Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Newbie with some problems

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Newbie with some problems

Unread postby Crazylink » July 2nd, 2007, 11:09 pm

I was referred here by someone on another forum, they said that you guys would be more helpful.

Recently(yesterday) Avast intercepted a trojan on my computer. I think it installed some viruses and spyware. Can you check these logs and tell me what I should do?

Here's my Hijack This log
Logfile of HijackThis v1.99.1
Scan saved at 19:54, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:Program FilesSymantecLiveUpdateALUSchedulerSvc.exe
C:WINDOWSsystem32cquvlooe.exe
C:WINDOWSrunservice.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSSystem32svchost.exe
C:ComboFixcatchme.cfexe
C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
C:WINDOWSsystem32taskmgr.exe
C:Program FilesAlwil SoftwareAvast4ashWebSv.exe
C:WINDOWSSOUNDMAN.EXE
C:Program FilesAheadInCDInCD.exe
C:WINDOWSsystem32rundll32.exe
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:Program FilesQuickTimeqttask.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesHewlett-PackardDigital Imagingbinhpotdd01.exe
C:Program FilesHewlett-PackardDigital Imagingbinhpohmr08.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesRoad RunnerMedicRRMedic.exe
C:WINDOWSSystem32svchost.exe
C:PROGRA~1BROADJ~1CORREC~1CCD.exe
C:Program FilesHewlett-PackardDigital Imagingbinhpoevm08.exe
C:WINDOWSSystem32HPZipm12.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsUserDesktophijackthisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://rr.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [InCD] C:Program FilesAheadInCDInCD.exe
O4 - HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [NI.UWAS7_0001_N91M2703] "C:Program FilespoolsvWinAntiSpyware2007FreeInstall.exe" -nag
O4 - HKCU..Run: [MsnMsgr] "C:Program FilesMSN MessengerMsnMsgr.Exe" /background
O4 - Startup: Medic.lnk = C:Program FilesRoad RunnerMedicRRMedic.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:Program FilesAIMaim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:Documents and SettingsCaylaStart MenuProgramsIMVURun IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:PROGRA~1MSNMES~1MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:PROGRA~1MSNMES~1MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:WINDOWSSYSTEM32igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:WINDOWSSYSTEM32WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:Program FilesSymantecLiveUpdateALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:Program FilesAlwil SoftwareAvast4ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - - C:WINDOWSsystem32cquvlooe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:WINDOWSrunservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSSystem32HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedSecurity CenterSymWSC.exe


And this is my Combofix log
2003-04-14 12:58 24064 --a------ C:QooboxQuarantineCWINDOWSsystem32msxml3a.dll.vir
2007-07-01 16:08 38400 --a------ C:QooboxQuarantineCWINDOWSsvhost.exe.vir
2007-07-01 16:09 26171 --a------ C:QooboxQuarantineCWINDOWSsystem32xxyaxxv.dll.vir
2007-07-01 16:14 124436 --a------ C:QooboxQuarantineCWINDOWSsystem32rxmpqnyu.dll.vir
2007-07-01 16:14 1854829 --a------ C:QooboxQuarantineCWINDOWSsystem32cdeeg.bak1.vir
2007-07-01 16:14 263220 --a------ C:QooboxQuarantineCWINDOWSsystem32geedc.dll.vir
2007-07-01 16:15 999567 --a------ C:QooboxQuarantineCWINDOWSsystem32uynqpmxr.ini.vir
2007-07-01 16:17 62516 --a------ C:QooboxQuarantineCWINDOWSsystem32emjhycdo.dll.vir
2007-07-02 18:50 124436 --a------ C:QooboxQuarantineCWINDOWSsystem32rlagsyod.dll.vir
2007-07-02 19:25 62516 --a------ C:QooboxQuarantineCWINDOWSsystem32xjsbtini.dll.vir
2007-07-02 19:25 999626 --a------ C:QooboxQuarantineCWINDOWSsystem32doysgalr.ini.vir
2007-07-02 19:31 1862691 --a------ C:QooboxQuarantineCWINDOWSsystem32cdeeg.ini.vir


Folder PATH listing
Volume serial number is 9C99-24B3
C:QOOBOX
---Quarantine
+---Registry_backups
---C
---WINDOWS
| svhost.exe.vir
|
---system32
msxml3a.dll.vir
emjhycdo.dll.vir
rxmpqnyu.dll.vir
rlagsyod.dll.vir
xjsbtini.dll.vir
cdeeg.ini.vir
cdeeg.bak1.vir
uynqpmxr.ini.vir
doysgalr.ini.vir
xxyaxxv.dll.vir
geedc.dll.vir
Crazylink
Active Member
 
Posts: 2
Joined: July 2nd, 2007, 10:55 pm
Location: North Carolina
Advertisement
Register to Remove

Unread postby Crazylink » July 3rd, 2007, 4:03 am

Someone told me the logs were missing backslashes, so here's a new set. Sorry.


Logfile of HijackThis v1.99.1
Scan saved at 03:58, on 2007-07-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\ComboFix\catchme.cfexe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Road Runner\Medic\RRMedic.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\cquvlooe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cayla\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\cquvlooe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Combofix
2003-04-14 12:58 24064 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml3a.dll.vir
2007-07-01 16:08 38400 --a------ C:\Qoobox\Quarantine\C\WINDOWS\svhost.exe.vir
2007-07-01 16:09 26171 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyaxxv.dll.vir
2007-07-01 16:14 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rxmpqnyu.dll.vir
2007-07-01 16:14 1854829 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cdeeg.bak1.vir
2007-07-01 16:14 263220 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\geedc.dll.vir
2007-07-01 16:15 999567 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uynqpmxr.ini.vir
2007-07-01 16:17 62516 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\emjhycdo.dll.vir
2007-07-02 18:50 124436 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rlagsyod.dll.vir
2007-07-02 19:25 62516 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xjsbtini.dll.vir
2007-07-02 19:25 999626 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\doysgalr.ini.vir
2007-07-02 19:31 1862691 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cdeeg.ini.vir


Folder PATH listing
Volume serial number is 9C99-24B3
C:\QOOBOX
\---Quarantine
+---Registry_backups
\---C
\---WINDOWS
| svhost.exe.vir
|
\---system32
msxml3a.dll.vir
emjhycdo.dll.vir
rxmpqnyu.dll.vir
rlagsyod.dll.vir
xjsbtini.dll.vir
cdeeg.ini.vir
cdeeg.bak1.vir
uynqpmxr.ini.vir
doysgalr.ini.vir
xxyaxxv.dll.vir
geedc.dll.vir
Crazylink
Active Member
 
Posts: 2
Joined: July 2nd, 2007, 10:55 pm
Location: North Carolina

Unread postby 'KotaGuy » July 4th, 2007, 9:59 am

As you are being helped by sUBs here... I am locking and archiving this Topic. In the future please try to post to only one forum for help as you may otherwise take up the time of multiple helpers where only one is needed.

Thanks.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 292 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware