
Thread: Command Service

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Command Service

    Well, I read a great deal of all the posts concerning this malware. I also read the posts in which it was said this is not malware. But I want to make sure.
    I did a full Norton scan. The only thing it couldn't remove was a file called 'C:\WINDOWS\system32\ppiaoa.exe'.
    If I try a system restore, it isn't able to restore to a previous point. I'm a little confused at the moment. Thanks for your help in advance!

    Here are my logs:

    Spybot:
    --------

    CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
    HKEY_USERSS-1-5-21-527237240-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main\Local Page=about:blank

    CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
    HKEY_USERSS-1-5-21-527237240-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

    CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
    HKEY_USERSS-1-5-21-527237240-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

    CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
    HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Local Page=about:blank

    CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
    HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Start Page=about:blank

    CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
    HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Command Service: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

    HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


    HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


    FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


    FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


    FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


    FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


    FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


    HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


    HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


    MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-12-10 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2005-12-23 Includes\Cookies.sbi (*)
    2005-12-23 Includes\Dialer.sbi (*)
    2005-12-23 Includes\Hijackers.sbi (*)
    2005-12-23 Includes\Keyloggers.sbi (*)
    2005-12-23 Includes\Malware.sbi (*)
    2005-12-23 Includes\PUPS.sbi (*)
    2005-12-23 Includes\Revision.sbi (*)
    2005-12-23 Includes\Security.sbi (*)
    2005-12-23 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2005-12-23 Includes\Trojans.sbi (*)

    I removed the CoolWWWSearch several times, but it keeps coming back.
    The Command Service I can't get rid of, not even manually or in safe mode.


    Hijackthis:
    ----------
    Logfile of HijackThis v1.99.1
    Scan saved at 14:44:43, on 28/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\paytime.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\WobinD\Bureaublad\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    The R0-R1 entries are also deleted several times, but keep coming back. TeaTimer keeps showing messages (I told it to blacklist those entries).
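    Added example, not code from this thread or from any of the tools named in it: a small Python triage script that applies to HijackThis 1.99 log lines the checks the helpers here do by eye (R0/R1 start pages redirected to a local file such as c:\secure32.html, O20 Winlogon Notify entries whose DLL is missing, the same O4 Run entry planted under both HKLM and HKCU, and O23 services with no vendor). The sample log is constructed to mirror the first log above; the service name and path in it are placeholders.

```python
"""Triage helper for HijackThis (HJT v1.99) log lines.

Added example; not part of the forum thread.  It flags the persistence
entries that a forum helper looks for first: browser pages redirected to a
local file, Winlogon Notify DLLs missing on disk, Run entries duplicated
under HKLM and HKCU, and services whose vendor is unknown.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample modelled on the first log in the thread (same line format).
# The last O23 line uses placeholder names; it is not a real entry from the log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Example Service (examplesvc) - Unknown owner - C:\WINDOWS\system32\EXAMPLE_PLACEHOLDER.exe
"""

# One pattern per HJT section this script understands.
R_LINE = re.compile(r"^R[01] - (HKCU|HKLM)\\Software\\Microsoft\\Internet Explorer\\Main,(.+?) = (.+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) \((\w+)\) - (.+?) - (.+)$")
# A start/default/local page should be a URL, not a drive path or file: URL.
LOCAL_FILE = re.compile(r"^(?:[a-z]:\\|file:)", re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return a list of {"line": ..., "reason": ...} findings for an HJT log."""
    findings: List[Dict[str, str]] = []
    # (run name, command) -> set of hives the entry was seen under
    run_entries = defaultdict(set)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m and LOCAL_FILE.match(m.group(3)):
            findings.append({"line": line,
                             "reason": f"{m.group(2)} points at a local file ({m.group(3)})"})
            continue
        m = O4_LINE.match(line)
        if m:
            run_entries[(m.group(2).lower(), m.group(3).lower())].add(m.group(1))
            continue
        m = O20_LINE.match(line)
        if m and "(file missing)" in m.group(2):
            findings.append({"line": line,
                             "reason": "Winlogon Notify DLL missing on disk; registry entry left behind"})
            continue
        m = O23_LINE.match(line)
        if m and m.group(3) == "Unknown owner":
            findings.append({"line": line,
                             "reason": f"service {m.group(2)} has no vendor; verify {m.group(4)}"})

    # A Run value installed under both hives is a classic re-seeding trick:
    # removing it from one hive leaves the other copy to restore it.
    for (name, value), hives in run_entries.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append({"line": f"O4 [{name}] {value}",
                             "reason": "same Run entry under both HKLM and HKCU"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```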

  2. #2
    Junior Member
    Join Date
    Dec 2005
    Posts
    0


    Kaspersky:
    ----------
    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Wednesday, December 28, 2005 15:04:18
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 28/12/2005
    Kaspersky Anti-Virus database records: 167975
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    C:\

    Scan Statistics:
    Total number of scanned objects: 37191
    Number of viruses found: 19
    Number of infected objects: 78
    Number of suspicious objects: 0
    Duration of the scan process: 1458 sec

    Infected Object Name - Virus Name
    C:\!KillBox\ssldr32.dll Infected: Trojan-Proxy.Win32.Agent.hs
    C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\21LEVEHK\kl[1].txt Infected: Trojan-PSW.Win32.Agent.bu
    C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\21LEVEHK\paytime[1].txt Infected: Trojan.Win32.StartPage.agp
    C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\FU8FBPCD\ms1[1].txt Infected: Trojan-Downloader.Win32.Tiny.al
    C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\S75JAQ3X\hosts[1].txt Infected: Trojan.Win32.Qhost.el
    C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\TVJZ1LKE\mng[1].exe Infected: Trojan-Proxy.Win32.Agent.hs
    C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\TVJZ1LKE\tool2[1].txt Infected: not-virus:Hoax.Win32.Renos.aj
    C:\Documents and Settings\WobinD\Mijn documenten\Firefox_dl\TMPGEnc.Plus.2.524.63.181_CRKEXE-FFF.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
    C:\Documents and Settings\WobinD\Mijn documenten\Firefox_dl\TMPGEnc.Plus.2.524.63.181_CRKEXE-FFF.exe Infected: Trojan-Downloader.Win32.Harnig.ax
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Agent.bu
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Infected: Trojan-PSW.Win32.Agent.bu
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Agent.bu
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
    C:\Program Files\Norton AntiVirus\Quarantine\09DB379F.exe Infected: Trojan-Dropper.Win32.Small.ahg
    C:\Program Files\Norton AntiVirus\Quarantine\09F50783.txt Infected: Packed.Win32.Klone.b
    C:\Program Files\Norton AntiVirus\Quarantine\12CF59C5.dll Infected: Trojan-Downloader.Win32.Small.bug
    C:\Program Files\Norton AntiVirus\Quarantine\27C831D4 Infected: Trojan-Dropper.Win32.Small.ahg
    C:\Program Files\Norton AntiVirus\Quarantine\29603212 Infected: Packed.Win32.Klone.b
    C:\Program Files\Norton AntiVirus\Quarantine\33192B60 Infected: Packed.Win32.Klone.b
    C:\Program Files\Norton AntiVirus\Quarantine\33DD0288 Infected: Trojan-Downloader.Win32.Adload.l
    C:\Program Files\Norton AntiVirus\Quarantine\33E02C85 Infected: Trojan-Dropper.Win32.Agent.aed
    C:\Program Files\Norton AntiVirus\Quarantine\393A789F Infected: Trojan.Win32.Pakes
    C:\Program Files\Norton AntiVirus\Quarantine\42A22A7F Infected: not-a-virus:Downloader.Win32.WinFixer.b
    C:\Program Files\Norton AntiVirus\Quarantine\45467AF4 Infected: Trojan-Dropper.Win32.Agent.aed
    C:\Program Files\Norton AntiVirus\Quarantine\4AEE017C Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\Program Files\Norton AntiVirus\Quarantine\6D910A4A Infected: Trojan-Downloader.Win32.Adload.j
    C:\Program Files\Norton AntiVirus\Quarantine\73721AA0 Infected: not-a-virus:Downloader.Win32.WinFixer.b
    C:\Program Files\Norton AntiVirus\Quarantine\76736D1B Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003067.exe Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003078.exe Infected: Packed.Win32.Klone.b
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003079.exe Infected: not-virus:Hoax.Win32.Renos.aj
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003084.exe Infected: Trojan-Downloader.Win32.Tiny.al
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003085.dll Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003086.exe Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003087.cpl Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003136.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003137.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003223.exe Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003226.dll Infected: Trojan-Downloader.Win32.Small.bug
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003260.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003261.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003270.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003271.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003272.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003636.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003637.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003638.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003702.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003703.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003704.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP40\A0003767.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP40\A0003768.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP40\A0003769.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0003783.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0003784.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0003785.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004243.exe Infected: Trojan-Downloader.Win32.Qoologic.at
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004274.dll Infected: Trojan-Downloader.Win32.Small.bug
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004279.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004280.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004281.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004290.exe Infected: Trojan-Downloader.Win32.Adload.j
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004291.exe Infected: Packed.Win32.Klone.b
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004292.exe Infected: not-virus:Hoax.Win32.Renos.aj
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004293.exe Infected: Trojan-PSW.Win32.Agent.bu
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004295.exe Infected: Trojan-Downloader.Win32.Harnig.ax
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004304.exe Infected: Trojan-Downloader.Win32.Adload.l
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004441.exe Infected: Trojan.Win32.Pakes
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004442.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004444.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004451.exe Infected: Trojan-Dropper.Win32.Agent.aed
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004455.dll Infected: Trojan-Proxy.Win32.Agent.hs
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP7\A0000802.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
    C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP7\A0000802.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
    C:\WINDOWS\system32\iiopupp.dll Infected: Trojan-Downloader.Win32.Qoologic.az
    C:\WINDOWS\system32\kkemk.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
    C:\WINDOWS\system32\paytime.exe Infected: Trojan.Win32.StartPage.agp
    C:\WINDOWS\system32\ppiaoa.exe Infected: Trojan-Downloader.Win32.Qoologic.at

    Scan process completed.

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Posts
    0


    **update**

    Kaspersky log
    -------------
    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Wednesday, December 28, 2005 21:34:49
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 28/12/2005
    Kaspersky Anti-Virus database records: 168079
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    C:\

    Scan Statistics:
    Total number of scanned objects: 28339
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 849 sec

    Infected Object Name - Virus Name
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616

    Scan process completed.

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi Wobin, Welcome

    Disable SpybotSD TeaTimer, as it may hinder the removal of the infection.
    You can enable it after you're clean.
    To disable SpybotSD TeaTimer:
    Open Spybot and click on Mode and check Advanced Mode
    Check yes to next window.
    Click on Tools in bottom left hand corner.
    Click on System Startup icon.
    Uncheck Teatimer box.
    Don't turn it back on until we are completely finished.
    We don't want it to interfere with our fixes.

    Follow the advice in this post and post the logs mentioned when finished.
    http://forums.spybot.info/showthread.php?t=1316

    When running Ewido while in safe mode, do not open any folders or Qoologic might reinfect/re-establish itself.

  5. #5
    Junior Member
    Join Date
    Dec 2005
    Posts
    0


    Hi LonnyRJones,
    thanks for the reply.

    Here's my 1st HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:30:18, on 30/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Documents and Settings\WobinD\Bureaublad\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    My smitRem log:
    ---------------
    smitRem © log file
    version 2.8

    by noahdfear

    Microsoft Windows XP [versie 5.1.2600]

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key
    ShudderLTD key not present!

    checking for PSGuard.com key
    PSGuard.com key not present!

    checking for WinHound.com key
    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~

    Install.dat

    ~~~ Favorites ~~~

    ~~~ system32 folder ~~~

    svcp.csv

    ~~~ Icons in System32 ~~~

    ~~~ Windows directory ~~~

    ~~~ Drive root ~~~

    ~~~ Miscellaneous Files/folders ~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 820 'explorer.exe'
    Killing PID 820 'explorer.exe'

    Starting registry repairs

    Deleting files

    Remaining Post-run Files


    ~~~ Program Files ~~~

    ~~~ Shortcuts ~~~

    ~~~ Favorites ~~~

    ~~~ system32 folder ~~~

    ~~~ Icons in System32 ~~~

    ~~~ Windows directory ~~~

    ~~~ Drive root ~~~

    ~~~ Miscellaneous Files/folders ~~~

    ~~~ Wininet.dll ~~~

    CLEAN!

    The "Uncheck "Security Info" or anything similar if present." step I don't have. But I deleted the 'secure32' file from my system32 folder yesterday (after a little reading).

    The online Panda scan doesn't support the auto-cleaning function... However, I came up with one 'Spyware detected':
    Panda_report:
    ------------
    Adware:adware/popupsandbanners Not desinfected C:\WINDOWS\teller2.chk


    Final HijackThis log:
    -----------------
    Logfile of HijackThis v1.99.1
    Scan saved at 20:54:35, on 30/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\WobinD\Bureaublad\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  6. #6
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Since there isn't an 'edit' button...

    My Spybot S&D seems to hang from time to time. It always has done on my system (formatted several times).
    It surely hangs while run in safe mode.

    Forgot to mention this.
