
Trojans keep coming back

Discussion in 'Malware and Virus Removal Archive' started by Helenster, 2007/07/15.

  1. 2007/07/15
    Helenster

    Helenster Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    30
    Likes Received:
    0
    Hello. A couple of days ago, I just got a bunch of trojans on my computer. How? I have no idea. I've already tried scanning with AVG Anti-Spyware 7.5, Prevx 2.0, Ad-Aware, and Spybot, but it comes back a couple of minutes after I delete them. Some of the trojan names that I know of are AVPSrv.exe, cmdbcs.dll, mdpps.exe, and WinForm.exe.

    I think one of them is creating trojans in my system32 folder, because AVG Anti-Spyware and Prevx 2.0 block these files right after they are created. They also keep coming back after I've tried to delete them (e.g. "K11844711734.exe" and "K11844711734.DAT").

    Can I get some help on how to permanently get rid of all these without having to reformat my computer? :[

    Logfile of HijackThis v1.99.1
    Scan saved at 10:56:02 PM, on 7/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Prevx2\PXConsole.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Prevx2\PXAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Song\LOCALS~1\Temp\Rar$EX49.672\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 172.0.0.1 localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
    O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O23 - Service: DiamondCS ProcessGuard Service v3.405 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    Last edited: 2007/07/15
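    The HijackThis O4/O1 lines above and the poster's description of files that reappear in system32 under k-plus-digits names lend themselves to a small triage script. The following is an added example written for this thread; it is not the poster's or the forum's code and is not part of HijackThis or ComboFix. It only pattern-matches text (no registry or file-system access). The sample lines are constructed from the logs in this thread; the watch list is an assumption built from the names the poster gave (AVPSrv, cmdbcs, mdpps, WinForm) plus the O4 entries visible in the log (mppds, MsIMMs32); the hosts check flags any O1 line mapping localhost to something other than 127.0.0.1 (the posted log shows 172.0.0.1); and the ComboFix-style "Files Created" lines it scans are modelled on the log posted later in the thread.

```python
"""Triage helpers for HijackThis / ComboFix style log lines (added example).

Pattern-matches text only; it never touches the registry or the file system.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule detail")

# Assumed watch list: names the poster listed plus the O4 entries in the log,
# compared case-insensitively by file stem. Maintain it from a trusted source.
WATCH_LIST = {"avpsrv", "cmdbcs", "mdpps", "winform", "mppds", "msimms32"}

# "k" + a long run of digits + .exe/.DAT: the regenerated files the poster
# describes appearing in system32 (e.g. K11844711734.exe).
REGEN_RE = re.compile(r"^k\d{10,}\.(exe|dat)$", re.IGNORECASE)

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
# ComboFix "Files Created" line: date, time, size or <DIR>, attributes, path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\S+ +\S+ +(.+)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip()


def stem(path):
    return basename(path).rsplit(".", 1)[0].lower()


def parse_o4(line):
    """Return (hive, value_name, target_path) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, rest = m.groups()
    rest = rest.strip()
    if rest.startswith('"'):
        path = rest[1:rest.index('"', 1)]            # quoted path, args follow
    else:
        # Unquoted path: drop a trailing " /switch" or " -switch" (heuristic).
        path = re.split(r"\s+[/-]", rest, maxsplit=1)[0]
    return hive, name, path.strip()


def triage_hjt(text):
    """Flag watch-listed Run entries and a hosts line that redirects localhost."""
    findings = []
    for line in text.splitlines():
        o4 = parse_o4(line)
        if o4:
            hive, name, path = o4
            if stem(path) in WATCH_LIST or name.lower() in WATCH_LIST:
                findings.append(Finding("watch-list run entry",
                                        f"{hive} [{name}] -> {path}"))
            continue
        m = O1_RE.match(line.strip())
        if m and m.group(2).lower() == "localhost" and m.group(1) != "127.0.0.1":
            findings.append(Finding("hosts: localhost not 127.0.0.1", m.group(1)))
    return findings


def triage_created(text):
    """Flag 'Files Created' entries matching the regenerated k<digits> pattern."""
    findings = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and REGEN_RE.match(basename(m.group(1))):
            findings.append(Finding("regenerated k<digits> file", m.group(1)))
    return findings


# Constructed sample lines modelled on the logs in this thread.
SAMPLE_HJT = r"""
O1 - Hosts: 172.0.0.1 localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

SAMPLE_CREATED = r"""
2007-07-16 16:05 188,526 --a------ C:\WINDOWS\system32\k118462694612.exe
2007-07-16 16:04 6,382 --a------ C:\WINDOWS\system32\k118462694310.DAT
2007-07-16 16:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-07-15 10:52 <DIR> d-------- C:\HJT
2007-07-14 19:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_created(SAMPLE_CREATED):
        print(f"{f.rule}: {f.detail}")
```

    On the sample above the script reports the 172.0.0.1 hosts line, the AVPSrv and mppds Run entries, and the two k-digit files; the legitimate ccApp, SoundMan, AVG and ctfmon entries pass. Treat the output as a list of things to look at, not a verdict: the watch list is only as good as its source, and a reappearing file is better evidence of an active dropper than any single name.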
  2. 2007/07/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Helenster
    Welcome to Windowsbbs

    This worm/trojan steals information, typically account names and passwords, related to certain online games. I would suggest you change all passwords using a non-infected computer (not this one).

    Please follow these instructions in the order given.

    Please move HijackThis to a permanent directory on your hard drive, say C:\HJT. A temporary folder is not a suitable location for the backups HJT makes when entries are fixed.
    To do this, click Start, click My Computer, double-click your C drive, make a new folder and name it HJT. Now right-click HijackThis and click Copy, go back to the folder you made, right-click and click Paste.

    Now download this.

    Download ComboFix from Here or Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the combofix log and a new HJT log.

    Thanks
    Geri

  4. 2007/07/15
    Helenster

    Helenster Inactive Thread Starter

    I tried to use ComboFix, but I keep getting this:
    http://img175.imageshack.us/img175/4322/errorhc7.png

    Here's my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:27:29 AM, on 7/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\windows\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\windows\system32\svchost.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\System32\alg.exe
    C:\windows\system32\wscntfy.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 172.0.0.1 localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVPSrv] C:\windows\AVPSrv.exe
    O4 - HKLM\..\Run: [mppds] C:\windows\mppds.exe
    O4 - HKLM\..\Run: [MsIMMs32] C:\windows\MsIMMs32.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\windows\system32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O23 - Service: DiamondCS ProcessGuard Service v3.405 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  5. 2007/07/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    I'm trying to get info on that error.

    I'll get back to you as soon as I find something out.

    Geri
  6. 2007/07/15
    Helenster

    Helenster Inactive Thread Starter

    Thanks! I'll be waiting for your reply! :D
  7. 2007/07/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    It may have been a bad download, I'm still waiting on the maker to address it.

    I downloaded it and ran it with no problems.

    In the meantime, please delete the one you downloaded and download it again.
    Then try to run it. Let me know.

    Thanks
    Geri
  8. 2007/07/16
    Helenster

    Helenster Inactive Thread Starter

    I tried the download from both sites, but I keep getting the same error over and over again.
  9. 2007/07/16
    Helenster

    Helenster Inactive Thread Starter

    I finally got ComboFix to work, but by using Safe Mode.

    Here's the log:

    "Song" - 2007-07-16 17:11:16 - ComboFix 07-07-14.6 - Service Pack 2 NTFS [SAFE MODE]


    ((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


    2007-07-16 17:07 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-07-16 17:07 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
    2007-07-16 16:34 0 --a------ C:\WINDOWS\system32\sfsync02.dll
    2007-07-16 16:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-07-16 16:29 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-07-16 16:29 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-07-16 16:29 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-07-16 16:29 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-07-16 16:28 <DIR> d-------- C:\Program Files\Webroot
    2007-07-16 16:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-07-16 16:05 188,526 --a------ C:\WINDOWS\system32\k118462694612.exe
    2007-07-16 16:04 9,688 --a------ C:\WINDOWS\system32\k118462694310.exe
    2007-07-16 16:04 8,072 --a------ C:\WINDOWS\system32\k118462694411.exe
    2007-07-16 16:04 6,382 --a------ C:\WINDOWS\system32\k118462694310.DAT
    2007-07-16 16:03 9,812 --a------ C:\WINDOWS\system32\k11846269386.exe
    2007-07-16 16:03 6,502 --a------ C:\WINDOWS\system32\k11846269386.DAT
    2007-07-16 16:03 32,256 --a------ C:\WINDOWS\system32\k11846269418.exe
    2007-07-16 16:03 27,648 --a------ C:\WINDOWS\system32\k11846269375.exe
    2007-07-16 16:02 6,915 --a------ C:\WINDOWS\system32\k11846269364.DAT
    2007-07-16 16:02 11,344 --a------ C:\WINDOWS\system32\k11846269353.exe
    2007-07-16 16:02 10,228 --a------ C:\WINDOWS\system32\k11846269364.exe
    2007-07-16 15:06 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-16 15:05 188,526 --a------ C:\WINDOWS\system32\k118462333112.exe
    2007-07-16 15:04 9,688 --a------ C:\WINDOWS\system32\k118462332810.exe
    2007-07-16 15:04 8,072 --a------ C:\WINDOWS\system32\k118462333011.exe
    2007-07-16 15:04 6,382 --a------ C:\WINDOWS\system32\k118462332810.DAT
    2007-07-16 15:03 9,812 --a------ C:\WINDOWS\system32\k11846233236.exe
    2007-07-16 15:03 6,502 --a------ C:\WINDOWS\system32\k11846233236.DAT
    2007-07-16 15:03 32,256 --a------ C:\WINDOWS\system32\k11846233268.exe
    2007-07-16 15:03 27,648 --a------ C:\WINDOWS\system32\k11846233225.exe
    2007-07-16 15:02 6,915 --a------ C:\WINDOWS\system32\k11846233214.DAT
    2007-07-16 15:02 11,344 --a------ C:\WINDOWS\system32\k11846233203.exe
    2007-07-16 15:02 10,228 --a------ C:\WINDOWS\system32\k11846233214.exe
    2007-07-15 23:14 19,968 --a------ C:\WINDOWS\system32\fggskr.dll
    2007-07-15 17:07 19,968 --a------ C:\WINDOWS\system32\pmxdkb.dll
    2007-07-15 13:01 <DIR> d-------- C:\DOCUME~1\Song\APPLIC~1\Webroot
    2007-07-15 10:52 <DIR> d-------- C:\HJT
    2007-07-15 03:50 19,968 --a------ C:\WINDOWS\system32\tkyetn.dll
    2007-07-15 00:50 19,968 --a------ C:\WINDOWS\system32\xnuqjc.dll
    2007-07-14 22:49 19,968 --a------ C:\WINDOWS\system32\onucrt.dll
    2007-07-14 19:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-07-14 15:23 <DIR> d-------- C:\WINDOWS\network diagnostic
    2007-07-14 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
    2007-07-14 11:21 6,144 --a------ C:\WINDOWS\system32\mssock.sys
    2007-07-14 11:21 20,682 --a------ C:\WINDOWS\system32\mscomm.dll
    2007-07-14 11:04 22,016 --a------ C:\WINDOWS\system32\ahkqob.dll
    2007-07-12 22:11 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
    2007-07-12 20:10 <DIR> d-------- C:\Program Files\Prevx2
    2007-07-12 20:10 <DIR> d-------- C:\DOCUME~1\Song\APPLIC~1\Prevx
    2007-07-12 20:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
    2007-07-12 20:09 77,312 --a------ C:\WINDOWS\ua2.dll
    2007-07-12 17:19 <DIR> d-------- C:\Program Files\Lavasoft
    2007-07-10 19:27 <DIR> d--h----- C:\WINDOWS\PIF
    2007-07-09 22:36 109,440 --a------ C:\WINDOWS\system32\drivers\KbdCap.sys
    2007-07-09 21:48 11,880 --a------ C:\WINDOWS\system32\A4206978.DLL
    2007-07-09 15:08 <DIR> d-------- C:\Program Files\TriglowPictures
    2007-07-04 08:04 <DIR> d-------- C:\Program Files\iTunes
    2007-07-04 08:04 <DIR> d-------- C:\Program Files\iPod
    2007-07-04 08:03 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-07-04 08:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-06-29 17:27 <DIR> d-------- C:\DOCUME~1\Song\APPLIC~1\Sudeki
    2007-06-29 14:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-24 19:25 5,767,168 --a------ C:\DOCUME~1\Song\ntuser.dat
    2007-06-17 00:22 <DIR> d-------- C:\DOCUME~1\Song\APPLIC~1\Skype
    2007-06-17 00:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-17 00:00:49 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-07-13 00:19:18 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-10 04:44:22 -------- d-----w C:\Program Files\Norton AntiVirus
    2007-07-09 22:08:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-25 05:18:38 -------- d-----w C:\Program Files\AIM
    2007-06-18 03:36:22 -------- d-----w C:\DOCUME~1\Song\APPLIC~1\Apple Computer
    2007-06-14 02:37:22 -------- d-----w C:\DOCUME~1\Song\APPLIC~1\DivX
    2007-06-13 20:01:45 -------- d-----w C:\DOCUME~1\Song\APPLIC~1\BitTorrent
    2007-06-12 17:04:05 -------- d-----w C:\Program Files\BitTorrent
    2007-06-12 03:55:01 -------- d-----w C:\Program Files\Common Files\InstallShield
    2007-06-09 22:32:41 -------- d-----w C:\Program Files\DivX
    2007-06-08 16:43:08 -------- d-----w C:\Program Files\Winamp
    2007-06-04 22:18:48 9,344 ----a-w C:\windows\system32\drivers\NSDriver.sys
    2007-06-04 22:17:02 8,320 ----a-w C:\windows\system32\drivers\AWRTRD.sys
    2007-06-04 22:14:56 6,272 ----a-w C:\windows\system32\drivers\AWRTPD.sys
    2007-05-31 07:02:22 -------- d-----w C:\Program Files\QuickTime
    2007-05-31 07:00:00 -------- d-----w C:\Program Files\Apple Software Update
    2007-05-31 06:45:07 524,288 ----a-w C:\windows\system32\DivXsm.exe
    2007-05-31 06:44:55 823,296 ----a-w C:\windows\system32\divx_xx07.dll
    2007-05-31 06:44:54 823,296 ----a-w C:\windows\system32\divx_xx0c.dll
    2007-05-31 06:44:54 802,816 ----a-w C:\windows\system32\divx_xx11.dll
    2007-05-31 06:44:54 740,442 ----a-w C:\windows\system32\DivX.dll
    2007-05-09 18:53:54 1,224,704 ----a-r C:\windows\system32\clubbox.exe
    2007-05-06 08:07:55 61,440 ----a-w C:\windows\system32\nod.dll
    2007-04-23 00:15:29 3,596,288 ----a-w C:\windows\system32\qt-dx331.dll
    2007-04-23 00:15:24 129,784 ------w C:\windows\system32\pxafs.dll
    2007-04-23 00:15:24 118,520 -c----w C:\windows\system32\pxinsi64.exe
    2007-04-23 00:15:24 116,472 -c----w C:\windows\system32\pxcpyi64.exe
    2007-04-23 00:15:18 200,704 ----a-w C:\windows\system32\ssldivx.dll
    2007-04-23 00:15:18 1,044,480 ----a-w C:\windows\system32\libdivx.dll
    2007-04-23 00:02:34 73,728 ----a-w C:\windows\system32\dpl100.dll
    2007-04-23 00:02:34 196,608 ----a-w C:\windows\system32\dtu100.dll
    2007-04-23 00:02:33 53,248 ----a-w C:\windows\system32\dpuGUI10.dll
    2007-04-23 00:02:31 593,920 -c--a-w C:\windows\system32\dpuGUI11.dll
    2007-04-23 00:02:31 57,344 ----a-w C:\windows\system32\dpv11.dll
    2007-04-23 00:02:31 344,064 ----a-w C:\windows\system32\dpus11.dll
    2007-04-23 00:02:31 294,912 ----a-w C:\windows\system32\dpu11.dll
    2007-04-23 00:02:31 294,912 ----a-w C:\windows\system32\dpu10.dll
    2007-04-23 00:01:47 12,288 ----a-w C:\windows\system32\DivXWMPExtType.dll
    2007-04-23 00:01:46 124,472 ----a-w C:\windows\system32\DivXCodecUpdateChecker.exe
    2007-04-17 05:47:36 33,624 ----a-w C:\windows\system32\wups.dll
    2007-04-17 05:47:36 33,624 ----a-w C:\windows\system32\wups(2)(2).dll
    2007-04-17 05:45:54 1,710,936 ----a-w C:\windows\system32\wuaueng.dll
    2007-04-17 05:45:48 549,720 ----a-w C:\windows\system32\wuapi.dll
    2007-04-17 05:45:42 325,976 ----a-w C:\windows\system32\wucltui.dll
    2007-04-17 05:45:36 203,096 ----a-w C:\windows\system32\wuweb.dll
    2007-04-17 05:45:28 92,504 ----a-w C:\windows\system32\cdm.dll
    2007-04-17 05:45:20 53,080 ----a-w C:\windows\system32\wuauclt.exe
    2007-04-17 05:45:20 43,352 -c--a-w C:\windows\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}]
    2006-01-10 12:09 90112 --a------ C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2005-11-10 13:22 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    2002-11-15 00:09 112248 --a------ C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CapFax "= "C:\Program Files\Classic PhoneTools\CapFax.EXE" [2001-12-10 17:34]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11]
    "ccRegVfy "= "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-09-25 09:59]
    "AdaptecDirectCD "= "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
    "SoundMan "= "SOUNDMAN.EXE" [2004-09-16 05:39 C:\WINDOWS\SOUNDMAN.EXE]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
    "PrevxOne "= "C:\Program Files\Prevx2\PXConsole.exe" [2007-07-10 07:42]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-14 19:38]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter "= "RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 12:37]
    "ctfmon.exe "= "C:\windows\system32\ctfmon.exe" [2004-08-04 05:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-14 19:37]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVPSrv]
    C:\WINDOWS\AVPSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]
    C:\WINDOWS\cmdbcs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Autorun11]
    C:\WINDOWS\system32\nwizwlwzs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Autorun7]
    C:\WINDOWS\system32\nwizqjsj.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mppds]
    C:\WINDOWS\mppds.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsIMMs32]
    C:\WINDOWS\MsIMMs32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
    "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TIMHost]
    C:\WINDOWS\TIMHost.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinForm]
    C:\WINDOWS\WinForm.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{714c7708-8ff6-11db-adc5-00115b9ea7a7}]
    Auto\command- sxs.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe


    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
    C:\windows\system32\nwizzhuxians.exe

    Contents of the 'Scheduled Tasks' folder
    2007-07-15 21:07:04 C:\windows\tasks\AppleSoftwareUpdate.job
    2007-06-16 03:02:43 C:\windows\tasks\Norton AntiVirus - Scan my computer.job
    2007-07-17 00:07:00 C:\windows\tasks\Symantec NetDetect.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-16 17:13:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-16 17:14:08
    C:\ComboFix-quarantined-files.txt ... 2007-07-16 17:14

    --- E O F ---
     
  10. 2007/07/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Helenster

    Sorry this took so long, still trying to get an answer on your error message.

    Well, I was hoping that we wouldn't have to run combofix in safe mode; it's not quite as effective. :cool: And we will have to do this manually.

    But it showed quite a bit. There are a few files we need to have scanned, because I can find no info on them.

    So here is what we need to do. Each one of these needs to be scanned.

    C:\WINDOWS\system32\k118462694612.exe
    C:\WINDOWS\system32\fggskr.dll
    C:\WINDOWS\system32\pmxdkb.dll
    C:\WINDOWS\system32\tkyetn.dll
    C:\WINDOWS\system32\xnuqjc.dll
    C:\WINDOWS\system32\onucrt.dll
    C:\WINDOWS\system32\ahkqob.dll

    Please scan each one here and post the results.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
      • C:\WINDOWS\system32\k118462694612.exe
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
    Geri,
    #9
  11. 2007/07/17
    Helenster

    Helenster Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    30
    Likes Received:
    0
    Here are the results:

    File: k118462694612.exe
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: aff81d2aa66fc69152c48d4f39544ec4
    Packers detected:
    UPACK
    Bit9 reports: High threat detected (more info)
    Scanner results
    Scan taken on 17 Jul 2007 06:09:20 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/Drop.Small.axi
    ArcaVir
    Found Trojan.Dropper.Small.Axi
    Avast
    Found nothing
    AVG Antivirus
    Found BackDoor.Agent.GOH
    BitDefender
    Found Trojan.Dropper.Small.AXI
    ClamAV
    Found nothing
    Dr.Web
    Found Trojan.Sniff
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-Dropper.Win32.Small.axi
    Fortinet
    Found W32/Small.AXI!tr
    Kaspersky Anti-Virus
    Found Trojan-Dropper.Win32.Small.axi
    NOD32
    Found Win32/TrojanDropper.Delf.NEG
    Norman Virus Control
    Found W32/Suspicious_U.gen
    Panda Antivirus
    Found nothing
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Mal/Packer
    VirusBuster
    Found Packed/Upack
    VBA32
    Found Trojan-Dropper.Win32.Small.axi

    ---

    File: fggskr.dll
    Status:
    INFECTED/MALWARE
    MD5: da2875066cb2e798cf242152058debed
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 17 Jul 2007 06:13:22 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/PSW.Agent.20480
    ArcaVir
    Found nothing
    Avast
    Found Win32:Onlinegames-ACD
    AVG Antivirus
    Found nothing
    BitDefender
    Found Generic.Malware.gPWS.C01368F9
    ClamAV
    Found Trojan.Spy-11019
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    NOD32
    Found a variant of Win32/PSW.OnLineGames.NBZ
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found Trj/Lineage.EOR
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Troj/OnLine-Gen
    VirusBuster
    Found Trojan.OnlineGames.Gen.24
    VBA32
    Found MalwareScope.Trojan-PSW.Game.12

    ---

    File: pmxdkb.dll
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: da2875066cb2e798cf242152058debed
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 17 Jul 2007 06:15:07 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/PSW.Agent.20480
    ArcaVir
    Found nothing
    Avast
    Found Win32:Onlinegames-ACD
    AVG Antivirus
    Found nothing
    BitDefender
    Found Generic.Malware.gPWS.C01368F9
    ClamAV
    Found Trojan.Spy-11019
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    NOD32
    Found a variant of Win32/PSW.OnLineGames.NBZ
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found Trj/Lineage.EOR
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Troj/OnLine-Gen
    VirusBuster
    Found Trojan.OnlineGames.Gen.24
    VBA32
    Found MalwareScope.Trojan-PSW.Game.12

    ---

    File: tkyetn.dll
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: da2875066cb2e798cf242152058debed
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 17 Jul 2007 06:19:47 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/PSW.Agent.20480
    ArcaVir
    Found nothing
    Avast
    Found Win32:Onlinegames-ACD
    AVG Antivirus
    Found nothing
    BitDefender
    Found Generic.Malware.gPWS.C01368F9
    ClamAV
    Found Trojan.Spy-11019
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    NOD32
    Found a variant of Win32/PSW.OnLineGames.NBZ
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found Trj/Lineage.EOR
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Troj/OnLine-Gen
    VirusBuster
    Found Trojan.OnlineGames.Gen.24
    VBA32
    Found MalwareScope.Trojan-PSW.Game.12

    ---

    File: xnuqjc.dll
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: da2875066cb2e798cf242152058debed
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 17 Jul 2007 06:17:26 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/PSW.Agent.20480
    ArcaVir
    Found nothing
    Avast
    Found Win32:Onlinegames-ACD
    AVG Antivirus
    Found nothing
    BitDefender
    Found Generic.Malware.gPWS.C01368F9
    ClamAV
    Found Trojan.Spy-11019
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    NOD32
    Found a variant of Win32/PSW.OnLineGames.NBZ
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found Trj/Lineage.EOR
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Troj/OnLine-Gen
    VirusBuster
    Found Trojan.OnlineGames.Gen.24
    VBA32
    Found MalwareScope.Trojan-PSW.Game.12

    ---

    File: onucrt.dll
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: da2875066cb2e798cf242152058debed
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 17 Jul 2007 06:21:37 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/PSW.Agent.20480
    ArcaVir
    Found nothing
    Avast
    Found Win32:Onlinegames-ACD
    AVG Antivirus
    Found nothing
    BitDefender
    Found Generic.Malware.gPWS.C01368F9
    ClamAV
    Found Trojan.Spy-11019
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.abr
    NOD32
    Found a variant of Win32/PSW.OnLineGames.NBZ
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found Trj/Lineage.EOR
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Troj/OnLine-Gen
    VirusBuster
    Found Trojan.OnlineGames.Gen.24
    VBA32
    Found MalwareScope.Trojan-PSW.Game.12

    ---

    File: ahkqob.dll
    Status:
    INFECTED/MALWARE
    MD5: 943feaa255baf5f85ced9d338cc5d715
    Packers detected:
    -
    Bit9 reports: Not analyzed yet (more info)
    Scanner results
    Scan taken on 17 Jul 2007 06:23:05 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found TR/PSW.Agent.20480
    ArcaVir
    Found Trojan.Psw.Onlinegames.Es
    Avast
    Found Win32:Onlinegames-ACD
    AVG Antivirus
    Found PSW.OnlineGames.AJZ
    BitDefender
    Found Generic.Onlinegames.2.B7779DC9
    ClamAV
    Found Trojan.Spy-3309
    Dr.Web
    Found Trojan.PWS.Gamania.2808
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.es
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found Trojan-PSW.Win32.OnLineGames.es
    NOD32
    Found nothing
    Norman Virus Control
    Found OnlineGames.gen11
    Panda Antivirus
    Found Trj/Lineage.EOU
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found Troj/OnLine-Gen
    VirusBuster
    Found Trojan.OnlineGames.Gen.24
    VBA32
    Found MalwareScope.Trojan-PSW.Game.12
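One thing the per-engine lines above do not make obvious: five of the DLLs (fggskr, pmxdkb, tkyetn, xnuqjc, onucrt) report the same MD5, so they are one payload dropped under five random names, and a single verdict covers the whole group. As an added example that is not part of this thread and not a Jotti tool, the script below parses Jotti-style output, groups submissions by MD5 and counts how many engines flagged each distinct file. The sample input is constructed from the results posted above (file names and MD5 values as posted, engine lists shortened to three engines each).

```python
"""Group Jotti-style multi-engine results by MD5 and count detections.

Added example: not part of the thread and not a Jotti tool. The sample below
is constructed from the posted results, with engine lists shortened.
"""
import re
from collections import defaultdict

# Constructed sample in the posted layout (three reports, three engines each).
SAMPLE_RESULTS = """\
File: k118462694612.exe
MD5: aff81d2aa66fc69152c48d4f39544ec4
Packers detected:
UPACK
Scan taken on 17 Jul 2007 06:09:20 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Drop.Small.axi
Kaspersky Anti-Virus
Found Trojan-Dropper.Win32.Small.axi

---

File: fggskr.dll
MD5: da2875066cb2e798cf242152058debed
Packers detected:
-
Scan taken on 17 Jul 2007 06:13:22 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/PSW.Agent.20480
Kaspersky Anti-Virus
Found Trojan-PSW.Win32.OnLineGames.abr

---

File: pmxdkb.dll
MD5: da2875066cb2e798cf242152058debed
Scan taken on 17 Jul 2007 06:15:07 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/PSW.Agent.20480
Kaspersky Anti-Virus
Found Trojan-PSW.Win32.OnLineGames.abr
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_reports(text):
    """Split on '---' and parse each report into a dict.

    'verdicts' maps engine name -> detection string, or None for 'Found nothing'.
    """
    reports = []
    for chunk in re.split(r"^---$", text, flags=re.MULTILINE):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        rep = {"name": None, "md5": None, "packers": [], "verdicts": {}}
        engine, in_results = None, False
        for i, line in enumerate(lines):
            if line.startswith("File: "):
                rep["name"] = line[6:]
            elif line.startswith("MD5: "):
                rep["md5"] = line[5:].lower()
                if not MD5_RE.match(rep["md5"]):
                    raise ValueError(f"bad MD5 in report for {rep['name']}")
            elif line == "Packers detected:" and i + 1 < len(lines) and lines[i + 1] != "-":
                rep["packers"].append(lines[i + 1])  # '-' means no packer detected
            elif line.startswith("Scan taken on"):
                in_results = True  # engine/verdict pairs follow this line
            elif in_results and line.startswith("Found "):
                rep["verdicts"][engine] = None if line == "Found nothing" else line[6:]
            elif in_results:
                engine = line  # engine name; its 'Found ...' line comes next
        reports.append(rep)
    return reports


def detection_counts(rep):
    """(engines that flagged the file, engines that returned a result)."""
    return (sum(v is not None for v in rep["verdicts"].values()), len(rep["verdicts"]))


def group_by_md5(reports):
    """md5 -> file names sharing that hash (same hash = same file, whatever the name)."""
    groups = defaultdict(list)
    for rep in reports:
        groups[rep["md5"]].append(rep["name"])
    return dict(groups)


def summarize(text):
    """md5 -> {names, hits, total, packers}: one row per distinct file."""
    out = {}
    for rep in parse_reports(text):
        hits, total = detection_counts(rep)
        row = out.setdefault(rep["md5"], {"names": [], "hits": hits,
                                          "total": total, "packers": rep["packers"]})
        row["names"].append(rep["name"])
    return out


if __name__ == "__main__":
    for md5, row in summarize(SAMPLE_RESULTS).items():
        print(md5, f"{row['hits']}/{row['total']}", row["packers"] or "-", ", ".join(row["names"]))
```

Run on the full set of posted results, the summary collapses seven submissions to three distinct hashes, which is also the number of samples actually worth a closer look.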
     
  12. 2007/07/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    EDIT Note:
    Please see post below before Doing this step.

    OK, let's do this now.

    Download and Run OTMoveIt
    Download OTMoveIt by OldTimer to your Desktop.
    • Double click OTMoveIt.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    After that, please try to run ComboFix again in normal mode. If it will run, please run it and post the log.

    Please Run HJT again and post the new log.

    Thanks
    Geri
     
    Last edited: 2007/07/17
  13. 2007/07/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Helenster

    Please Note edited post above.
    I would like info on this before you run OTMoveIt.

    It may need to be added to the list.

    Submit to Jotti's please.

    C:\WINDOWS\system32\mssock.sys

    Thanks
    Geri
     
  14. 2007/07/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Also, it seems you have a removable drive infection: flash drive, USB stick...

    Please do not use these until we can clean it up.

    Thanks
    Geri
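The removable-drive diagnosis rests on the MountPoints2 block in the ComboFix log posted earlier, where the cached Auto\command and AutoRun\command for one volume launch sxs.exe from the drive root; MountPoints2 is where Explorer caches the autorun.inf handlers it has seen on a volume. As an added example that is not part of the thread and not ComboFix code, the script below parses that section of a ComboFix-style report and flags volumes whose cached handlers run an executable. The sample is constructed: the first block is copied from the posted log, the second is an invented clean entry for contrast.

```python
"""Flag MountPoints2 autorun handlers in a ComboFix-style report.

Added example: not part of the thread and not ComboFix code. The first
volume below is copied from the posted log; the second is invented as a
clean entry (a MountPoints2 key with only a BaseClass value).
"""
import re

# Constructed sample (first block from the posted log, second block invented).
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{714c7708-8ff6-11db-adc5-00115b9ea7a7}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}]
BaseClass- Drive
"""

# A MountPoints2 subkey is named after the volume GUID or a drive letter.
MP2_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer"
    r"\\mountpoints2\\(\{[0-9a-f-]{36}\}|[a-z])\]$", re.IGNORECASE)
# ComboFix prints cached shell verbs as '<verb>\command- <command line>'.
CMD_LINE = re.compile(r"^(Auto|AutoRun|Open|Explore)\\command-\s*(.+)$", re.IGNORECASE)
# Launch patterns typical of autorun.inf droppers: a bare executable name that
# resolves relative to the drive root, or ShellExec_RunDLL used to start one.
SUSPICIOUS = re.compile(
    r"ShellExec_RunDLL|^[\w.-]+\.(?:exe|com|bat|cmd|scr|pif)(?:\s|$)", re.IGNORECASE)


def parse_mountpoints(report):
    """Return {volume_id: {verb: command}} for every MountPoints2 block."""
    volumes = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        key = MP2_KEY.match(line)
        if key:
            current = key.group(1)
            volumes[current] = {}
            continue
        if line.startswith("["):
            current = None  # some other registry key; stop attributing lines
            continue
        cmd = CMD_LINE.match(line)
        if cmd and current is not None:
            volumes[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return volumes


def flag_autorun(volumes):
    """Return [(volume_id, verb, command, reason)] for handlers worth checking."""
    findings = []
    for vol, cmds in volumes.items():
        for verb, command in cmds.items():
            if not SUSPICIOUS.search(command):
                continue
            if "shellexec_rundll" in command.lower():
                reason = "ShellExec_RunDLL launcher"
            else:
                reason = "bare executable resolved from the drive root"
            findings.append((vol, verb, command, reason))
    return findings


if __name__ == "__main__":
    for vol, verb, command, reason in flag_autorun(parse_mountpoints(SAMPLE_REPORT)):
        print(f"{vol} {verb}: {command!r} ({reason})")
```

A hit here says the handler is cached on this machine; the file it names lives on the removable volume, which is why the drive itself has to be cleaned (and autorun on it not triggered) before the entry is cleared.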
     
  15. 2007/07/17
    Helenster

    Helenster Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    30
    Likes Received:
    0
    File: mssock.sys
    Status:
    INFECTED/MALWARE
    MD5: 2c4cc9a7678bd01b4421be70a4cf78db
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 17 Jul 2007 17:56:03 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    Dr.Web
    Found Trojan.PWS.Gamania.2809
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

    Here's my HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:59:59 AM, on 7/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\windows\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Prevx2\PXAgent.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\cmd.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 172.0.0.1 localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CapFax] "C:\Program Files\Classic PhoneTools\CapFax.EXE "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe "
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\windows\system32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O23 - Service: DiamondCS ProcessGuard Service v3.405 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
    O23 - Service: E0722550 - Unknown owner - C:\windows\system32\15CA6C78.EXE (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


    I'm still getting the same error on ComboFix.
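The HJT log above carries several entry types a reviewer would pull out first: BHO entries with no backing file, a DPF entry with no source URL, a service with an eight-hex-character name, unknown owner and missing binary, and a hosts mapping that sends localhost to a non-loopback address. As an added example, not HijackThis code and not the procedure used in this thread, the script below applies those rules to HJT 1.99-style lines; the rules are this example's own heuristics, not HJT's classification. The sample lines are constructed from the posted log, plus benign lines for contrast.

```python
"""Triage a HijackThis 1.99-style log with a few simple rules.

Added example: not HijackThis code. Rules are this example's own heuristics.
Sample lines are copied from the posted log plus benign lines for contrast.
"""
import re

# Constructed sample (lines from the posted log; the Java BHO, WGA DPF, iPod
# and ProcessGuard services are included as entries the rules should not flag).
SAMPLE_HJT = r"""
O1 - Hosts: 172.0.0.1 localhost
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} -
O23 - Service: DiamondCS ProcessGuard Service v3.405 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
O23 - Service: E0722550 - Unknown owner - C:\windows\system32\15CA6C78.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RANDOM_NAME = re.compile(r"^[0-9A-F]{8}$")  # eight hex chars, like E0722550


def triage_line(line):
    """Return (entry_type, reason) when a rule matches, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    if kind == "O1":
        # 'Hosts: <ip> <name>': localhost must resolve to a 127.x loopback address
        parts = body.split()
        if len(parts) >= 3 and parts[2].lower() == "localhost" and not parts[1].startswith("127."):
            return kind, f"localhost mapped to {parts[1]}, not loopback"
    elif kind == "O2" and body.endswith("(no file)"):
        return kind, "BHO registered but its DLL is gone (orphan entry)"
    elif kind == "O16" and body.rstrip().endswith("-"):
        return kind, "ActiveX download entry with no source URL"
    elif kind == "O23":
        # 'Service: <name> - <owner> - <path>'
        fields = [f.strip() for f in body.split(" - ")]
        name = fields[0].replace("Service:", "").strip()
        owner = fields[1] if len(fields) > 1 else ""
        path = fields[2] if len(fields) > 2 else ""
        if owner == "Unknown owner" and "(file missing)" in path and RANDOM_NAME.match(name):
            return kind, "service with random-looking name, unknown owner, binary missing"
    return None


def triage(log):
    """Return [(line, entry_type, reason)] for every line a rule matched."""
    return [(line.strip(), *hit) for line in log.splitlines()
            if (hit := triage_line(line))]


if __name__ == "__main__":
    for line, kind, reason in triage(SAMPLE_HJT):
        print(f"{kind}: {reason}\n    {line}")
```

The O23 rule deliberately needs all three signals (random name, unknown owner, missing file): the ProcessGuard leftover in the sample has an unknown owner and a missing file too, but a readable product name, and is a stale uninstall rather than something to chase.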
     
  16. 2007/07/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    :( OK

    OK Please do this next.

    Open OTMoveIt and add this, then click MoveIt.

    C:\WINDOWS\system32\mssock.sys

    Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

    To disable SpySweeper:

    Open it, click >Options over to the left, then >Program Options, and uncheck "load at windows startup".
    Over to the left click "shields" and uncheck all there.
    Uncheck "home page shield".
    Uncheck "automatically restore default without notification".

    We need to disable your Prevx protection as it can interfere with our fixes.

    Right click on the Prevx icon on your system tray and choose Show Management Console.

    On the Management Console click the Protection Level drop-down menu.

    You will see three levels:

    Maximum

    Off

    User Defined


    To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.

    Click the X on the upper right hand corner to exit the Management console. Once we are done cleaning up, you can repeat the steps, setting the level this time to Maximum in order to re-enable protection.

    Now do this.

    Go to Start > Run, type Services.msc, then hit OK.
    Scroll down and find the below service:

    E0722550

    When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.


    Now Open HiJackThis, Click on Misc Tools section, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

    E0722550


    Click OK.

    It should pull up information about the service, then ask if you want to reboot. Click NO.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} -


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    After that, Reboot.

    Please post a New HJT Log into this Thread.

    Thanks
    Geri
     
  17. 2007/07/17
    Helenster

    Helenster Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    30
    Likes Received:
    0
    Here's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:29:49 PM, on 7/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Classic PhoneTools\CapFax.EXE
    C:\windows\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\windows\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\wscntfy.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\HJT\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 172.0.0.1 localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CapFax] "C:\Program Files\Classic PhoneTools\CapFax.EXE "
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe "
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\windows\system32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O23 - Service: DiamondCS ProcessGuard Service v3.405 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  18. 2007/07/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    OK that's looking good.

    Did you or a program you have add this to your Host file?
    O1 - Hosts: 172.0.0.1 localhost

    OK, I would like to run an on-line scan.
    Please do this and post the results.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Thanks
    Geri
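    The `O1 - Hosts:` line Geri asks about is worth a closer look: `localhost` normally resolves to a loopback address (127.0.0.1 or ::1), and `172.0.0.1` is not loopback, so anything on the machine that talks to `localhost` would be sent off the box. The script below is an added example, not part of either poster's message and not a HijackThis feature: it pulls the entry out of a HijackThis `O1` line (or reads a hosts file directly), then flags `localhost` mapped to a non-loopback address and any other name redirected away from loopback. The sample hosts content and the `update.example-av.test` name are constructed for the example.

    ```python
    import ipaddress
    import re

    # Constructed sample hosts file. The first active entry reproduces the
    # "172.0.0.1 localhost" mapping reported in the HijackThis O1 item; the
    # other two lines are made up to show a harmless alias and a redirect.
    SAMPLE_HOSTS = """\
    # Copyright (c) 1993-1999 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    172.0.0.1       localhost
    127.0.0.1       mydevbox.local          # harmless: a loopback alias
    10.20.30.40     update.example-av.test  # constructed: a vendor-looking name sent elsewhere
    """

    # HijackThis prints hosts-file entries as "O1 - Hosts: <ip> <name...>".
    O1_PATTERN = re.compile(r"^\s*O1 - Hosts:\s*(.+?)\s*$")


    def o1_to_hosts_line(log_line):
        """Return the raw hosts entry from a HijackThis O1 line, or None if it is not one."""
        match = O1_PATTERN.match(log_line)
        return match.group(1) if match else None


    def parse_hosts(text):
        """Return [(ip, [names]), ...] for every active (non-comment) line in a hosts file."""
        entries = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
            if not line:
                continue
            parts = line.split()
            try:
                ip = ipaddress.ip_address(parts[0])
            except ValueError:
                continue  # malformed address token; the resolver ignores such lines too
            entries.append((ip, parts[1:]))
        return entries


    def check_hosts(text):
        """Return a list of (severity, message) findings for hosts-file content."""
        findings = []
        for ip, names in parse_hosts(text):
            for name in names:
                if name.lower() == "localhost" and not ip.is_loopback:
                    findings.append(("high", f"localhost mapped to {ip}, expected a loopback address"))
                elif not ip.is_loopback and not ip.is_unspecified:
                    # 0.0.0.0 is the usual "blackhole" value in ad-blocking hosts files,
                    # so it is left alone; anything else off-loopback is a redirect.
                    findings.append(("medium", f"{name} redirected to {ip} (non-loopback)"))
        return findings


    def check_hijackthis_o1(log_lines):
        """Run the hosts checks over the O1 items of a HijackThis log."""
        entries = [e for e in map(o1_to_hosts_line, log_lines) if e]
        return check_hosts("\n".join(entries))


    if __name__ == "__main__":
        for severity, message in check_hosts(SAMPLE_HOSTS):
            print(f"[{severity}] {message}")
        print(check_hijackthis_o1(["O1 - Hosts: 172.0.0.1 localhost"]))
    ```

    On the machine itself the file is `%SystemRoot%\system32\drivers\etc\hosts`; reading it with `check_hosts(open(path).read())` gives the same findings as the constructed sample. A `high` finding on `localhost` is the one to fix first, by restoring the `127.0.0.1 localhost` line.
    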
     
  19. 2007/07/18
    Helenster

    Helenster Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    30
    Likes Received:
    0
    I don't think I've done anything with my Host file.

    I've been trying to scan with Panda ActiveScan, but the window keeps closing by itself. It has happened 4 times already. :(
     
  20. 2007/07/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Helenster

    OK, let's try this one.

    Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Thanks
    Geri
     
  21. 2007/07/19
    Helenster

    Helenster Inactive Thread Starter

    Joined:
    2007/07/14
    Messages:
    30
    Likes Received:
    0
