
Command Virus Help

Discussion in 'Virus & Other Malware Removal' started by Computer_Man, Feb 14, 2007.

  1. Computer_Man

    Computer_Man Thread Starter

    Joined:
    Feb 14, 2007
    Messages:
    6
    Hello, my computer has caught the "Command Service" virus and I do not know how to get rid of it. Can anyone please properly advise and help me on how to get rid of it.

    Thank You.
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



    =============================



    Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
    and save to the desktop.

    1. Double click on combo.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Note:
    Do not mouse-click ComboFix's window while it is running; that may cause your system to stall/hang.
     
  3. Computer_Man

    Computer_Man Thread Starter

    Joined:
    Feb 14, 2007
    Messages:
    6
    Thank you for your help. I have done the procedures which were specified and here are the "Hijackthis" results and the "SDFix" results.



    First the SDFix results



    SDFix: Version 1.65

    Run by: Sasa - 14/02/2007 @ 23:38:17.04

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    COM+ Messages

    Path:
    "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272

    COM+ Messages Deleted

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\DOCUME~1\Sasa\LOCALS~1\Temp\win21.tmp.exe - Deleted
    C:\DOCUME~1\Sasa\LOCALS~1\Temp\win27.tmp.exe - Deleted
    C:\DOCUME~1\Sasa\LOCALS~1\Temp\win2D.tmp.exe - Deleted
    C:\DOCUME~1\Sasa\LOCALS~1\Temp\win30.tmp.exe - Deleted
    C:\DOCUME~1\Sasa\LOCALS~1\Temp\win32.tmp.exe - Deleted
    C:\WINDOWS\svchost.exe - Deleted
    C:\WINDOWS\system32\svchosts.exe - Deleted
    C:\WINDOWS\system32\unsvchosts.lzma - Deleted
    C:\WINDOWS\Temp\win*.tmp - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\DOCUME~1\\Sasa\\LOCALS~1\\Temp\\win23.tmp.exe"="C:\\DOCUME~1\\Sasa\\LOCALS~1\\Temp\\win23.tmp.exe:*:Enabled:win23.tmp"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\WINDOWS\system32\ddaba.dll
    C:\WINDOWS\system32\jkkjhii.dll
    C:\WINDOWS\U2FzYQ\asappsrv.dll
    C:\Program Files\Common Files\svchost.exe
    C:\WINDOWS\U2FzYQ\command.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Templates\~WRL0003.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Templates\~WRL0991.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Templates\~WRL2468.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Word\~WRL0795.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Word\~WRL2857.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Word\~WRL2929.tmp
    C:\Documents and Settings\Sasa\My Documents\~WRL2220.tmp
    C:\Documents and Settings\Sasa\Local Settings\Temp\Temporary Directory 1 for Adobe Photoshop Elements 2.0.zip\SETUP.INI

    Finished
    ______________________________________________________________________

    And now the Hijackthis results

    Logfile of HijackThis v1.99.1
    Scan saved at 12:24:11 AM, on 15/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\U2FzYQ\command.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchosts.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\BearShare\BearShare.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\v6.exe
    C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200002}\Update.exe
    C:\WINDOWS\system32\nfomon\nfomon.exe
    C:\Program Files\Ipwindows\ipwins.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\DOCUME~1\Sasa\APPLIC~1\ICROSO~1.NET\winword.exe
    C:\WINDOWS\MDG\MDGnotify.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\PeDevice\PeDev.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\??crosoft.NET\?ttrib.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Windows Live Toolbar\msn_sl.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\QualityCodec\iesplugin.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgok.dll,startup
    O4 - HKLM\..\Run: [{54F199AB-0A27-1033-0216-041025200002}] "C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200002}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\mdqkeuwq.dll",setvm
    O4 - HKLM\..\Run: [{54F199AB-0A27-1033-0216-041025200001}] "C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
    O4 - HKLM\..\Run: [{54F199AB-0A28-1033-0216-041025200001}] "C:\Program Files\Common Files\{54F199AB-0A28-1033-0216-041025200001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Trsc] "C:\DOCUME~1\Sasa\APPLIC~1\ICROSO~1.NET\winword.exe" -vt yazb
    O4 - HKCU\..\Run: [Hgt] "C:\Program Files\??crosoft.NET\?ttrib.exe" 99001162
    O4 - Startup: palmOne Registration.lnk = C:\RECYCLER\NPROTECT\00274431.rbf
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?8f4729b32f8947fb91531f85400c715b
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?8f4729b32f8947fb91531f85400c715b
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...ba6430c1126b:c7b5b99ea10699d1bded837318b5aa3c
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2FzYQ\command.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    _______________________________________________________________________

    I look forward to your reply. Thank you once again.
     
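As an added example (my own code, not anything from this thread, from HijackThis or from SDFix), the script below applies the checks a helper does by eye on the log above: system binary names running from the wrong folder, names one character off a real one (svchosts.exe), '?' characters marking non-ASCII look-alike folders, services with no owner, executables in Temp, and folder names that base64-decode to the account name (U2FzYQ decodes to Sasa). It also runs the same checks over the firewall-exception export SDFix printed, where win23.tmp.exe appears in the exception list; the embedded log excerpts are constructed from the posted logs, and the heuristics are a triage aid, not a verdict.

```python
import base64
import re

# Constructed excerpt modelled on the HijackThis log posted in this thread (paths as posted, list shortened).
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\U2FzYQ\command.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\svchosts.exe
C:\DOCUME~1\Sasa\APPLIC~1\ICROSO~1.NET\winword.exe
C:\Program Files\??crosoft.NET\?ttrib.exe

O4 - HKCU\..\Run: [Hgt] "C:\Program Files\??crosoft.NET\?ttrib.exe" 99001162
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2FzYQ\command.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed excerpt of the SDFix "Authorized Application Key Export" section from the same thread.
SAMPLE_FIREWALL = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\DOCUME~1\\Sasa\\LOCALS~1\\Temp\\win23.tmp.exe"="C:\\DOCUME~1\\Sasa\\LOCALS~1\\Temp\\win23.tmp.exe:*:Enabled:win23.tmp"
"""

# Windows binaries the log shows being impersonated by name (svchosts.exe) or by location (C:\WINDOWS\svchost.exe).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"
PATH_RE = re.compile(r'[a-z]:\\[^"\r\n,]*?\.(?:exe|dll|bat|cmd)', re.IGNORECASE)
PROFILE_RE = re.compile(r"c:\\(?:documents and settings|docume~1)\\([^\\]+)\\", re.IGNORECASE)
FIREWALL_ENTRY_RE = re.compile(r'^"([^"]+)"=')


def one_edit_apart(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a
    for i in range(len(a)):
        # drop one char of the longer string, or swap one char when lengths are equal
        if a[:i] + a[i + 1:] == b or (len(a) == len(b) and a[:i] + b[i] + a[i + 1:] == b):
            return True
    return False


def looks_like_encoded_name(component, profiles):
    """True when a folder name is the base64 encoding of a known account name (U2FzYQ -> Sasa here)."""
    padded = component + "=" * (-len(component) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.lower() in profiles


def flag_path(path, profiles=frozenset()):
    """Reasons a path from the log deserves a closer look; empty list when it looks ordinary."""
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    reasons = []
    if "?" in path:
        reasons.append("non-ASCII characters in the path (shown as '?'), a look-alike of a vendor folder")
    if name in SYSTEM_BINARIES and parent != SYSTEM32:
        reasons.append(f"{name} running from {parent} instead of System32")
    reasons += [f"{name} is one character away from {real}" for real in sorted(SYSTEM_BINARIES)
                if one_edit_apart(name, real)]
    if re.search(r"\\(temp|local settings)\\", low):
        reasons.append("executable lives in a temporary directory")
    reasons += [f"folder {c} is base64 for an account name" for c in path.split("\\")[1:-1]
                if looks_like_encoded_name(c, profiles)]
    return reasons


def triage(log_text):
    """Return (line, reasons) for each HijackThis log line worth a human's attention."""
    profiles = {m.group(1).lower() for m in PROFILE_RE.finditer(log_text)}
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if line.startswith("O23") and "Unknown owner" in line:
            reasons.append("service with no vendor/owner information")
        for path in PATH_RE.findall(line):
            reasons += flag_path(path, profiles)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def firewall_exceptions_to_review(export_text):
    """Same checks over the firewall AuthorizedApplications export that SDFix prints."""
    out = []
    for line in export_text.splitlines():
        m = FIREWALL_ENTRY_RE.match(line.strip())
        if m:
            path = m.group(1).replace("\\\\", "\\")  # the registry export doubles backslashes
            reasons = flag_path(path)
            if reasons:
                out.append((path, reasons))
    return out
```

Run `triage(SAMPLE_HJT)` and `firewall_exceptions_to_review(SAMPLE_FIREWALL)` to see the flagged lines; entries such as v6.exe that pass every heuristic show why a human still reads the whole log.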
  4. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please download
    VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shut down your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     
  5. Computer_Man

    Computer_Man Thread Starter

    Joined:
    Feb 14, 2007
    Messages:
    6
    I have finished the procedure of running VundoFix successfully. Here are my results. Also, my computer did not shut down; it rebooted. But the VundoFix program did not begin again, so I think everything is alright.


    VundoFix V6.3.6

    Checking Java version...

    Scan started at 10:24:09 AM 15/02/2007

    Listing files found while scanning....

    C:\Documents and settings\Sasa\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
    C:\Documents and settings\Sasa\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
    C:\WINDOWS\system32\abadd.bak1
    C:\WINDOWS\system32\abadd.bak2
    C:\WINDOWS\system32\abadd.ini
    C:\WINDOWS\system32\ddaba.dll
    C:\WINDOWS\system32\jkkjhii.dll
    C:\WINDOWS\system32\mdqkeuwq.dll
    C:\WINDOWS\system32\mheynusx.dll
    C:\WINDOWS\system32\opxfnppk.exe
    C:\WINDOWS\system32\qwuekqdm.ini
    C:\WINDOWS\system32\ssqqqnn.dll

    Beginning removal...

    Attempting to delete C:\Documents and settings\Sasa\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
    C:\Documents and settings\Sasa\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

    Attempting to delete C:\Documents and settings\Sasa\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
    C:\Documents and settings\Sasa\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

    Attempting to delete C:\WINDOWS\system32\abadd.bak1
    C:\WINDOWS\system32\abadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\abadd.bak2
    C:\WINDOWS\system32\abadd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\abadd.ini
    C:\WINDOWS\system32\abadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddaba.dll
    C:\WINDOWS\system32\ddaba.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jkkjhii.dll
    C:\WINDOWS\system32\jkkjhii.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mdqkeuwq.dll
    C:\WINDOWS\system32\mdqkeuwq.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mheynusx.dll
    C:\WINDOWS\system32\mheynusx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\opxfnppk.exe
    C:\WINDOWS\system32\opxfnppk.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qwuekqdm.ini
    C:\WINDOWS\system32\qwuekqdm.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ssqqqnn.dll
    C:\WINDOWS\system32\ssqqqnn.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    ______________________________________________________________________

    What is the next step?


    Thank you very much I look forward to your reply.
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download cmdservice.zip and save to your Desktop.
    1. Extract delcmdservice folder to your Desktop. (Click here for information on how to do this if not sure).
    2. Open the delcmdservice folder and double-click on delreg.bat to launch the tool. A DOS window will open and rapidly close--this is normal.
    3. When the tool has finished, please reboot your computer.


    =======================================


    According to the last log, the IRC bot is still there. Please delete SDfix.exe from your Desktop. Re-download SDfix and run it in safe mode again.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  7. Computer_Man

    Computer_Man Thread Starter

    Joined:
    Feb 14, 2007
    Messages:
    6
    I have downloaded the cmdservice.zip program and have run it. I had also deleted SDFix and had downloaded a newer one as you had said. Here are the SDFix results.


    SDFix: Version 1.65

    Run by: Sasa - 15/02/2007 @ 12:01:30.67

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    COM+ Messages

    Path:
    "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272

    COM+ Messages Deleted

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\Temp\win9D.tmp.exe - Deleted
    C:\WINDOWS\Temp\winA3.tmp.exe - Deleted
    C:\WINDOWS\Temp\winAB.tmp.exe - Deleted
    C:\WINDOWS\Temp\winAD.tmp.exe - Deleted
    C:\WINDOWS\Temp\winAF.tmp.exe - Deleted
    C:\WINDOWS\svchost.exe - Deleted
    C:\WINDOWS\system32\svchosts.exe - Deleted
    C:\WINDOWS\system32\unsvchosts.lzma - Deleted
    C:\WINDOWS\Temp\removalfile.bat - Deleted
    C:\WINDOWS\Temp\win*.tmp - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\DOCUME~1\\Sasa\\LOCALS~1\\Temp\\win23.tmp.exe"="C:\\DOCUME~1\\Sasa\\LOCALS~1\\Temp\\win23.tmp.exe:*:Enabled:win23.tmp"
    "C:\\WINDOWS\\TEMP\\win9F.tmp.exe"="C:\\WINDOWS\\TEMP\\win9F.tmp.exe:*:Enabled:win9F.tmp"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\WINDOWS\U2FzYQ\asappsrv.dll
    C:\Documents and Settings\Sasa\Application Data\?icrosoft.NET\winword.exe
    C:\Program Files\Common Files\svchost.exe
    C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    C:\Program Files\??crosoft.NET\?ttrib.exe
    C:\WINDOWS\U2FzYQ\command.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Templates\~WRL0003.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Templates\~WRL0991.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Templates\~WRL2468.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Word\~WRL0795.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Word\~WRL2857.tmp
    C:\Documents and Settings\Sasa\Application Data\Microsoft\Word\~WRL2929.tmp
    C:\Documents and Settings\Sasa\My Documents\~WRL2220.tmp
    C:\Documents and Settings\Sasa\Local Settings\Temp\Temporary Directory 1 for Adobe Photoshop Elements 2.0.zip\SETUP.INI

    Finished

    _______________________________________________________________________

    Thank you for your help. I hope that we resolve this problem soon.

    Thank you once again.
     
  8. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please printout my instructions because you will need to close your browser. Thanks.


    Computer_Man, I have attached a file to download. Please download Computerman.zip and extract/unzip computerman.bat and computerman2.reg to your Desktop. Double-click on computer.bat; a DOS window will appear and disappear (no worries, that's normal), then double-click on computer2.reg and OK the prompts. Now proceed with the instructions below!!!!! Thanks.


    ============================================

    Go to Start > Control Panel > Add/Remove Programs and uninstall the following programs if listed:
    PuritySCAN By OIN, OIN, OuterInfo, or similar
    These too!!!
    IPWINS
    Delfin Media Viewer
    MediaBundle-Delfin Media Viewer

    Please Don't Reboot!!!!!!!!!!
    ============================================

    If you don't see anything in Add/Remove Programs then run the uninstaller.

    http://www.outerinfo.com/OiUninstaller.exe

    If asked Please don't reboot!!!!!!!!!!!!!
    ============================================

    Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only


    • Save it to your desktop
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.




    ===========================================

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


    ============================================

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    IMPORTANT: Do NOT run any other options until you are asked to do so!
     


  9. Computer_Man

    Computer_Man Thread Starter

    Joined:
    Feb 14, 2007
    Messages:
    6
    I have completed the tasks which I have been told to do. Thank you for your help; here are the three results: the "HJT" log, the c:\avenger.txt log, as well as the rapport.txt log.

    First the "HJT" log.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:24:18 AM, on 16/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\BearShare\BearShare.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200001}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\MDG\MDGnotify.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\PeDevice\PeDev.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\QualityCodec\iesplugin.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win4A.tmp.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgok.dll,startup
    O4 - HKLM\..\Run: [{54F199AB-0A27-1033-0216-041025200002}] "C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200002}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [{54F199AB-0A27-1033-0216-041025200001}] "C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
    O4 - HKLM\..\Run: [{54F199AB-0A28-1033-0216-041025200001}] "C:\Program Files\Common Files\{54F199AB-0A28-1033-0216-041025200001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cvokpfpm.dll",setvm
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: palmOne Registration.lnk = C:\RECYCLER\NPROTECT\00274431.rbf
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?8f4729b32f8947fb91531f85400c715b
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?8f4729b32f8947fb91531f85400c715b
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...ba6430c1126b:c7b5b99ea10699d1bded837318b5aa3c
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    _______________________________________________________________________

    Now the c:\avenger.txt log.

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\kmdpxntu

    *******************

    Script file located at: \??\C:\WINDOWS\system32\bvqshhbs.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\system32\svchosts.exe deleted successfully.
    File C:\WINDOWS\system32\drvgok.dll deleted successfully.
    File C:\WINDOWS\system32\v6.exe deleted successfully.


    File C:\WINDOWS\Temp\win9D.tmp.exe not found!
    Deletion of file C:\WINDOWS\Temp\win9D.tmp.exe failed!

    Could not process line:
    C:\WINDOWS\Temp\win9D.tmp.exe
    Status: 0xc0000034



    File C:\WINDOWS\Temp\winA3.tmp.exe not found!
    Deletion of file C:\WINDOWS\Temp\winA3.tmp.exe failed!

    Could not process line:
    C:\WINDOWS\Temp\winA3.tmp.exe
    Status: 0xc0000034



    File C:\WINDOWS\Temp\winAB.tmp.exe not found!
    Deletion of file C:\WINDOWS\Temp\winAB.tmp.exe failed!

    Could not process line:
    C:\WINDOWS\Temp\winAB.tmp.exe
    Status: 0xc0000034



    File C:\WINDOWS\Temp\winAD.tmp.exe not found!
    Deletion of file C:\WINDOWS\Temp\winAD.tmp.exe failed!

    Could not process line:
    C:\WINDOWS\Temp\winAD.tmp.exe
    Status: 0xc0000034



    File C:\WINDOWS\Temp\winAF.tmp.exe not found!
    Deletion of file C:\WINDOWS\Temp\winAF.tmp.exe failed!

    Could not process line:
    C:\WINDOWS\Temp\winAF.tmp.exe
    Status: 0xc0000034

    File C:\WINDOWS\svchost.exe deleted successfully.
    File C:\WINDOWS\system32\unsvchosts.lzma deleted successfully.
    File C:\WINDOWS\Temp\removalfile.bat deleted successfully.


    Could not open file C:\WINDOWS\Temp\win*.tmp for deletion
    Deletion of file C:\WINDOWS\Temp\win*.tmp failed!

    Could not process line:
    C:\WINDOWS\Temp\win*.tmp
    Status: 0xc0000033



    File C:\DOCUME~1\Sasa\LOCALS~1\Temp\win23.tmp.exe not found!
    Deletion of file C:\DOCUME~1\Sasa\LOCALS~1\Temp\win23.tmp.exe failed!

    Could not process line:
    C:\DOCUME~1\Sasa\LOCALS~1\Temp\win23.tmp.exe
    Status: 0xc0000034



    File C:\WINDOWS\TEMP\win9F.tmp.exe not found!
    Deletion of file C:\WINDOWS\TEMP\win9F.tmp.exe failed!

    Could not process line:
    C:\WINDOWS\TEMP\win9F.tmp.exe
    Status: 0xc0000034



    Could not open file C:\Documents and Settings\Sasa\Application Data\?icrosoft.NET\winword.exe for deletion
    Deletion of file C:\Documents and Settings\Sasa\Application Data\?icrosoft.NET\winword.exe failed!

    Could not process line:
    C:\Documents and Settings\Sasa\Application Data\?icrosoft.NET\winword.exe
    Status: 0xc0000033

    File C:\Program Files\Common Files\svchost.exe deleted successfully.


    File C:\Program Files\Common Files\Yazzle1162OinAdmin.exe not found!
    Deletion of file C:\Program Files\Common Files\Yazzle1162OinAdmin.exe failed!

    Could not process line:
    C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
    Status: 0xc0000034



    File C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe not found!
    Deletion of file C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe failed!

    Could not process line:
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    Status: 0xc0000034

    Folder C:\WINDOWS\U2FzYQ deleted successfully.
    Folder C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200002} deleted successfully.
    Folder C:\Program Files\Ipwindows deleted successfully.
    Folder C:\WINDOWS\system32\nfomon deleted successfully.


    Folder C:\Program Files\QualityCodec not found!
    Deletion of folder C:\Program Files\QualityCodec failed!

    Could not process line:
    C:\Program Files\QualityCodec
    Status: 0xc0000034



    Folder C:\DOCUME~1\Sasa\APPLIC~1\ICROSO~1.NET not found!
    Deletion of folder C:\DOCUME~1\Sasa\APPLIC~1\ICROSO~1.NET failed!

    Could not process line:
    C:\DOCUME~1\Sasa\APPLIC~1\ICROSO~1.NET
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.

    ________________________________________________________________________

    Lastly the rapport.txt log.

    SmitFraudFix v2.142

    Scan done at 0:18:28.54, 16/02/2007
    Run from C:\Documents and Settings\Sasa\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sasa


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sasa\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sasa\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    _________________________________________________________________________

    Thank you for all of your help. I look forward to your reply.
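The avenger.txt log above ends with two different status codes for the lines it could not process. As an added example, not part of this thread or of The Avenger, the Python below parses such a log and decodes those codes, which are standard Windows NTSTATUS values: 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND (the temp files were already gone), while 0xc0000033 is STATUS_OBJECT_NAME_INVALID, the failure seen for the win*.tmp line because * is not a legal character in an NT object name. The sample input is a shortened excerpt of the posted log.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Standard Windows NTSTATUS values; these two are the codes that appear in the log above.
NTSTATUS = {
    0xC0000033: "STATUS_OBJECT_NAME_INVALID",    # e.g. '*' is not legal in an NT object name
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # already gone, or never existed on this PC
}

# Excerpt of the avenger.txt log posted above, shortened to a few representative blocks.
SAMPLE_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\system32\svchosts.exe deleted successfully.
File C:\WINDOWS\system32\drvgok.dll deleted successfully.

File C:\WINDOWS\Temp\win9D.tmp.exe not found!
Deletion of file C:\WINDOWS\Temp\win9D.tmp.exe failed!

Could not process line:
C:\WINDOWS\Temp\win9D.tmp.exe
Status: 0xc0000034

Could not open file C:\WINDOWS\Temp\win*.tmp for deletion
Deletion of file C:\WINDOWS\Temp\win*.tmp failed!

Could not process line:
C:\WINDOWS\Temp\win*.tmp
Status: 0xc0000033

Folder C:\WINDOWS\system32\nfomon deleted successfully.

Completed script processing.
"""

DELETED_RE = re.compile(r"^(File|Folder) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_avenger(text: str) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Return (deleted paths, [(failed script line, NTSTATUS code)]) from an Avenger log."""
    deleted, failed = [], []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = DELETED_RE.match(line)
        if m:
            deleted.append(m.group(2))
        elif line == "Could not process line:" and i + 2 < len(lines):
            # Avenger prints the offending script line, then "Status: 0x...", on the next two lines.
            status = STATUS_RE.match(lines[i + 2])
            failed.append((lines[i + 1], int(status.group(1), 16) if status else -1))
    return deleted, failed


def summarize(text: str) -> Dict[str, object]:
    """Group the outcomes so a reviewer sees what was removed and what still needs attention."""
    deleted, failed = parse_avenger(text)
    return {
        "deleted": deleted,
        "failed": {path: NTSTATUS.get(code, f"unknown 0x{code:08X}") for path, code in failed},
        "status_counts": dict(Counter(f"0x{code:08X}" for _, code in failed)),
        # Not-found means nothing was left to delete; any other status needs a corrected script line.
        "needs_follow_up": [path for path, code in failed if code != 0xC0000034],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "->", value)
```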
     
  10. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    You will need to print out my instructions because you will not have internet access in Safe Mode!!!! Thanks


    Download KILLBOX, extract it to your desktop.

    Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". See How to Boot in "SAFE MODE" tutorial if needed.

    ================================================

    Run HijackThis, and press "Do a System Scan Only".
    1. When the scan is complete place a check mark next to the following entries:

    O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\QualityCodec\iesplugin.dll (file missing)
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win4A.tmp.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgok.dll,startup
    O4 - HKLM\..\Run: [{54F199AB-0A27-1033-0216-041025200002}] "C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200002}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [{54F199AB-0A27-1033-0216-041025200001}] "C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
    O4 - HKLM\..\Run: [{54F199AB-0A28-1033-0216-041025200001}] "C:\Program Files\Common Files\{54F199AB-0A28-1033-0216-041025200001}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cvokpfpm.dll",setvm
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zang...8 37318b5aa3c

    2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."


    ================================================
    1. Open killbox.exe.
    2. Click on Tools>Delete Temp Files
    3. A box will open with a list of all user profiles.
    4. Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.
      • Temporary Internet Files
      • Temp Files
      • XP Prefetch
    5. If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.
    Then,
    Check on the Button titled "Delete Selected Temp Files"
    Exit by clicking the Button titled "Exit(Save Settings)"
    Once back into the main killbox program:
    • Check the following boxes:
      Standard File Kill
    • Highlight each entry (one at a time) in the quote box below and then Copy them.
    • Then, press Ctrl+V to paste the file in the space provided.
    • Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.
    • A second message will ask "Reboot now?" You will need to click No. We let SDfix reboot. Close Killbox.
    Note: Killbox will let you know if a file does not exist.

    ========================================

    Run SDFIX AGAIN. In your next reply, please post a fresh Hijackthis log and SDfix log. Thanks.
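The entries sjpritch25 asks to have fixed share a few patterns a reviewer looks for in a HijackThis log: an autostart under TEMP, rundll32.exe loading a DLL with a meaningless name, Run keys named with a GUID, orphaned entries marked (file missing), and a service with no owner whose binary imitates svchost.exe. As an added example, not part of this thread or of HijackThis, the Python below encodes those checks as heuristics and runs them over entries copied from the log posted above; a hit means "review", not "malicious".

```python
import re
from typing import List, Tuple

# Entries copied verbatim from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Protection Bar - {bf1ced2c-4b3f-4079-a330-864eda5a4cff} - C:\Program Files\QualityCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win4A.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgok.dll,startup
O4 - HKLM\..\Run: [{54F199AB-0A27-1033-0216-041025200002}] "C:\Program Files\Common Files\{54F199AB-0A27-1033-0216-041025200002}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\cvokpfpm.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Core Windows binaries whose names malware imitates (svchosts.exe, lsas.exe, ...).
SYSTEM_BINARIES = sorted({"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                          "explorer.exe", "csrss.exe", "smss.exe", "spoolsv.exe"})

ENTRY_RE = re.compile(r"^[RFON]\d+ - ")        # R0/R1, F0/F1, O1..O24, N1..N4 entry prefixes
RUN_NAME_RE = re.compile(r"Run: \[([^\]]+)\]")  # the [name] part of an O4 Run entry
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# First drive-rooted path ending in .exe/.dll; stops before quotes and commas.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter look-alikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_entry(line: str) -> List[str]:
    """Return the review reasons that apply to one HJT entry (empty list = nothing odd)."""
    reasons, low = [], line.lower()
    if "(file missing)" in low:
        reasons.append("references a file that no longer exists (orphaned autostart)")
    m = PATH_RE.search(line)
    path = m.group(0) if m else ""
    if re.search(r"\\temp\\", path, re.IGNORECASE):
        reasons.append("autostart from a temporary directory")
    if line.startswith("O4") and "rundll32.exe" in low:
        reasons.append("rundll32.exe used to load a DLL at logon")
    name = RUN_NAME_RE.search(line)
    if name and GUID_RE.match(name.group(1)):
        reasons.append("Run entry named with a GUID")
    if line.startswith("O23") and "unknown owner" in low:
        reasons.append("service with no publisher information")
    base = path.rsplit("\\", 1)[-1].lower()
    for known in SYSTEM_BINARIES:
        if base != known and edit_distance(base, known) == 1:
            reasons.append(f"{base} is a one-letter look-alike of {known}")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Apply check_entry to every R/F/O/N line of an HJT log, skipping headers and process lists."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            reasons = check_entry(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry[:60], "->", "; ".join(reasons))
```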
     
Short URL to this thread: https://techguy.org/543950
