOSTS.MVP, then it will copy the new HOSTS file to the correct location on your machine.

*Look in your control panels add/remove programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

*Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)

Reboot when done.

_____________________________

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

___________________________________

Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) by noahdfear and save it to your desktop:
Please double-click FindAWF.exe to run it.
If a security alert shows, allow the program to run.
When the tool has completed, a report will open in Notepad.
Please post the results of the awf.txt in your next reply.

On your next reply, please include a fresh HijackThis log, combofix log and the findAWF log.

tashi
2006-12-27, 19:41
Gopats3000?

tashi
2007-01-02, 19:41
This topic is closed due to lack of a response. :spider:

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.

Thank you Angelfire777. :)

tashi
2007-01-03, 19:14
Re-opened upon request.

Angelfire777
2007-01-04, 11:57
Post the logs requested please :)

GOPATS3000
2007-01-05, 17:56
Logfile of HijackThis v1.99.1
Scan saved at 10:55:47 AM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\T3duZXI\command.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://apps.chicago.auctionsolutions.com/4.2/install/isetupml.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Angelfire777
2007-01-06, 02:09
You didn't post all the logs that I requested..

Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamites). Then, drag and drop that file to the new folder you created.

_______________________

Run combofix and findAWF per my previous instructions then post all the logs that I have asked for.

GOPATS3000
2007-01-07, 20:24
Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\AIM\aim.exe"
25600 "C:\Program Files\iTunes\iTunesHelper.exe"
25600 "C:\WINDOWS\system32\hkcmd.exe"
25600 "C:\WINDOWS\system32\NeroCheck.exe"
25600 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 02:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

12/14/2003 11:07 PM 118,784 hkcmd.exe
12/14/2003 11:20 PM 155,648 igfxtray.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
3 File(s) 430,080 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

07/14/2005 09:16 PM 58,992 ccApp.exe
1 File(s) 58,992 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

25600 Nov 8 2006 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
25600 Nov 8 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 8 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Dec 22 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
25600 Nov 8 2006 "C:\WINDOWS\system32\hkcmd.exe"
118784 Dec 14 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Dec 14 2003 "C:\WINDOWS\system32\bak\igfxtray.exe"
25600 Nov 8 2006 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
25600 Nov 8 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58992 Jul 14 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"


end of report

GOPATS3000
2007-01-07, 20:25
Owner - 07-01-07 13:14:47.79 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Install.dat
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\Cowabanga
C:\Program Files\Common Files\{35B8E11E-0965-1033-0307-050202050001}
C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}
C:\WINDOWS\T3duZXI

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\ASEMBL~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1
C:\QooBox\Purity\WINDOWS\system32\STEM~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1\nslookup.exe


((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


2007-01-07 08:59 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2007-01-07 08:58 2,116 --a------ C:\36525025.exe
2007-01-03 09:50 <DIR> d-------- C:\Program Files\Ipwindows
2006-12-12 16:34 <DIR> dr-h----- C:\Documents and Settings\Owner\Recent
2006-12-12 11:40 <DIR> d-------- C:\Program Files\CCleaner
2006-12-11 15:41 <DIR> d-------- C:\Program Files\ąppPatch
2006-12-07 04:45 <DIR> d-------- C:\Program Files\WinBudget


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-07 13:17 -------- d-------- C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}
2007-01-07 13:17 -------- d-------- C:\Program Files\Common Files
2007-01-07 13:13 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2007-01-03 10:15 -------- d-------- C:\Program Files\Common Files\Java
2006-12-22 19:24 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-12-22 12:24 -------- d-------- C:\Program Files\QuickTime
2006-12-11 17:50 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-08 18:26 -------- d-------- C:\Program Files\Common Files\kizr
2006-12-08 15:35 -------- d-------- C:\Program Files\Symantec
2006-12-08 15:35 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-02 15:27 69 --a-s---- C:\WINDOWS\test.bat
2006-11-22 15:27 -------- d-------- C:\Documents and Settings\Owner\Application Data\acccore
2006-11-22 15:25 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-11-22 15:25 -------- d-------- C:\Program Files\Common Files\AOL
2006-11-22 15:25 -------- d-------- C:\Program Files\AIM6
2006-11-22 10:47 -------- d-------- C:\Program Files\LimeWire
2006-11-20 14:02 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-11-20 13:58 -------- d-------- C:\Program Files\Common Files\xing shared
2006-11-20 13:58 -------- d-------- C:\Program Files\Common Files\Real
2006-11-20 13:57 -------- d-------- C:\Program Files\Real
2006-11-17 10:06 -------- d-------- C:\Program Files\Auction Client
2006-11-16 13:39 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-11-16 13:27 -------- d-------- C:\Documents and Settings\Owner\Application Data\Google
2006-11-16 12:33 -------- d-------- C:\Program Files\Google
2006-11-16 12:31 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-11-16 12:30 -------- d-------- C:\Program Files\Java
2006-11-16 09:54 -------- d-------- C:\Program Files\Yahoo!
2006-11-08 20:50 25600 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-11-08 20:50 25600 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-11-08 20:50 -------- d-------- C:\Program Files\Messenger
2006-11-08 20:50 -------- d-------- C:\Program Files\iTunes
2006-11-08 20:50 -------- d-------- C:\Program Files\AIM
2006-11-08 15:05 -------- d-------- C:\Program Files\iPod
2006-11-08 15:01 -------- d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DeleteDLL"="cmd.exe /c del C:\\PROGRA~1\\COMMON~1\\{35B8E~1\\Bar888.dll > nul"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SoundMan"="SOUNDMAN.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"{85B8E11E-0965-1033-0307-050202050001}"="\"C:\\Program Files\\Common Files\\{85B8E11E-0965-1033-0307-050202050001}\\Update.exe\" te-110-12-0000213"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,c4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax DllCmd 4.0.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax DllCmd 4.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.0\\J2GDLL~1.EXE /R"
"item"="eFax DllCmd 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax Tray Menu 4.0.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Tray Menu 4.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.0\\J2GTray.exe "
"item"="eFax Tray Menu 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Webshots.lnk"
"backup"="C:\\WINDOWS\\pss\\Webshots.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Webshots\\Launcher.exe /t"
"item"="Webshots"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=dword:00000003
"ccSetMgr"=dword:00000002
"ccPwdSvc"=dword:00000003
"ccEvtMgr"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-07 13:17:18.46
C:\ComboFix.txt ... 07-01-07 13:17

