itsmeveve

dcads/spa_start Removal Help Needed


ComboFix 08-01-03.4 - MOM 2008-01-05 12:50:48.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.467 [GMT -5:00]

Running from: C:\Documents and Settings\MOM\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))

.

 

2008-01-03 15:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-01 01:57 . 2008-01-01 01:57 9 --a------ C:\WINDOWS\system32\1428841f

2007-12-31 04:29 . 2007-12-31 04:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-12-30 19:50 . 2007-12-31 02:41 <DIR> d-------- C:\Program Files\TrojanHunter 4.0

2007-12-30 15:09 . 2007-12-30 15:09 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Lavasoft

2007-12-30 15:07 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2007-12-30 15:07 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2007-12-30 14:51 . 2003-08-23 09:34 <DIR> d-------- C:\Documents and Settings\MOM\WINDOWS

2007-12-30 14:51 . 2003-08-28 22:16 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Symantec

2007-12-30 14:51 . 2003-08-23 09:12 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\Sonic

2007-12-30 14:51 . 2003-08-23 22:26 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\SampleView

2007-12-30 14:51 . 2003-08-28 22:19 <DIR> d-------- C:\Documents and Settings\MOM\Application Data\interMute

2007-12-30 13:33 . 2007-12-30 14:22 178 --a------ C:\WINDOWS\system\hpsysdrv .DAT

2007-12-29 09:08 . 2007-12-29 09:08 1,358,156 --a------ C:\WINDOWS\system32\silc.dat

2007-12-28 17:31 . 2007-12-28 17:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Viewpoint

2007-12-28 16:46 . 2003-05-07 13:01 8,464 --a------ C:\WINDOWS\system32\sporder.dll

2007-12-26 11:32 . 2007-12-26 13:03 <DIR> d-------- C:\Documents and Settings\chance.CONNIE\Application Data\Roxio

2007-12-24 15:09 . 2007-12-24 15:09 <DIR> d-------- C:\Program Files\Common Files\Napster Shared

2007-12-24 15:08 . 2008-01-05 12:31 <DIR> d-------- C:\Program Files\Napster

2007-12-24 15:08 . 2007-12-24 15:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield

2007-12-24 15:08 . 2007-12-24 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Napster

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-05 17:31 --------- d-----w C:\Program Files\Trojan Remover

2008-01-05 17:31 --------- d-----w C:\Program Files\QuickTime

2008-01-05 17:31 --------- d-----w C:\Program Files\Norton AntiVirus

2008-01-05 17:31 --------- d-----w C:\Program Files\Microsoft AntiSpyware

2008-01-05 17:31 --------- d-----w C:\Program Files\iTunes

2008-01-05 17:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-01-01 06:57 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe

2007-12-31 09:30 --------- d-----w C:\Program Files\Lavasoft

2007-12-31 09:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft

2007-12-31 09:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-12-31 00:24 --------- d-----w C:\Program Files\TrueAssistant

2007-12-30 19:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire

2007-12-29 14:29 --------- d-----w C:\Program Files\Warcraft II BNE

2007-12-29 03:04 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-12-27 23:32 28,352 -c--a-w C:\WINDOWS\system32\drivers\MxlW2k.sys

2007-12-27 22:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio

2007-12-24 20:09 --------- d-----w C:\Program Files\Common Files\Roxio Shared

2007-11-26 05:22 --------- d-----w C:\Program Files\Hewlett-Packard

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe

2005-07-31 16:18 2,492 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat

2005-07-25 20:12 284 ----a-w C:\Documents and Settings\chance.CONNIE\Application Data\ViewerApp.dat

2004-12-30 04:14 868 -c--a-w C:\Program Files\INSTALL.LOG

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-26 16:03 160832]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .exe" [ ]

 

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\

AutoTBar.exe [2003-06-18 21:19:08]

mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

 

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\

AutoTBar.exe [2007-12-30 14:05:47]

mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk

backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^AutoTBar.exe]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AutoTBar.exe

backup=C:\WINDOWS\pss\AutoTBar.exeStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RegFreeze.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\RegFreeze.lnk

backup=C:\WINDOWS\pss\RegFreeze.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TrueAssistant.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TrueAssistant.lnk

backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A Verizon App]

C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]

C:\hp\bin\AUTOTKIT.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

2007-12-30 14:01 115816 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]

C:\WINDOWS\System32\hphmon05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

c:\windows\system\hpsysdrv.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

C:\HP\KBD\KBD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]

C:\Program Files\Napster\napster.exe /systray

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]

rundll32.exe nview.dll,nViewLoadHook

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /installquiet /keeploaded /nodetect

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

2007-12-30 14:03 26248 --a------ C:\Program Files\Norton AntiVirus\osCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

C:\WINDOWS\system32\ps2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]

c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\qttask .exe -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]

C:\Program Files\Real\RealOne Player\realplay.exe /RunUPGToolCommandReBoot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

C:\WINDOWS\SMINST\RECGUARD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

C:\Program Files\Trojan Remover\Trjscan.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]

C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]

wfxsnt40.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]

C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe -preload

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"omniserv"=2 (0x2)

"iPodService"=3 (0x3)

"Automatic LiveUpdate Scheduler"=2 (0x2)

 

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]

 

.

Contents of the 'Scheduled Tasks' folder

"2005-01-10 19:56:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"

- C:\Program Files\Easy Internet signup\HPSdpApp.exe

"2004-10-20 19:18:49 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1090250881.job"

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I

"2008-01-05 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"

- C:\PROGRA~1\NORTON~2\Navw32.exeh/TASK:

"2008-01-04 20:58:00 C:\WINDOWS\Tasks\WebReg 20040502155831.job"

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20040502155831 /N

"2008-01-05 02:03:00 C:\WINDOWS\Tasks\WebReg 20041024210327.job"

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20041024210327 /N

"2008-01-04 19:03:00 C:\WINDOWS\Tasks\WebReg 20041027140322.job"

- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20041027140322 /N

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-05 12:59:37

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\Program Files\Softex\OmniPass\opxpgina.dll

.

Completion time: 2008-01-05 13:01:11

ComboFix-quarantined-files.txt 2008-01-05 18:01:00

ComboFix2.txt 2008-01-05 10:09:14

ComboFix3.txt 2008-01-04 16:46:55

ComboFix4.txt 2008-01-03 22:12:28

.

2007-12-30 21:32:20 --- E O F ---


Hi,

 

Navigate to and delete next file:

 

C:\WINDOWS\system32\1428841f

 

* Go to start > run and copy and paste next command in the field:

 

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

 

Then post the results from the online scanner in your next reply.


The infected computer is online now and is scanning on "ESET"; it seems it is going to take a while and that's ok, I'll post back whenever it gets done. I wonder if you are allowed to suggest some way to keep kids out of trouble online as far as not being able to download things that could be dangerous to be on the computer, so it is a long time before we run into this kind of trouble again.

Also before I contacted you I ran SpyBot and found a keylogger on the computer that I let SpyBot remove. SpyBot information on it said that it had to be installed manually, so that means that it wasn't put there by spyware? Is that correct?


# version=4

# OnlineScanner.ocx=1.0.0.56

# OnlineScannerDLLA.dll=1, 0, 0, 51

# OnlineScannerDLLW.dll=1, 0, 0, 51

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=2766 (20080104)

# vers_arch_module=1.060 (20071228)

# vers_adv_heur_module=1.064 (20070717)

# EOSSerial=8b4928ed44a4804ca4775c2260a8d3c7

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2008-01-05 10:06:15

# local_time=2008-01-05 05:06:15 (-0500, Eastern Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 2

# scanned=719584

# found=12

# scan_time=13691

C:\Documents and Settings\Owner\Shared\[Full] black and white 2 with Bonus.zip Win32/Adware.TrafficSol application (deleted) 00000000000000000000000000000000

C:\Documents and Settings\Owner\Shared\[Full] black and white 2 with Bonus.zip »ZIP »setup.exe Win32/Adware.TrafficSol application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

C:\Documents and Settings\Owner\Shared\[Full] black and white 2 with Bonus.zip »ZIP »setup.exe »NSIS »bann.exe Win32/Adware.TrafficSol application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

C:\Documents and Settings\Owner\Shared\[Full] black and white 2 with Bonus.zip »ZIP »setup.exe »NSIS »bann.exe »NSIS »gzmrotate.dll Win32/Adware.TrafficSol application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

C:\QooBox\Quarantine\catchme2008-01-03_170411.81.zip Win32/Adware.Virtumonde application (deleted) 00000000000000000000000000000000

C:\QooBox\Quarantine\catchme2008-01-03_170411.81.zip »ZIP »awtrrrp.dll Win32/Adware.Virtumonde application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.tmp.vir a variant of Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir probably a variant of Win32/TrojanDropper.VB.NAI trojan (deleted) 00000000000000000000000000000000

C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir »ZIP »Setup.exe probably a variant of Win32/TrojanDropper.VB.NAI trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

C:\QooBox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir probably a variant of Win32/TrojanDropper.VB.NAI trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\QooBox\Quarantine\C\WINDOWS\system32\rlvknlg.exe.vir probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ini IRC/Zapchast trojan (unable to clean - deleted) 00000000000000000000000000000000


Hi,

 

I see Eset could deal with the leftovers properly.

 

Also before I contacted you I ran SpyBot and found a keylogger on the computer that I let SpyBot remove. SpyBot information on it said that it had to be installed manually, so that means that it wasn't put there by spyware? Is that correct?
Yes, but we already deleted that one in one of my first instructions (the CFScript you made).

That's why I also told you that it was important you changed all your passwords afterwards because they are known.

 

I asked you to fix these entries in HijackThis previously:

 

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

 

Since we have restored the infected files, we need to restore these entries again.

To do this, open HijackThis, click Misc Tools below > Backups on top and there you'll see all the entries you have fixed in HijackThis previously.

Select ONLY above entries and click "Restore".

In case your Antivirus won't work anyway - I suggest you reinstall Norton as it may be possible that some related components were damaged by malware anyway.

 

Then, * Go to start > run and copy and paste next command in the field:

 

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

 

I wonder if you are allowed to suggest some way to keep kids out of trouble online as far as not being able to download things that could be dangerous to be on the computer, so it is a long time before we run into this kind of trouble again.
I don't know how old your kids are - but as a first step, I would start with creating a single user account for them with restricted rights and password-protecting your own user account.

See here: http://www.microsoft.com/windowsxp/using/s...p/accounts.mspx or here: http://cybercoyote.org/security/not-admin.shtml

 

Also, I see P2P software installed here, for example LimeWire and Napster. P2P software is ALWAYS a risk, because you can never be sure what you download. It doesn't mean that, if your Antivirus flags the file as clean, it is really clean. The Eset online scan already proved it:

 

C:\Documents and Settings\Owner\Shared\[Full] black and white 2 with Bonus.zip Win32/Adware.TrafficSol application (deleted)

 

This is a file that was downloaded via Limewire and is infected. Norton didn't flag/delete it previously. Now Eset did.

So if you don't want this to happen again, I suggest you uninstall the P2P Software. After all, downloading software from there is ALWAYS a risk. Get your software from the developers site, not via P2P.

 

But the best prevention is still.... Explain to your kids why it is so important that they should be careful. Explain to them what they have caused (all passwords are known, A LOT of infections present etc.) and explain how to prevent this by reading this page: http://users.telenet.be/bluepatchy/miekiem...prevention.html

 

Then post a new HijackThis log in your next reply and let me know how things are now.


Logfile of HijackThis v1.99.1

Scan saved at 10:46:05 AM, on 1/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


I did the remove ComboFix yesterday when you asked me to, so it wouldn't run today since it couldn't find the file.

 

My daughter thought that she took LimeWire out of the computer before she brought it to me to fix. I have seen bits and pieces of it in here. I don't see it in add and remove programs.

We had plans to take Nortons out of this computer and run AVG free, after all the problems were gone. I switched to AVG from Nortons on my own computer about a year ago, and I'm very happy with it and it is not as much of a resource hog.

The computer is much much better now!

The kids cover all ages since there are five of them LOL

I want to thank you for your help with this problem, and for being so quick about it also. You are greatly appreciated. I have never tried a forum to fix a problem, I can usually figure it out; this one stumped me though. Thanks for making my first experience a good one.


Hi,

 

Check and fix next unnecessary entry in HijackThis:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

 

The rest looks OK again. :unsure:

 

Yes, you're right. I forgot that I already told you to uninstall/delete Combofix previously. :)

 

Yes, it's also a good idea to use AVG Antivirus now. Don't forget to uninstall Norton before you install another Antivirus, because more than 1 Antivirus installed may cause a lot of problems.

 

Since your kids cover all ages, for the oldest ones I would teach them about safe surfing etc., since I am sure giving them limited access won't help much. They will figure out anyway how to work around that :D

For the younger ones, it may be a good idea to create an extra user account with limited access.

And in case you have kids who are very young (let's say 6 - 8 years old), I would suggest Glubble: http://www.glubble.com/

But for that you need Firefox as your browser - and I recommend Firefox anyway to surf with, because it's more secure (malware mainly targets Internet Explorer also).

 

And glad I could help.

 

Happy surfing again :)

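As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python parser for the HijackThis v1.99.1 log format posted above. It pulls out the R0/R1 Internet Explorer settings, O4 Run entries and O23 services, then runs the three checks the helper did by eye: an IE setting pointing off Microsoft's hosts (the Search Bar entry), the restored O4 entries being present again, and Symantec services whose binary is reported as "(file missing)". The sample lines are constructed from the posted log, and the trusted-host list is an assumption to tune for your own machine.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: a few lines in the shape of the HijackThis v1.99.1 log
# posted in the thread (R0/R1 IE settings, an O2 BHO, O4 Run entries, O23 services).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 registry form: "<hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O23 form: "Service: <display name> (<service name>) - <owner> - <binary path>"
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<svc>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.*)$")

# Assumption: hosts whose IE start/search settings count as benign; tune per environment.
TRUSTED_HOSTS = ("microsoft.com",)


@dataclass
class Entry:
    code: str                                   # section code, e.g. "R1", "O4", "O23"
    raw: str                                    # line body after the "Rn - " / "On - " prefix
    fields: dict = field(default_factory=dict)  # parsed pieces, empty for codes not handled


def parse_line(line: str):
    """Turn one HijackThis log line into an Entry, or None for header/process lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = Entry(code, body)
    if code in ("R0", "R1"):
        # "<hive\key>,<value name> = <url>"
        key, _, value = body.partition(" = ")
        regkey, _, name = key.rpartition(",")
        entry.fields = {"key": regkey, "name": name, "value": value}
    elif code == "O2" and body.startswith("BHO: "):
        parts = body[len("BHO: "):].split(" - ", 2)   # "<name> - {<CLSID>} - <path>"
        if len(parts) == 3:
            entry.fields = dict(zip(("name", "clsid", "path"), parts))
    elif code == "O4" and (m4 := O4_RE.match(body)):
        entry.fields = m4.groupdict()
    elif code == "O23" and (m23 := O23_RE.match(body)):
        entry.fields = m23.groupdict()
        entry.fields["file_missing"] = entry.fields["path"].endswith("(file missing)")
        entry.fields["path"] = entry.fields["path"].removesuffix(" (file missing)")
    return entry


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e]


def untrusted_ie_settings(entries, trusted=TRUSTED_HOSTS):
    """Names of R0/R1 values (start page, search URLs) pointing anywhere but a trusted host."""
    flagged = []
    for e in entries:
        if e.code not in ("R0", "R1") or e.fields["value"].startswith("about:"):
            continue
        host = urlsplit(e.fields["value"]).hostname or ""
        if not any(host == t or host.endswith("." + t) for t in trusted):
            flagged.append(e.fields["name"])
    return flagged


def run_entries(entries, hive=None):
    """Map O4 Run value name -> command, optionally limited to one hive ("HKLM"/"HKCU")."""
    return {e.fields["name"]: e.fields["cmd"] for e in entries
            if e.code == "O4" and "name" in e.fields
            and (hive is None or e.fields["hive"] == hive)}


def missing_run_entries(entries, expected):
    """Expected O4 Run names (e.g. the ones restored from HijackThis backups) absent from the log."""
    return sorted(set(expected) - set(run_entries(entries)))


def services_with_missing_file(entries):
    """O23 services whose binary HijackThis reported as '(file missing)'."""
    return [e.fields["svc"] or e.fields["display"] for e in entries
            if e.code == "O23" and e.fields.get("file_missing")]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("IE settings off Microsoft hosts:", untrusted_ie_settings(ents))
    print("Restored Run entries still absent:",
          missing_run_entries(ents, ["ccApp", "THGuard", "TkBellExe"]))
    print("Services whose binary is missing:", services_with_missing_file(ents))
```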

Thanks again,

Nortons is out .......... that was a nightmare in itself! But it's gone now and AVG is working! I had forgotten about Firefox and will install that before I return the computer to its owners. Oh, and I checked out Glubble. How cute :D

I will go do that last fix in HijackThis.


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you !
