Malware Removal - Help

**evilfantasy** · #16 09-04-2008, 04:36 PM

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

Click Start , then Run
Type notepad.exe in the Run Box.

2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

File::
C:\sqmnoopt13.sqm
C:\sqmdata13.sqm
C:\sqmnoopt12.sqm
C:\sqmdata12.sqm
C:\WINDOWS\SYSTEM32\plkphytq.dll
C:\sqmnoopt11.sqm
C:\sqmdata11.sqm
C:\WINDOWS\SYSTEM32\xfoxaimj.ini
C:\Program Files\Trend Micro
C:\WINDOWS\SYSTEM32\atbiglum.dll
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
C:\WINDOWS\SYSTEM32\bslllwjg.ini
C:\WINDOWS\SYSTEM32\vqavawye.dll
C:\sqmnoopt09.sqm
C:\sqmdata09.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
C:\sqmnoopt06.sqm
C:\sqmdata06.sqm
C:\sqmnoopt05.sqm
C:\sqmdata05.sqm
C:\sqmnoopt04.sqm
C:\sqmdata04.sqm
C:\sqmnoopt03.sqm
C:\sqmdata03.sqm
C:\sqmnoopt02.sqm
C:\sqmdata02.sqm
C:\sqmnoopt01.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
C:\WINDOWS\SYSTEM32\xhmwnbol.ini
C:\WINDOWS\SYSTEM32\jeplkjvb.ini
C:\WINDOWS\SYSTEM32\cnopjlan.ini

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSihG]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Next post
Combofix log

**VNani** · #17 09-04-2008, 05:17 PM

Here is the log...

ComboFix 08-04-08.7 - Sandra 2008-04-09 11:55:50.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.253 [GMT -5:00]
Running from: C:\Documents and Settings\Sandra\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sandra\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Trend Micro
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\WINDOWS\SYSTEM32\atbiglum.dll
C:\WINDOWS\SYSTEM32\bslllwjg.ini
C:\WINDOWS\SYSTEM32\cnopjlan.ini
C:\WINDOWS\SYSTEM32\jeplkjvb.ini
C:\WINDOWS\SYSTEM32\plkphytq.dll
C:\WINDOWS\SYSTEM32\vqavawye.dll
C:\WINDOWS\SYSTEM32\xfoxaimj.ini
C:\WINDOWS\SYSTEM32\xhmwnbol.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\WINDOWS\SYSTEM32\atbiglum.dll
C:\WINDOWS\SYSTEM32\bslllwjg.ini
C:\WINDOWS\SYSTEM32\cnopjlan.ini
C:\WINDOWS\SYSTEM32\jeplkjvb.ini
C:\WINDOWS\SYSTEM32\plkphytq.dll
C:\WINDOWS\SYSTEM32\vqavawye.dll
C:\WINDOWS\SYSTEM32\xfoxaimj.ini
C:\WINDOWS\SYSTEM32\xhmwnbol.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 18:33 . 2008-04-08 18:33 <DIR> d-------- C:\Program Files\CleanUp!
2008-04-08 13:02 . 2008-04-08 13:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 11:16 . 2008-04-08 11:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 10:49 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-07 16:31 . 2008-04-07 16:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 16:31 . 2008-04-07 16:31 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\Malwarebytes
2008-04-07 16:31 . 2008-04-07 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 13:58 . 2008-04-07 13:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 13:58 . 2008-04-07 13:58 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\SUPERAntiSpyware.com
2008-04-07 13:58 . 2008-04-07 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 13:57 . 2008-04-07 13:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-07 13:45 . 2008-04-07 13:45 <DIR> d-------- C:\Program Files\CCleaner
2008-04-05 18:39 . 2008-04-05 18:38 39,424 -r-hs---- C:\WINDOWS\msn.com
2008-03-30 15:10 . 2008-03-30 15:10 <DIR> d-------- C:\Program Files\Audacity
2008-03-27 19:50 . 2008-03-27 19:50 <DIR> d-------- C:\Program Files\Axogon
2008-03-13 16:10 . 2008-03-13 16:10 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-03-13 16:05 . 2008-03-13 16:10 <DIR> d-------- C:\Program Files\Logitech
2008-03-13 16:05 . 2008-03-13 16:15 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2008-03-13 16:05 . 2008-03-13 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-13 16:05 . 2008-03-13 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-04-09 15:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 16:03 --------- d-----w C:\Program Files\Java
2008-04-08 01:57 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2008-04-07 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-06 21:11 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-04-06 21:10 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-04-03 21:21 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-28 00:52 --------- d-----w C:\Program Files\GIMP-2.0
2008-03-28 00:47 --------- d-----w C:\Program Files\NCH Swift Sound
2008-03-28 00:43 --------- d-----w C:\Program Files\DebugMode
2008-03-28 00:42 --------- d-----w C:\Program Files\Opera
2008-03-23 18:34 --------- d-----w C:\Program Files\QuickTime
2008-03-13 21:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 19:13 --------- d-----w C:\Program Files\EA GAMES
2008-03-08 00:27 --------- d-----w C:\Program Files\Common Files\EasyInfo
2008-03-07 23:17 --------- d-----w C:\Program Files\AnimatorDVSimple+
2008-03-07 15:56 --------- d-----w C:\Program Files\Real
2008-03-03 02:01 --------- d-----w C:\Program Files\MonkeyJam
2008-03-02 03:36 160,561 ----a-w C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
2008-03-02 03:36 --------- d-----w C:\Program Files\Sqirlz Water Reflections
2008-03-01 22:54 --------- d-----w C:\Program Files\Sonic Foundry
2008-02-21 23:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Individual Software
2008-02-19 19:07 --------- d-----w C:\Program Files\Vstplugins
2008-02-19 19:02 --------- d-----w C:\Program Files\Sony
2008-02-16 01:53 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-16 01:53 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 21:20 --------- d-----w C:\Program Files\Paint.NET
2008-02-15 18:05 --------- d-----w C:\Program Files\Screaming Bee
2008-02-14 21:30 --------- d-----w C:\Documents and Settings\Sandra\Application Data\Screaming Bee
2008-02-14 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Screaming Bee
2008-02-14 21:28 --------- d-----w C:\Program Files\Common Files\Screaming Bee
2008-02-11 21:55 209 ---ha-w C:\Documents and Settings\Dustin\hpothb07.dat
2008-02-11 20:13 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-11 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-09 23:01 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-26 00:45 28,672 ----a-w C:\Documents and Settings\Sandra\N_Menu.dll
2007-05-26 00:45 26,624 ----a-w C:\Documents and Settings\Sandra\silent_dos.dll
2007-05-26 00:45 1,334,784 ----a-w C:\Documents and Settings\Sandra\convert.exe
2007-03-20 15:21 23,446 ----a-w C:\Documents and Settings\Sandra\zguicfg.dat
2006-02-22 16:44 0 ---ha-w C:\Documents and Settings\Sandra\hpothb07.dat
2006-02-22 16:43 179 ---ha-w C:\Documents and Settings\All Users\Application Data\hpothb07.dat
2006-02-22 16:43 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-10-10 16:11 792,064 ----a-w C:\Program Files\pivot.exe
2004-07-20 16:13 5,693 ----a-w C:\Program Files\ReadMe.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-07-27 15:46 68856]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32 700416]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 20:52 185896]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-04-03 18:23 100056]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2004-07-27 16:50 221184]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb10.exe" [2004-03-04 10:46 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 16:36 49512]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-23 13:34 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe [2008-03-13 16:10:41 66864]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSihG]
ljJDSihG.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"msacm.ac3acm"= AC3ACM.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessen ger.exe"=