GOPATS3000
2007-01-07, 20:26
:oops:

Logfile of HijackThis v1.99.1
Scan saved at 1:25:17 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{85B8E11E-0965-1033-0307-050202050001}] "C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://apps.chicago.auctionsolutions.com/4.2/install/isetupml.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Angelfire777
2007-01-08, 14:37
*You still haven't relocated HijackThis like I told you before...I have asked you 3 times already...Please follow instructions..

Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamites). Then, drag and drop that file to the new folder you created.


*An optional that I would recommend be uninstalled.

LimeWire
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

*Reboot


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O4 - HKLM\..\Run: [{85B8E11E-0965-1033-0307-050202050001}] "C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}\Update.exe" te-110-12-0000213
O20 - AppInit_DLLs:
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked".


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type delservices.bat in the File name and save it to your desktop.


@echo off
sc stop "COM+ Messages"
sc delete "COM+ Messages"

Do Not use it yet!


*Please download DelDomains (http://www.mvps.org/winhelp2002/DelDomains.inf) by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer, and post a new HijackThis log.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.

*Please download ResetProtocolDefaults (http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg) by WinHelp2002 and save it to your desktop:
Locate ResetProtocolDefaults.reg which should be on your desktop.
Right-click and select: Merge.
OK the prompt.
_______________________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
________________________

*Locate delservices.bat on your Desktop and double-click on it.

*Using Windows Explorer, find and delete these files:

C:\WINDOWS\system32\svchosts.exeIMPORTANT:There is a legit file called svchost.exe in the same folder as the infected file. The file we want to delete it svchosts.exe (It has an extra s on its name)
C:\36525025.exe
C:\WINDOWS\system32\wnsapisv.exe

Did you create this batch file? If not, delete it:

C:\WINDOWS\test.bat


*Delete this folder:

C:\Program Files\Ipwindows
C:\Program Files\Common Files\{85B8E11E-0965-1033-0307-050202050001}
C:\Program Files\Common Files\kizr

Delete the following folder if you uninstalled Limewire:

C:\Program Files\LimeWire

Empty your Recycle bin.

______________________________

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.


REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DeleteDLL"=-




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type restore.bat in the File name and save it to your desktop.


if exist "C:\Program Files\AIM\aim.exe" del /q "C:\Program Files\AIM\aim.exe"
copy "C:\Program Files\AIM\bak\aim.exe" "C:\Program Files\AIM"
del /q "C:\Program Files\AIM\bak\aim.exe"
rmdir "C:\Program Files\AIM\bak"

if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
del /q "C:\Program Files\iTunes\bak\iTunesHelper.exe"
rmdir "C:\Program Files\iTunes\bak"

if exist "C:\WINDOWS\system32\hkcmd.exe" del /q "C:\WINDOWS\system32\hkcmd.exe"
copy "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32"
del /q "C:\WINDOWS\system32\bak\hkcmd.exe"

if exist "C:\WINDOWS\system32\igfxtray.exe" del /q "C:\WINDOWS\system32\igfxtray.exe"
copy "C:\WINDOWS\system32\bak\igfxtray.exe" "C:\WINDOWS\system32"
del /q "C:\WINDOWS\system32\bak\igfxtray.exe"

if exist "C:\WINDOWS\system32\NeroCheck.exe" del /q "C:\WINDOWS\system32\NeroCheck.exe"
copy "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32"
del /q "C:\WINDOWS\system32\bak\NeroCheck.exe"
rmdir "C:\WINDOWS\system32\bak"

if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
copy "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared"
del /q "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
rmdir "C:\Program Files\Common Files\Symantec Shared\bak"

del /q "C:\Program Files\QuickTime\bak\qttask.exe"
rmdir "C:\Program Files\QuickTime\bak"

rmdir "C:\PROGRA~1\MESSEN~1\BAK"


Double click restore.bat then please run FindAWF again to make sure nothing is left.

Reboot to normal mode.

________________________________

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply

On your next reply, please include a fresh HijackThis log, findAWF report, CureIT log and a description on how your machine is running.

GOPATS3000
2007-01-08, 21:02
The is keyboard has an F-Key Lock. So I am going to have to find a keyboard without one. Sorry about the delay.

Angelfire777
2007-01-09, 12:34
That's alright. Post back when you're done:bigthumb:

tashi
2007-01-16, 19:05
GOPATS3000, how is it going? :)

tashi
2007-01-23, 01:09
GOPATS3000,this topic is closed due to lack of a response. :spider:

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.


Thank you Angelfire777. :)