Solved

Norton 360 V2 kills internet browsing after all updates are downloaded and applied

Posted on 2008-10-22
Last Modified: 2013-12-09
User stated that after Norton 360 V2 did an automatic update, they could not access any website with IE. The user stated that if the machine was in safe mode, they could access the internet. I was able to remove 360 with the Norton program cleaner software. I reinstalled Norton 360 V2 and restarted the machine. I was able to access websites with IE. Note the Windows firewall was turned off. I then had Norton update its files. Upon restart after all files were downloaded and installed, I was NOT able to access any websites. Thus I was able to recreate the user's problem.

Note XP Pro SP2 is installed on this computer

Thoughts?
thanks
Question by:stprovost

Expert Comment

by:phototropic
"...The user stated that if machine was in safe mode, they could access the internet..."

This implies that the pc is behind a router.  Have you configured the Norton firewall to allow network traffic?  Try adding the ip address of the router to Norton's trusted zone.  It definitely sounds like a firewall issue.




Author Comment

by:stprovost
Yes, the PC is behind a router. I have stated that the PC can access the internet in safe mode (hence Norton 360 is not running).
The other frustrating thing is I can't bring up Norton 360's control panel to change settings. I click on the icon to do this and nothing appears. I check the tasks running and it shows more than one instance of Norton running!
I am able to run a cmd window and use ping successfully.
I have searched Norton's website and this issue is not listed.
It appears that when Norton's LiveUpdate ran, a file was corrupted and Norton 360 can't run properly, thus preventing the background HTTP process from allowing access to web pages.
I have run the Norton support option and it whines that it can't access the internet!

any ideas?
thanks
stephen

Expert Comment

by:phototropic
If a Norton update appears to cause this problem, it must be specific to the particular software configuration of this pc - otherwise thousands of Norton users would be complaining long and loud.

"...I can't bring up norton 360's control panel to change settings. I click on the icon to do this and nothing appears..." Was the control panel accessible after the re-install, but then became inaccessible after the Norton update?   Some malware will attempt to disable av software.  Could you post a HijackThis scan log to check this out:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Download the installer. Click on "Do a system scan and save a logfile". Post the scan log here via the "attach code snippet" box below.

If a firewall is not configurable, then it is not much use.  If there is no malware present, and uninstalling/re-installing Norton does not help, you may be obliged to consider replacing Norton with an alternative av.

Author Comment

by:stprovost
phototropic: I have run the HijackThis tool per your request. Log is attached.
stephen
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:22 PM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\491a2c8e1582f5cdd01f8b3da4b8ef7d\update\update.exe
F:\hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Aim6]  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190748415906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: qkgtkync - C:\WINDOWS\SYSTEM32\fchafch.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O21 - SSODL: xElSxKlDRYi - {1C3B121C-B691-B8B6-3701-12F857B38BE0} - C:\WINDOWS\system32\lqps.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 8539 bytes


Expert Comment

by:phototropic
There is some infection showing in the HJT log.  It appears that you are running HJT from a removable drive:

F:\hijackthis\HiJackThis.exe

You should install HJT to the root directory in order for it to function properly.  

Please download Combofix to your desktop:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Close any open browsers.
Close/disable Norton 360 and any other anti malware programs so they do not interfere with the running of ComboFix. After Combofix is finished turn on/enable your anti virus again.
Double click on combofix.exe to run the programme and then follow the prompts.
When it has finished, a log will be produced.  Please post the content of this log ("C:\ComboFix.txt") along with a new HijackThis log into your next post, using the "attach code snippet" box below.


 

Author Comment

by:stprovost
phototropic: again, thanks for your help here. I have uninstalled Norton 360 V2 with the Symantec removal tool, restarted the computer and ran ComboFix and HijackThis (from the root drive C:).
Attached are the two log reports.
stephen
ComboFix 08-10-25.01 - roger hill 2008-10-27 19:46:42.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1674 [GMT -4:00]
Running from: C:\antivirus utilities\ComboFix.exe
Command switches used :: C:\antivirus utilities\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\anne hill\Application Data\rhcg20j0en4e
C:\Documents and Settings\anne hill\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\roger hill\Application Data\install.dat
C:\Documents and Settings\roger hill\Application Data\rhcg20j0en4e
C:\Program Files\dns
C:\Program Files\dns\affid.dat
C:\Program Files\dns\regexp.dat
C:\Program Files\dns\regexpDate.dat
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\SoftwareOnline
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\msvbs32.dll
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\advvpi32.dll
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\f11WtR
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\fchafch.dll . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC355
-------\Legacy_SNFPLKNU
-------\Legacy_SVCPROC
-------\Legacy_SYSREST.SYS
-------\Legacy_WIFICONF
-------\Service_snfplknu
-------\Service_wificonf


(((((((((((((((((((((((((   Files Created from 2008-09-27 to 2008-10-27  )))))))))))))))))))))))))))))))
.

2008-10-27 18:59 . 2008-10-27 18:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-27 18:57 . 2008-10-27 19:41	<DIR>	d--------	C:\antivirus utilities
2008-10-21 23:24 . 2008-10-22 00:00	<DIR>	d--------	C:\norton files
2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Program Files\Viewpoint
2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-06 19:34 . 2008-10-06 19:34	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 23:09	---------	d-----w	C:\Documents and Settings\roger hill\Application Data\Symantec
2008-10-27 23:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-10-27 22:42	---------	d-----w	C:\Program Files\Lx_cats
2008-10-11 04:32	---------	d-----w	C:\Program Files\AIM6
2008-10-11 04:02	---------	d-----w	C:\Program Files\Common Files\AOL
2008-10-11 04:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2008-10-11 03:46	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-09-24 23:19	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-09-24 23:19	---------	d-----w	C:\Program Files\epson
2008-09-24 01:48	---------	d-----w	C:\Program Files\Greetings Workshop
2008-09-24 01:43	---------	d-----w	C:\Program Files\Google
2008-09-23 03:02	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Visual Networks
2008-09-23 01:50	---------	d-----w	C:\Program Files\Yahoo!
2008-09-23 01:19	---------	d-----w	C:\Documents and Settings\katie hill\Application Data\Lavasoft
2008-08-28 10:04	333,056	----a-w	C:\WINDOWS\system32\drivers\srv.sys
2008-08-27 21:51	0	----a-w	C:\WINDOWS\system32\drivers\6f5055ed.sys
2007-08-30 13:52	13,416,432	----a-w	C:\Program Files\Google_Earth_BZXD.exe
2007-08-11 00:54	336	--sha-w	C:\WINDOWS\SYSTEM32\473633307.dat
2007-08-01 00:50	1,614	--sha-w	C:\WINDOWS\SYSTEM32\index.dat
.

------- Sigcheck -------

2008-04-13 20:12  14336  27c6d03bcdb8cfeb96b716f3d8be3e18	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 07:00  17408  0ae2bc52e4ec8d5778a971108bea049e	C:\WINDOWS\SYSTEM32\svchost.exe

2008-04-13 20:12  507904  ed0ef0a136dec83df69f04118870003e	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-08-28 12:11  506368  5e2d1fc323ba6da764576669411a8c54	C:\WINDOWS\SYSTEM32\winlogon.exe

2007-06-13 06:23  1035776  b3f496cd4e3fcf90d0d9276b12924aea	C:\WINDOWS\explorer.exe
2007-06-13 07:26  1033216  7712df0cdde3a5ac89843e61cd5b3658	C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-24 22:13  1032192  a0732187050030ae399b241436565e64	C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12  1033728  12896823fb95bfb3dc9b46bcaedc9923	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe

2008-04-13 20:12  108544  0e776ed5f7cc9f94299e70461b7b8185	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-04 07:00  110592  4ff8c4d5438f40de79b6531b3b238dbd	C:\WINDOWS\SYSTEM32\services.exe

2008-04-13 20:12  13312  bf2466b3e18e970d8a976fb95fc1ca85	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-04 07:00  14848  f5775337f73310b286acc79116e4ae03	C:\WINDOWS\SYSTEM32\lsass.exe

2005-06-10 20:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788	C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00  57856  7435b108b935e42ea92ca94f59c8e717	C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 20:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-06-10 19:53  58880  b13467e8b0a4660c868daa84aa0e3e19	C:\WINDOWS\SYSTEM32\spoolsv.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CACC3D-0F13-4F55-B082-98B2005AE692}]
2008-10-27 19:53	105472	--a------	c:\windows\system32\fchafch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3EB692B-749C-47C0-8371-3772760C05FD}]
2008-10-03 15:37	121088	--a------	c:\windows\system32\hwoovvpv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-09 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

C:\Documents and Settings\katie hill\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-11-09 36953]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 vbhudwaz;Microsoft RPC API Helper;C:\WINDOWS\system32\drivers\vbhudwaz.sys [2004-08-04 23424]
R2 LXCECustomerConnect;LXCECustomerConnect;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe [2005-07-20 57344]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 6f5055ed;6f5055ed;C:\WINDOWS\system32\drivers\6f5055ed.sys [2008-08-27 0]
S2 Ca536av;DV 4500(Video);C:\WINDOWS\system32\Drivers\Ca536av.sys [ ]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-05-13 83552]
S3 USBCamera;DV 4500(Still);C:\WINDOWS\system32\Drivers\Bulk536.sys [ ]
S4 Terasc;Terasc;C:\WINDOWS\system32\drivers\voldbhk5.sys [ ]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKU-Default-Run-Aim6 - (no file)
SSODL-xElSxKlDRYi-{1C3B121C-B691-B8B6-3701-12F857B38BE0} - C:\WINDOWS\system32\lqps.dll
Notify-= - (no file)
Notify-tt - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyServer = 168.94.74.68:8080
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 19:54:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxceserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\lxcecoms.exe
.
**************************************************************************
.
Completion time: 2008-10-27 20:00:40 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-28 00:00:35

Pre-Run: 52,389,335,040 bytes free
Post-Run: 52,883,742,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

219	--- E O F ---	2008-10-26 22:50:30
 
 

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:56 PM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\explorer.exe
C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190748415906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 5996 bytes

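The Reg Loading Points section of the ComboFix output above shows the Security Center notification flags set (AntiVirusDisableNotify, UpdatesDisableNotify, FirewallOverride), DisableMonitoring set under Monitoring and its Symantec subkeys, the standard-profile firewall policy with EnableFirewall = 0 (the question already says the Windows firewall was off), and two Symantec service keys (SAVRT, SNDSrvc) whose ImagePath has been replaced by "-". The script below is an added example, not ComboFix code and not from the thread: it parses that REGEDIT4-style dump into a key/value tree and reports those conditions. The sample text is copied from the log above; the value renderings it understands (including ComboFix's "0 (0x0)" form), the lower-cased key paths it matches, and the rule set are this example's assumptions. One caveat a practitioner would keep in mind: third-party suites also write some of these Security Center values when they register, so a hit is a lead to compare against what is actually installed, not proof of tampering on its own.

```python
"""Audit a REGEDIT4-style registry dump (as ComboFix prints under
"Reg Loading Points") for security-product tampering indicators.

Added example, not from the thread or from ComboFix. SAMPLE_REG is copied
from the log posted above; the accepted value renderings, the key paths
and the rules are this example's own assumptions.
"""
import re

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
COMBOFIX_INT = re.compile(r"^(\d+)\s*\(0x[0-9a-f]+\)$", re.IGNORECASE)

# Key paths as ComboFix prints them (it abbreviates HKLM in some places),
# compared case-insensitively.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
SERVICE_KEY = re.compile(r"\\services\\[^\\]+$")


def _decode(value):
    """Turn a .reg value rendering into an int or str."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    m = COMBOFIX_INT.match(value)          # ComboFix renders some DWORDs as "0 (0x0)"
    if m:
        return int(m.group(1))
    return value


def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: decoded value}."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_LINE.match(line)
        if km:
            current = km.group("key").lower()
            tree.setdefault(current, {})
            continue
        vm = VALUE_LINE.match(line)
        if vm and current is not None:
            tree[current][vm.group("name").lower()] = _decode(vm.group("value"))
    return tree


def audit(tree):
    """Return (key, value_name, description) for each tampering indicator."""
    findings = []
    sc = tree.get(SECURITY_CENTER, {})
    for name in ("antivirusdisablenotify", "updatesdisablenotify", "firewalloverride"):
        if sc.get(name) == 1:
            findings.append((SECURITY_CENTER, name, "Security Center alert suppressed"))
    for key, values in tree.items():
        if key.startswith(SECURITY_CENTER + "\\monitoring") and values.get("disablemonitoring") == 1:
            findings.append((key, "disablemonitoring", "Security Center monitoring disabled"))
        if SERVICE_KEY.search(key) and values.get("imagepath") == "-":
            findings.append((key, "imagepath", "service ImagePath replaced with '-'"))
    if tree.get(FIREWALL_PROFILE, {}).get("enablefirewall") == 0:
        findings.append((FIREWALL_PROFILE, "enablefirewall", "Windows Firewall disabled in standard profile"))
    return findings


if __name__ == "__main__":
    for key, name, description in audit(parse_reg(SAMPLE_REG)):
        print(f"{description}: [{key}] {name}")
```

On the sample this yields nine findings. The service rule only matches keys that end in `\services\<name>`, so the firewall policy key (which also contains `\services\`) is not mistaken for a service; the Security Center rule matches the Monitoring key and every subkey beneath it, which is where per-product entries such as SymantecAntiVirus live.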
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 23

Expert Comment

by:phototropic
There is still some infection present.

Please copy/paste the following into notepad
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\fchafch.dll
C:\WINDOWS\system32\hwoovvpv.dll
------------------------------------------------------------------------

Save it as CFScript.txt to your desktop.
Drag the CFScript.txt into ComboFix.exe.
Combofix will restart.
When it is finished, please post the combofix log and a fresh Hijackthis scan log.
 

Author Comment

by:stprovost
phototropic - I have run the ComboFix script and have attached the result logs per your request.
ComboFix results:

ComboFix 08-10-25.01 - roger hill 2008-10-28 19:25:07.2 - NTFSx86

Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1686 [GMT -4:00]

Running from: C:\antivirus utilities\ComboFix.exe

Command switches used :: F:\antivirus utilities\AnnHills computer\CFScript.txt

 * Created a new restore point
 

FILE ::

C:\WINDOWS\system32\fchafch.dll

C:\WINDOWS\system32\hwoovvpv.dll

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\WINDOWS\system32\fchafch.dll . . . . failed to delete

C:\WINDOWS\system32\hwoovvpv.dll . . . . failed to delete
 

.

(((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-28  )))))))))))))))))))))))))))))))

.
 

2008-10-27 20:07 . 2008-10-27 20:07	<DIR>	d--------	C:\Program Files\Trend Micro

2008-10-27 20:07 . 2008-10-26 18:40	401,720	--a------	C:\HiJackThis.exe

2008-10-27 18:59 . 2008-10-27 18:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NortonInstaller

2008-10-27 18:57 . 2008-10-27 20:05	<DIR>	d--------	C:\antivirus utilities

2008-10-21 23:24 . 2008-10-22 00:00	<DIR>	d--------	C:\norton files

2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Program Files\Viewpoint

2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Viewpoint

2008-10-06 19:34 . 2008-10-06 19:34	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-27 23:09	---------	d-----w	C:\Documents and Settings\roger hill\Application Data\Symantec

2008-10-27 23:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared

2008-10-27 22:42	---------	d-----w	C:\Program Files\Lx_cats

2008-10-11 04:32	---------	d-----w	C:\Program Files\AIM6

2008-10-11 04:02	---------	d-----w	C:\Program Files\Common Files\AOL

2008-10-11 04:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL

2008-10-11 03:46	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL Downloads

2008-09-24 23:19	---------	d--h--w	C:\Program Files\InstallShield Installation Information

2008-09-24 23:19	---------	d-----w	C:\Program Files\epson

2008-09-24 01:48	---------	d-----w	C:\Program Files\Greetings Workshop

2008-09-24 01:43	---------	d-----w	C:\Program Files\Google

2008-09-23 03:02	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Visual Networks

2008-09-23 01:50	---------	d-----w	C:\Program Files\Yahoo!

2008-09-23 01:19	---------	d-----w	C:\Documents and Settings\katie hill\Application Data\Lavasoft

2008-08-28 10:04	333,056	----a-w	C:\WINDOWS\system32\drivers\srv.sys

2007-08-30 13:52	13,416,432	----a-w	C:\Program Files\Google_Earth_BZXD.exe

2007-08-11 00:54	336	--sha-w	C:\WINDOWS\SYSTEM32\473633307.dat

2007-08-01 00:50	1,614	--sha-w	C:\WINDOWS\SYSTEM32\index.dat

.
 

------- Sigcheck -------
 

2008-04-13 20:12  14336  27c6d03bcdb8cfeb96b716f3d8be3e18	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe

2004-08-04 07:00  17408  0ae2bc52e4ec8d5778a971108bea049e	C:\WINDOWS\SYSTEM32\svchost.exe
 

2008-04-13 20:12  507904  ed0ef0a136dec83df69f04118870003e	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe

2008-08-28 12:11  506368  5e2d1fc323ba6da764576669411a8c54	C:\WINDOWS\SYSTEM32\winlogon.exe
 

2007-06-13 06:23  1035776  b3f496cd4e3fcf90d0d9276b12924aea	C:\WINDOWS\explorer.exe

2007-06-13 07:26  1033216  7712df0cdde3a5ac89843e61cd5b3658	C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-24 22:13  1032192  a0732187050030ae399b241436565e64	C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

2008-04-13 20:12  1033728  12896823fb95bfb3dc9b46bcaedc9923	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
 

2008-04-13 20:12  108544  0e776ed5f7cc9f94299e70461b7b8185	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe

2004-08-04 07:00  110592  4ff8c4d5438f40de79b6531b3b238dbd	C:\WINDOWS\SYSTEM32\services.exe
 

2008-04-13 20:12  13312  bf2466b3e18e970d8a976fb95fc1ca85	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe

2004-08-04 07:00  14848  f5775337f73310b286acc79116e4ae03	C:\WINDOWS\SYSTEM32\lsass.exe
 

2005-06-10 20:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788	C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-04 07:00  57856  7435b108b935e42ea92ca94f59c8e717	C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe

2008-04-13 20:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe

2005-06-10 19:53  58880  b13467e8b0a4660c868daa84aa0e3e19	C:\WINDOWS\SYSTEM32\spoolsv.exe

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CACC3D-0F13-4F55-B082-98B2005AE692}]

2008-10-27 19:53	105472	--a------	c:\windows\system32\fchafch.dll
 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3EB692B-749C-47C0-8371-3772760C05FD}]

2008-10-03 15:37	121088	--a------	c:\windows\system32\hwoovvpv.dll
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]

"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]

"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]

"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]

"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-09 155648]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 

C:\Documents and Settings\katie hill\Start Menu\Programs\Startup\

Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]
 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-11-09 36953]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.SP54"= SP5X_32.DLL

"VIDC.SP55"= SP5X_32.DLL

"VIDC.SP56"= SP5X_32.DLL

"VIDC.SP57"= SP5X_32.DLL

"VIDC.SP58"= SP5X_32.DLL
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=
 

R0 vbhudwaz;Microsoft RPC API Helper;C:\WINDOWS\system32\drivers\vbhudwaz.sys [2004-08-04 23424]

R2 LXCECustomerConnect;LXCECustomerConnect;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe [2005-07-20 57344]

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S1 6f5055ed;6f5055ed;C:\WINDOWS\system32\drivers\6f5055ed.sys [2008-08-27 0]

S2 Ca536av;DV 4500(Video);C:\WINDOWS\system32\Drivers\Ca536av.sys [ ]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-05-13 83552]

S3 USBCamera;DV 4500(Still);C:\WINDOWS\system32\Drivers\Bulk536.sys [ ]

S4 Terasc;Terasc;C:\WINDOWS\system32\drivers\voldbhk5.sys [ ]

.

- - - - ORPHANS REMOVED - - - -
 

Notify-= - (no file)
 
 
 

**************************************************************************
 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-28 19:30:38

Windows 5.1.2600 Service Pack 2 NTFS
 

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

scanning hidden files ... 
 

scan completed successfully

hidden files: 0
 

**************************************************************************
 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]

"ImagePath"="-"
 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]

"ImagePath"="-"

.

------------------------ Other Running Processes ------------------------

.

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxceserv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\SYSTEM32\lxcecoms.exe

.

**************************************************************************

.

Completion time: 2008-10-28 19:37:15 - machine was rebooted

ComboFix-quarantined-files.txt  2008-10-28 23:37:10

ComboFix2.txt  2008-10-28 00:00:41
 

Pre-Run: 52,916,441,088 bytes free

Post-Run: 52,934,340,608 bytes free
 

154	--- E O F ---	2008-10-26 22:50:30
 

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:59:28 PM, on 10/28/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEserv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Lexmark 4300 Series\lxcemon.exe

C:\Program Files\Lexmark 4300 Series\ezprint.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\lxcecoms.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\HiJackThis.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"

O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190748415906

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe

O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
 

--

End of file - 6124 bytes

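The two logs posted above carry several indicators of the kind an expert reads off a HijackThis/ComboFix log by eye: an `R1` line forcing an IE proxy (`ProxyServer = 168.94.74.68:8080`), two `(no name)` BHOs in `system32` that ComboFix reported as "failed to delete", an `O23` service with "Unknown owner", driver entries whose file is zero bytes or missing, and Security Center / Windows Firewall registry values that switch monitoring off. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or Symantec: it scans log text for exactly those line shapes and returns a list of findings. The sample input is a constructed subset of lines copied from the logs above; the regular expressions and the rules for what counts as suspicious are this example's own assumptions, written against the formats seen on this page only.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of lines copied from the HijackThis and
# ComboFix logs posted above, embedded so the script runs with no real machine.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 vbhudwaz;Microsoft RPC API Helper;C:\WINDOWS\system32\drivers\vbhudwaz.sys [2004-08-04 23424]
S1 6f5055ed;6f5055ed;C:\WINDOWS\system32\drivers\6f5055ed.sys [2008-08-27 0]
S4 Terasc;Terasc;C:\WINDOWS\system32\drivers\voldbhk5.sys [ ]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-05-13 83552]
"""

# Line patterns are this example's own assumptions, written against the formats seen on this page.
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
DRIVER_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$")
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+))')

# Security Center values that, when non-zero, silence or override its monitoring.
SECURITY_CENTER_DISABLERS = {
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
    "AntiVirusOverride", "FirewallOverride", "DisableMonitoring",
}


@dataclass
class Finding:
    kind: str    # proxy | bho | service | driver | seccenter | firewall
    detail: str
    line: str    # the log line that produced the finding


def _reg_int(m):
    return int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))


def triage(log_text):
    """Return a list of Finding objects for the suspicious entries in log_text."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            # A proxy forced in Internet Settings affects IE but not ping or nslookup.
            findings.append(Finding("proxy", f"IE proxy forced to {m.group('proxy')}", line))
        elif m := BHO_RE.match(line):
            if m.group("name").strip().lower() == "(no name)":
                findings.append(Finding("bho", f"unnamed BHO {m.group('clsid')} -> {m.group('path')}", line))
        elif m := SERVICE_RE.match(line):
            if m.group("owner").strip().lower() == "unknown owner":
                findings.append(Finding("service", f"no vendor on service '{m.group('name')}': {m.group('path')}", line))
        elif m := DRIVER_RE.match(line):
            meta = m.group("meta").split()   # "[date size]", or "[ ]" when the file is gone
            if not meta:
                findings.append(Finding("driver", f"{m.group('svc')}: file not found ({m.group('path')})", line))
            elif meta[-1] == "0":
                findings.append(Finding("driver", f"{m.group('svc')}: zero-byte driver ({m.group('path')})", line))
        elif m := REG_KEY_RE.match(line):
            current_key = m.group("key").lower()   # ComboFix prints the key, then its values
        elif m := REG_VALUE_RE.match(line):
            name, value = m.group("name"), _reg_int(m)
            if "security center" in current_key and name in SECURITY_CENTER_DISABLERS and value != 0:
                findings.append(Finding("seccenter", f"{name}={value} under {current_key}", line))
            elif "firewallpolicy" in current_key and name == "EnableFirewall" and value == 0:
                findings.append(Finding("firewall", f"Windows Firewall off in {current_key}", line))
    return findings


def report(log_text=SAMPLE_LOG):
    """Findings as one printable string per entry."""
    return [f"{f.kind:9} {f.detail}" for f in triage(log_text)]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Run it as-is to see the ten findings for the sample, or pass the full text of a saved log to `triage()`. Two caveats a practitioner would want: the proxy line is worth checking on its own, because a proxy forced into Internet Settings breaks IE while `ping` from a cmd window still works; and ComboFix's "failed to delete" on the two BHO DLLs is consistent with their being loaded in Explorer or IE at the time, which is why the accepted answer has the follow-up tools run from safe mode.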
 
LVL 23

Accepted Solution

by:phototropic (earned 500 total points)
Infection still showing.

Please download SDFix to your desktop:

http://www.bleepingcomputer.com/files/sdfix.php

Double-click the icon; it will install to a folder in your root directory.
Reboot into safe mode.
Start - Run - C:\SDFix\RunThis.bat
Follow the prompts. Please post the log here.
Tutorial here:
http://www.bleepingcomputer.com/forums/topic131299.html


Could you also please download Malwarebytes' Antimalware:

http://www.malwarebytes.org/mbam.php

Make sure it is fully updated, then run it in safe mode.
Please post the log here.



 
 
LVL 23

Expert Comment

by:phototropic
I have just reviewed your last Combofix log.
Please copy/paste the following into notepad
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\fchafch.dll
C:\WINDOWS\system32\hwoovvpv.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CACC3D-0F13-4F55-B082-98B2005AE692}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3EB692B-749C-47C0-8371-3772760C05FD}]
------------------------------------------------------------------------

Save it as CFScript.txt to your desktop.
Drag the CFScript.txt into ComboFix.exe.
Combofix will restart.
When it is finished, please post the combofix log and a fresh Hijackthis scan log.

Thanks.
 

Author Closing Comment

by:stprovost
phototropic: I have used the four utilities you suggested with success!!!
I now have a four-program solution to nail this stupid malware stuff!!
Again, thanks for all your assistance.
Stephen
 
LVL 23

Expert Comment

by:phototropic
You're welcome.

Thanks for the points and grade...