S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2001-04-25 17:44]
S3 MAC607;MAC607 Filter;C:\WINDOWS\system32\DRIVERS\MAC607.sys []
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio. sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 14:00:10 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Sandra.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2008-04-09 17:10:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2008-04-09 17:07:38 C:\WINDOWS\Tasks\User_Feed_Synchronization-{3D8C1BF4-7179-47C5-AD3C-DD7421DD4009}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
************************************************** ************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 12:01:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
C:\Program Files\Messenger\msmsgs.exe
.
************************************************** ************************
.
Completion time: 2008-04-09 12:12:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 17:12:38
ComboFix2.txt 2008-04-09 15:52:40
Pre-Run: 33,985,548,288 bytes free
Post-Run: 33,968,664,576 bytes free
.
2008-03-12 22:04:26 --- E O F ---

**evilfantasy** · #18 09-04-2008, 05:48 PM

That didn't get everything.

Download RegASSASSIN.exe to the desktop.

Open RegAssassin and copy the Registry Key in the Code box below.

Code:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDSihG

Now paste it in RegAssassins window and click Delete.

----------

Now post a new Hijackthis log please.

How is everything now?

**VNani** · #19 09-04-2008, 06:52 PM

things seem to be working fine. do I just post the current hijackthis log that is on the desktop, or do I need to do another scan first?

**evilfantasy** · #20 09-04-2008, 07:04 PM

Need a fresh scan please.

**VNani** · #21 09-04-2008, 07:08 PM

here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:49 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\s wg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - C:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.en-tel.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120134982093
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 13345 bytes

**evilfantasy** · #22 09-04-2008, 07:12 PM

Looks good. Just one entry to fix.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

---------

Run CleanUp!

---------

I'm sure you can see this: WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! This is common and you can install the recovery console if you choose by following the directions HERE

----------

Time to do some cleanup and secure the work you have done.

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:

Delete:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

When finished exit out of OTMoveIt2

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More Options Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Let me know if anything else comes up.

**VNani** · #23 10-04-2008, 12:21 AM

Ok looks good.... I want to download the new msn but the link you gave me shows MSN Web Messager and Windows Live Messager... which one should I download?

**evilfantasy** · #24 10-04-2008, 12:29 AM

Windows Live Messager is the new version of MSN Messenger.

If you prefer MSN Messenger then the last safe version can be downloaded HERE

Glad everything is OK now. If anything else comes up just let us know. Safe surfing........

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Help with a malware/virus winspywareprotect	badproduce	Virus, Spyware & Security	8	12-06-2008 08:28 PM
Malware Removal Guide - Please Read Before Posting	evilfantasy	Virus, Spyware & Security	6	04-03-2008 05:35 PM
malware log	antbann	Virus, Spyware & Security	4	01-03-2008 08:31 PM
Following malware removal instructions, have some questions.	jcastell	Virus, Spyware & Security	17	20-02-2008 12:18 AM
How can I remove vicious malware?	waynestep	Virus, Spyware & Security	28	28-08-2007 10:26 PM