Computer Hope
Software => Computer viruses and spyware => Topic started by: adamD on February 20, 2008, 02:39:15 PM
-
When I log onto the internet, it's fine for a while but soon everything goes away on my desktop: all my icons and the bottom taskbar. However, all the windows or programs that I was using stay, but just kind of float there, as if I downsized the window and, instead of going into the taskbar on the bottom, it just kind of sits on top of it even though it's not there. This doesn't happen all the time. But a few times a little window popped up saying that "One or more files appear to be invalid. This is caused by corrupted installation. Please download and install LimeWire again." Then below that there is some report that it's letting me copy. This may not have anything to do with it; I am just guessing. Earlier I had downloaded a program on LimeWire and this started to happen. Yes, I know I shouldn't just download random things on LimeWire, but this is kind of bothering me. I am just guessing that it is a virus, because I don't want to do another system restore. Any help would be great.
-
Go to the link below and scroll down to the CCleaner and HijackThis instructions. Run CCleaner and then post the HJT log back here.
http://www.computerhope.com/forum/index.php/topic,46313.0.html
-
Alright, like I was saying before: after a bit, everything on my desktop would disappear. Sometimes before it happens a window keeps appearing saying "One or more necessary files may be invalid. Generally caused by a corruption during installation," and to download LimeWire again. When I close it, after a minute all the stuff would disappear. Now earlier it popped up and nothing happened, but the window itself is pretty annoying. Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:08 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\DOCUME~1\Owner\APPLIC~1\ASEMBL~1\logonui.exe
C:\WINDOWS\?icrosoft\j?vaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\limewire\limewire.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mljigdbbxu] Rundll32.exe "C:\WINDOWS\system32\ddayxwtu.dll",s
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [Cpue] "C:\DOCUME~1\Owner\APPLIC~1\ASEMBL~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Grgkhox] C:\WINDOWS\?icrosoft\j?vaw.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{26CE8971-8246-44B9-A5A4-FA10BC30D9C8}: NameServer = 209.90.160.220 216.254.141.13
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
--
End of file - 8605 bytes
-
First, uninstall either McAfee AntiSpyware or the Symantec/Norton products. Having two antivirus programs or firewalls is never suggested, as it can cause system conflicts, slowdowns and crashes.
There is a lot of malware on the PC.
----------
Download SDFix.exe (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
- Finally add the contents of the Report.txt in your next post.
----------
Please download Combofix by sUBs from one of the below links.
(Try all three if necessary.)
- Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
- Link #2 (http://subs.geekstogo.com/ComboFix.exe)
- Link #3 (http://www.forospyware.com/sUBs/Beta/ComboFix.exe)
Important! Combofix.exe MUST be saved to and run from the Desktop.
- Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
- Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
- Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
- Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter.
- When finished, it will produce a log for you.
- Post that log in your next reply.
Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
- If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
- Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
----------
Next post add
SDFix log
Combofix log
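Added here as an illustration, not part of this thread or of HijackThis itself: a small Python triage script that applies the kind of checks a helper makes by eye on the log above (a Windows system-binary name running from outside System32, a path containing a character HijackThis prints as `?`, a Run entry that hands a DLL to rundll32, an autorun under the user profile, and any O17 DNS override). The sample lines are constructed from the log's own entries; the heuristics and their names are this example's assumptions, not a tool the thread uses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis format: a few benign Run entries plus the ones
# the helper later had removed, taken from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [mljigdbbxu] Rundll32.exe "C:\WINDOWS\system32\ddayxwtu.dll",s
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe
O4 - HKCU\..\Run: [Cpue] "C:\DOCUME~1\Owner\APPLIC~1\ASEMBL~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Grgkhox] C:\WINDOWS\?icrosoft\j?vaw.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{26CE8971-8246-44B9-A5A4-FA10BC30D9C8}: NameServer = 209.90.160.220 216.254.141.13
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.*)$')

# Names Windows itself uses. A copy living anywhere but System32 is a classic
# disguise (the log above has svchost.exe under \Fonts and logonui.exe in the profile).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                "csrss.exe", "logonui.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32"}
# Autoruns pointing into the user profile or temp space deserve a look (assumed markers).
PROFILE_MARKERS = ("\\application data\\", "applic~1", "docume~1", "\\temp\\", "\\local settings\\")


@dataclass
class Finding:
    entry: str                  # O4 value name, or "O17" for the DNS line
    path: str
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Return the executable, or the DLL handed to rundll32, named by a Run-key command line."""
    m = re.match(r'^\s*rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.match(r'^"([^"]+)"', cmd)              # quoted path, arguments follow
    if m:
        return m.group(1)
    m = re.match(r'^(.+?\.(?:exe|dll|scr|com))(?:\s|$)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)                         # unquoted path, cut at the extension
    return cmd.split(" ")[0]                      # no recognisable extension


def check_path(cmd: str) -> list:
    """Apply the triage heuristics to one command line; an empty list means nothing tripped."""
    path = image_path(cmd)
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    reasons = []
    if base in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"system binary name {base} outside System32")
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("non-ASCII character in path (HijackThis prints it as ?)")
    if re.match(r'^\s*rundll32', cmd, re.IGNORECASE):
        reasons.append("rundll32 loading a DLL at logon; confirm the DLL is legitimate")
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("autorun from a user profile or temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4 or O17 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            reasons = check_path(m.group("cmd"))
            if reasons:
                findings.append(Finding(m.group("name"), image_path(m.group("cmd")), reasons))
            continue
        m = O17_RE.match(line)
        if m:   # any O17 entry rewrites DNS; the owner should confirm the servers are the ISP's
            findings.append(Finding("O17", m.group("servers"),
                                    ["DNS NameServer override; verify against the ISP's servers"]))
    return findings


def flagged_entries(log_text: str) -> set:
    return {f.entry for f in triage(log_text)}


if __name__ == "__main__":
    # Note that [runner1] C:\WINDOWS\mrofinu1188.exe passes every check even though SDFix
    # later deleted it: path heuristics are a first pass, not a verdict.
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```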
-
KK guys, so far so good. But now what's happening is that when I search something on Google and go to an actual site, the address bar will screw up and say a bunch of numbers and then us.maxifiles.com ?????
-
Keep following the instructions and we'll get you fixed up...
It takes more than a few steps most times. Be patient and do what's required.
-
Won't let me download it, keeps saying that the connection to the server was reset
-
Download what?
Please try again, I fixed the links.
-
SDFix: Version 1.146
Run by Owner on Sun 02/24/2008 at 12:50 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\Temporary\InsiDERIns.exe - Deleted
C:\Program Files\xInsIDE\xInsIDE.exe - Deleted
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b153.exe - Deleted
C:\WINDOWS\mrofinu1188.exe - Deleted
C:\WINDOWS\Fonts\Setup.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 113,343 bytes - Deleted
C:\WINDOWS\Fonts\'\*.zip - 8038 File(s) 911,059,072 bytes - Deleted
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\xInsIDE - Removed
Folder C:\WINDOWS\Fonts\' - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 13:16:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 9
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\ACSPMonitor\\ASMonitor.exe"="C:\\Program Files\\ACSPMonitor\\ASMonitor.exe:*:Enabled:System"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 28 Jan 2008 230,400 ..SHR --- "C:\WINDOWS\?icrosoft\j?vaw.exe"
Mon 22 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 20 Feb 2008 68,608 ..SHR --- "C:\Documents and Settings\Owner\Application Data\a?sembly\logonui.exe"
Tue 22 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2.tmp"
Finished!
-
ComboFix 08-02-25.3 - Owner 2008-03-01 15:03:35.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\ASEMBL~1
C:\Documents and Settings\Owner\Application Data\ASEMBL~1\a?sembly\
C:\Documents and Settings\Owner\Application Data\ASEMBL~1\logonui.exe
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\nGpxx18
.
((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.
2008-02-24 19:45 . 2008-03-01 09:41 212 --a------ C:\WINDOWS\ssqnmmnm
2008-02-24 12:47 . 2008-02-24 12:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-24 12:41 . 2008-02-24 13:18 <DIR> d-------- C:\SDFix
2008-02-21 23:14 . 2008-02-21 23:15 369 --a------ C:\WINDOWS\wininit.ini
2008-02-21 21:51 . 2008-02-21 21:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 21:51 . 2008-02-21 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 22:24 . 2008-02-20 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 22:10 . 2008-02-20 22:10 <DIR> d-------- C:\Program Files\CCleaner
2008-02-20 22:06 . 2008-02-20 22:06 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-19 18:20 . 2008-02-19 18:20 <DIR> d-------- C:\Program Files\WinZip Self-Extractor
2008-02-19 18:20 . 2008-02-19 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipSE
2008-02-19 17:05 . 2008-02-19 17:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-19 17:03 . 2008-02-26 15:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AppDate
2008-02-19 17:03 . 2008-02-19 17:03 34,304 --a------ C:\WINDOWS\system32\ddayxwtu.dll
2008-02-19 17:03 . 2008-02-19 17:03 34,304 --a------ C:\WINDOWS\jkhfedab.dll
2008-02-19 17:03 . 2008-02-19 17:03 34,304 --a------ C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll
2008-02-19 17:03 . 2008-03-01 16:04 342 --a------ C:\WINDOWS\system32\ssqnmmnm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 08:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-29 03:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-27 00:02 --------- d-----w C:\Program Files\uTorrent
2008-02-21 21:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-21 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-20 03:23 --------- d-----w C:\Program Files\LimeWire
2008-01-30 21:02 --------- d-----w C:\Program Files\piPOol
2008-01-30 20:11 --------- d-----w C:\Program Files\illiminable
2008-01-27 00:50 --------- d-----w C:\Program Files\NovaLogic
2008-01-27 00:46 --------- d-----w C:\Program Files\Mpath
2008-01-13 18:15 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-13 18:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
2008-01-13 18:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-01-13 18:13 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-13 18:13 --------- d-----w C:\Program Files\Winamp
2007-12-05 22:53 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8}]
C:\WINDOWS\system32\lggetcsm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9}]
2008-02-19 17:03 34304 --a------ C:\WINDOWS\jkhfedab.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"Cpue"="C:\DOCUME~1\Owner\APPLIC~1\ASEMBL~1\logonui.exe" [ ]
"Grgkhox"="C:\WINDOWS\?icrosoft\j?vaw.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 15:42 212992]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-13 16:17 58488]
"CHotkey"="zHotkey.exe" [2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 16:17 78960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51 118784]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-10-18 16:05 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 22:27 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 21:06 2559488 C:\WINDOWS\ALCWZRD.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 08:36 256576]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22 35328]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"mljigdbbxu"="C:\WINDOWS\system32\ddayxwtu.dll" [2008-02-19 17:03 34304]
"pmkhghijgd"="C:\WINDOWS\jkhfedab.dll" [2008-02-19 17:03 34304]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-02-24 19:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 02:00:10 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 16:03:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\ddayxwtu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-03-01 16:06:36 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-03-01 21:06:32
.
2008-02-13 06:05:44 --- E O F ---
-
Now download The Avenger By Swandog46 (http://swandog46.geekstogo.com/avenger.zip), and save it to your Desktop.
- Extract avenger.exe from the Zip file and save it to your desktop
- Run avenger.exe by double-clicking on it.
- Check the Input script manually box.
- Click on the Magnifying Glass Icon which will open a new window titled View/edit script
- Copy everything in the Quote box below, and paste it in the box that opens:
Drivers to unload:
Folders to delete:
C:\WINDOWS\ssqnmmnm
C:\WINDOWS\system32\ssqnmmnm
Files to delete:
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\ddayxwtu.dll
C:\WINDOWS\jkhfedab.dll
C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll
Registry values to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\mljigdbbxu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\pmkhghijgd
HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa
Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.
- Now click the 'Done' button.
- Click on the Green Light and OK the prompt.
- You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
- A log file from Avenger will be produced at C:\avenger.txt
The Avenger will automatically do the following:
- It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions.
- This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
- Please attach the C:\avenger.txt in your next post.
.
----------
Go to My Computer->Tools->Folder Options->View tab:
- Under the Hidden files and folders heading:
- Select Show hidden files and folders.
- Uncheck Hide protected operating system files (recommended) option.
- Also, make sure there is no checkmark beside Hide file extensions for known file types.
- Click OK
.
Boot into safe mode and use Windows Explorer to delete:
j?vaw.exe found in:
C:\WINDOWS\system32\j?vaw.exe <--- be careful with this, the ? can be any number of characters. Also, java.exe and javaw.exe are valid files which you do not want to delete. They are very small (about 25 to 30 Kbytes). The bad file will probably be much larger (like 200 to 400 Kbytes).
If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
Run CCleaner after deleting the file.
----------
Next post
Avenger log
NEW HijackThis log
-
I think there may be something wrong with that first link; it takes me to one of those "this page cannot be displayed" sites.
-
Fixed
-
When I open the avenger, all I really get is a big text box, a few buttons for loading scripts, an execute button and a few other things. Do I just copy the code into the text box and hit execute?
-
The Avenger has recently updated and I need to change my instructions. Once open paste everything in the Input script Here box and click Execute.
-
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Sat Mar 08 18:28:02 2008
18:27:35: Error: Invalid syntax in command:
"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8}"
Skipping line. (Registry value deletion mode)
18:27:43: Error: Invalid syntax in command:
"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9}"
Skipping line. (Registry value deletion mode)
18:27:44: Error: Invalid syntax in command:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\mljigdbbxu"
Skipping line. (Registry value deletion mode)
18:27:46: Error: Invalid syntax in command:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\pmkhghijgd"
Skipping line. (Registry value deletion mode)
18:27:48: Error: Invalid syntax in command:
"HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa"
Skipping line. (Registry value deletion mode)
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
working on the rest
-
Download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
- Save it to your desktop.
- Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\WINDOWS\ssqnmmnm
C:\WINDOWS\system32\ssqnmmnm
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\ddayxwtu.dll
C:\WINDOWS\jkhfedab.dll
C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mljigdbbxu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmkhghijgd
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
- Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the bottom input panel (under the yellow bar). The top panel will not help you.
Right-click and choose Paste.
- Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start>All Programs>Accessories>Notepad), click File>Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present. Copy and then paste the contents of that document in your next post.
-
Ok after I did the Avenger log, and made all the files visible, when I went into safe mode and into windows\system32 to go and delete j?ava.exe I couldn't find it. All I had was java.exe, javacpl.cpl, javaw.exe, and javaws.exe
-
Go to C:\_OTMoveIt\MovedFiles and post the moved files log please.
Also post a fresh Hijackthis log.
-
Sorry I'd hate to be a complete pain in the *censored* but can you fix that new link, sorry man
-
Fixed. You would think I should learn by now ???
-
[Custom Input]
< C:\WINDOWS\ssqnmmnm >
C:\WINDOWS\ssqnmmnm moved successfully.
< C:\WINDOWS\system32\ssqnmmnm >
C:\WINDOWS\system32\ssqnmmnm moved successfully.
< C:\WINDOWS\system32\vbzip10.dll >
File/Folder C:\WINDOWS\system32\vbzip10.dll not found.
< C:\WINDOWS\system32\ddayxwtu.dll >
File/Folder C:\WINDOWS\system32\ddayxwtu.dll not found.
< C:\WINDOWS\jkhfedab.dll >
File/Folder C:\WINDOWS\jkhfedab.dll not found.
< C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll >
File/Folder C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mljigdbbxu >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mljigdbbxu\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmkhghijgd >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmkhghijgd\\ not found.
< HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa >
Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\ deleted successfully.
OTMoveIt2 v1.0.20 log created on 03102008_160105
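When reviewing an OTMoveIt2 result like the one above, the important questions are which items were actually removed, which were reported as not found, and whether anything removed is something Windows itself depends on. The script below is an added example, not part of the thread or of OTMoveIt2; it parses the "< item >" / result-line pairs from a copy of the results posted above and flags deletions of an assumed list of critical registry keys. That list contains only HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which holds the Local Security Authority configuration that lsass.exe reads at boot; its removal, reported as successful above, is a plausible explanation for the lsass.exe error described in the following post.

```python
import re

# Copy of the OTMoveIt2 results posted above, used here as sample input.
SAMPLE_LOG = r"""[Custom Input]
< C:\WINDOWS\ssqnmmnm >
C:\WINDOWS\ssqnmmnm moved successfully.
< C:\WINDOWS\system32\ssqnmmnm >
C:\WINDOWS\system32\ssqnmmnm moved successfully.
< C:\WINDOWS\system32\vbzip10.dll >
File/Folder C:\WINDOWS\system32\vbzip10.dll not found.
< C:\WINDOWS\system32\ddayxwtu.dll >
File/Folder C:\WINDOWS\system32\ddayxwtu.dll not found.
< C:\WINDOWS\jkhfedab.dll >
File/Folder C:\WINDOWS\jkhfedab.dll not found.
< C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll >
File/Folder C:\Documents and Settings\Owner\Application Data\awtqqpmn.dll not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4862C7B6-5906-5FA9-511A-5F00B7CC8DC8}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9485F885-9C7C-4EF8-83F6-FE154E3873E9}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mljigdbbxu >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mljigdbbxu\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmkhghijgd >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmkhghijgd\\ not found.
< HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa >
Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\ deleted successfully.
OTMoveIt2 v1.0.20 log created on 03102008_160105
"""

ITEM_RE = re.compile(r"^<\s*(.+?)\s*>$")
STATUSES = ("moved successfully", "deleted successfully", "not found")

# Assumed list of keys whose removal breaks Windows; extend as needed.
CRITICAL_KEY_SUFFIXES = (r"\system\currentcontrolset\control\lsa",)


def parse_otmoveit_log(text):
    """Pair each '< target >' header with the result line that follows it."""
    entries = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ITEM_RE.match(line.strip())
        if not m or i + 1 >= len(lines):
            continue
        target = m.group(1)
        result = lines[i + 1].strip().rstrip(".")
        status = next((s for s in STATUSES if result.endswith(s)), "unknown")
        kind = "registry" if target.upper().startswith("HKEY_") else "file"
        entries.append({"target": target, "kind": kind, "status": status})
    return entries


def summarize(entries):
    """Count outcomes so the reviewer sees at a glance what actually changed."""
    counts = {}
    for e in entries:
        counts[e["status"]] = counts.get(e["status"], 0) + 1
    return counts


def critical_deletions(entries):
    """Registry keys Windows needs at boot that the run removed; review first."""
    return [e for e in entries
            if e["kind"] == "registry"
            and e["status"] == "deleted successfully"
            and e["target"].lower().endswith(CRITICAL_KEY_SUFFIXES)]


if __name__ == "__main__":
    parsed = parse_otmoveit_log(SAMPLE_LOG)
    print(summarize(parsed))
    for e in critical_deletions(parsed):
        print("critical:", e["target"])
```

Two caveats when reading the counts: "not found" for the two Browser Helper Object entries proves little, because the "~" in those paths is a tool's abbreviation rather than a real registry key name, so the lookup could never have matched; and a single "deleted successfully" against a system key matters more than any number of moved files.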
-
OK, now I restarted my computer and everything starts up, gets to the desktop, and a window comes up saying "Isass.exe - system error, objective name not found." When I hit OK it just restarts and the same thing happens.
-
Can you log on in safe mode?
Do you have an XP CD to boot from and do a repair install?