Solved

Norton 360 V2 kills internet browsing after all updates are downloaded and applied

Posted on 2008-10-22
872 Views
Last Modified: 2013-12-09
User stated that after Norton 360 V2 did an automatic update, they could not access any website with IE. The user stated that if machine was in safe mode, they could access the internet. I was able to remove 360 with the Norton program cleaner software. I reinstalled Norton 360 V2 and restarted machine. I was able to access websites with IE. Note the windows firewall was turned off. I then had Norton update its files. Upon restart after all files were downloaded and installed, I was NOT able to access any websites. Thus I was able to recreate the user's problem.

Note XP Pro SP2 is installed on this computer

Thoughts?
thanks
0
Question by:stprovost
12 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 22783811
"...The user stated that if machine was in safe mode, they could access the internet..."

This implies that the pc is behind a router.  Have you configured the Norton firewall to allow network traffic?  Try adding the ip address of the router to Norton's trusted zone.  It definitely sounds like a firewall issue.



0
 

Author Comment

by:stprovost
ID: 22801551
Yes, the pc is behind a router. I have stated that the pc can access the internet in safe mode (hence norton 360 is not running).
The other frustrating thing is I can't bring up norton 360's control panel to change settings. I click on the icon to do this and nothing appears. I check the tasks running and it shows more than one instance of norton running!
I am able to run a cmd window to use ping successfully.
I have searched norton's website and this issue is not listed.
It appears that when norton's live update ran, a file was corrupted and norton 360 can't run properly, thus preventing the background http process from allowing access to web pages.
I have run the norton support option and it whines that it can't access the internet!

any ideas?
thanks
stephen
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22806489
If a Norton update appears to cause this problem, it must be specific to the particular software configuration of this pc - otherwise thousands of Norton users would be complaining long and loud.

"...I can't bring up norton 360's control panel to change settings. I click on the icon to do this and nothing appears..." Was the control panel accessible after the re-install, but then became inaccessible after the Norton update?   Some malware will attempt to disable av software.  Could you post a HijackThis scan log to check this out:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Download the installer. Click on "Do a system scan and save a logfile". Post the scan log here via the "attach code snippet" box below.

If a firewall is not configurable, then it is not much use.  If there is no malware present, and uninstalling/re-installing Norton does not help, you may be obliged to consider replacing Norton with an alternative av.
0

 

Author Comment

by:stprovost
ID: 22809144
phototropic - I have run the hijack tool per your request. Log is attached.
stephen
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:22 PM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\491a2c8e1582f5cdd01f8b3da4b8ef7d\update\update.exe
F:\hijackthis\HiJackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Aim6]  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190748415906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: qkgtkync - C:\WINDOWS\SYSTEM32\fchafch.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O21 - SSODL: xElSxKlDRYi - {1C3B121C-B691-B8B6-3701-12F857B38BE0} - C:\WINDOWS\system32\lqps.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
 
--
End of file - 8539 bytes


0
 
LVL 23

Expert Comment

by:phototropic
ID: 22810591
There is some infection showing in the HJT log.  It appears that you are running HJT from a removable drive:

F:\hijackthis\HiJackThis.exe

You should install HJT to the root directory in order for it to function properly.  

Please download Combofix to your desktop:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Close any open browsers.
Close/disable Norton 360 and any other anti malware programs so they do not interfere with the running of ComboFix. After Combofix is finished turn on/enable your anti virus again.
Double click on combofix.exe to run the programme and then follow the prompts.
When it has finished, a log will be produced.  Please post the content of this log ("C:\ComboFix.txt") along with a new HijackThis log into your next post, using the "attach code snippet" box below.


0
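As an added illustration of what the expert is reading off the HijackThis log (example code of my own, not a tool from this thread or from Trend Micro): a small Python triage script that parses HJT lines and flags the entry types called out here, namely an unexpected IE ProxyServer, unnamed BHOs in system32, Winlogon Notify and SSODL entries, and services with an unknown owner or a missing binary. The sample lines are copied from the log posted above; the vowel-ratio "random-looking name" heuristic is my assumption and only supports the other signals.

```python
"""Triage of HijackThis v2 log lines: flag the entry types an analyst looks at first."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines in the HijackThis v2.0.2 format, copied from the log
# posted in this thread (the unnamed BHOs, the ProxyServer entry, the O20/O21/O23
# items) together with a few ordinary entries for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll
O20 - Winlogon Notify: qkgtkync - C:\WINDOWS\SYSTEM32\fchafch.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O21 - SSODL: xElSxKlDRYi - {1C3B121C-B691-B8B6-3701-12F857B38BE0} - C:\WINDOWS\system32\lqps.dll (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe (file missing)
"""

# (severity, HJT section code, human-readable reason)
Finding = Tuple[str, str, str]

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Crude heuristic (my assumption, not an HJT rule): a file or key name whose
    letters are almost all consonants, like fchafch or qkgtkync. Supporting
    evidence only: legitimate names such as ccSvcHst trip it as well."""
    stem = name.split(".")[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.3


def triage_line(line: str) -> Optional[Finding]:
    """Return a finding for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    missing = "(file missing)" in body
    body = body.replace("(file missing)", "").strip()
    target = body.rsplit(" - ", 1)[-1]                    # last field: usually the path
    fname = target.rstrip("\\").rsplit("\\", 1)[-1]       # file name part of the path
    label = body.split(": ", 1)[-1].rsplit(" - ", 1)[0]   # e.g. the Notify key name

    # R1: a per-user proxy redirects all IE traffic; confirm the user actually set it.
    if code == "R1" and "ProxyServer" in body:
        proxy = body.split("=", 1)[1].strip()
        return ("high", code, f"IE ProxyServer set to {proxy}; verify the user configured it")

    # O2: Browser Helper Objects load into every IE process. No name plus a
    # system32 path is the classic shape of an injected browser component.
    if code == "O2" and body.startswith("BHO: (no name)"):
        why = "unnamed BHO"
        if "system32" in target.lower():
            why += " loaded from system32"
        if looks_random(fname):
            why += ", random-looking file name"
        return ("high", code, f"{why}: {target}")

    # O20: Winlogon Notify packages are DLLs loaded by winlogon.exe at logon.
    # A bare directory or a consonant-soup name is not what legitimate software registers.
    if code == "O20":
        if not target.lower().endswith(".dll") or looks_random(label) or looks_random(fname):
            return ("high", code, f"Winlogon Notify '{label}' -> {target}")
        return None

    # O21: ShellServiceObjectDelayLoad entries start with the shell; rarely used by normal software.
    if code == "O21":
        sev = "high" if missing else "medium"
        return (sev, code, f"SSODL entry {target}" + (" (file missing)" if missing else ""))

    # O23: services without a publisher string are common (printer drivers), so that alone
    # is medium; an unknown owner whose binary is gone is a leftover of something removed.
    if code == "O23" and ("Unknown owner" in body or missing):
        sev = "high" if ("Unknown owner" in body and missing) else "medium"
        return (sev, code, f"service {target}" + (" (file missing)" if missing else ""))
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def severity_counts(findings: List[Finding]) -> dict:
    """Tally findings by severity so a long log can be summarised at a glance."""
    counts = {"high": 0, "medium": 0}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, code, reason in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {code:4} {reason}")
```

Run over the sample it reports eight findings, seven of them high; every flagged item still needs a human to confirm it, which is why the script only ranks and never deletes.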
 

Author Comment

by:stprovost
ID: 22818057
phototropic: again thanks for your help here. I have uninstalled norton 360 v2 with the Symantec removal tool, restarted the computer and run the combofix and hijack (from the root drive C:)
attached are the two log reports
stephen
ComboFix 08-10-25.01 - roger hill 2008-10-27 19:46:42.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1674 [GMT -4:00]
Running from: C:\antivirus utilities\ComboFix.exe
Command switches used :: C:\antivirus utilities\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\anne hill\Application Data\rhcg20j0en4e
C:\Documents and Settings\anne hill\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\roger hill\Application Data\install.dat
C:\Documents and Settings\roger hill\Application Data\rhcg20j0en4e
C:\Program Files\dns
C:\Program Files\dns\affid.dat
C:\Program Files\dns\regexp.dat
C:\Program Files\dns\regexpDate.dat
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\SoftwareOnline
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\msvbs32.dll
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\advvpi32.dll
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\f11WtR
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\fchafch.dll . . . . failed to delete
 
----- BITS: Possible infected sites -----
 
hxxp://www.spiralfrog.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_ASC355
-------\Legacy_SNFPLKNU
-------\Legacy_SVCPROC
-------\Legacy_SYSREST.SYS
-------\Legacy_WIFICONF
-------\Service_snfplknu
-------\Service_wificonf
 
 
(((((((((((((((((((((((((   Files Created from 2008-09-27 to 2008-10-27  )))))))))))))))))))))))))))))))
.
 
2008-10-27 18:59 . 2008-10-27 18:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-27 18:57 . 2008-10-27 19:41	<DIR>	d--------	C:\antivirus utilities
2008-10-21 23:24 . 2008-10-22 00:00	<DIR>	d--------	C:\norton files
2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Program Files\Viewpoint
2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-06 19:34 . 2008-10-06 19:34	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 23:09	---------	d-----w	C:\Documents and Settings\roger hill\Application Data\Symantec
2008-10-27 23:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-10-27 22:42	---------	d-----w	C:\Program Files\Lx_cats
2008-10-11 04:32	---------	d-----w	C:\Program Files\AIM6
2008-10-11 04:02	---------	d-----w	C:\Program Files\Common Files\AOL
2008-10-11 04:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2008-10-11 03:46	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-09-24 23:19	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-09-24 23:19	---------	d-----w	C:\Program Files\epson
2008-09-24 01:48	---------	d-----w	C:\Program Files\Greetings Workshop
2008-09-24 01:43	---------	d-----w	C:\Program Files\Google
2008-09-23 03:02	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Visual Networks
2008-09-23 01:50	---------	d-----w	C:\Program Files\Yahoo!
2008-09-23 01:19	---------	d-----w	C:\Documents and Settings\katie hill\Application Data\Lavasoft
2008-08-28 10:04	333,056	----a-w	C:\WINDOWS\system32\drivers\srv.sys
2008-08-27 21:51	0	----a-w	C:\WINDOWS\system32\drivers\6f5055ed.sys
2007-08-30 13:52	13,416,432	----a-w	C:\Program Files\Google_Earth_BZXD.exe
2007-08-11 00:54	336	--sha-w	C:\WINDOWS\SYSTEM32\473633307.dat
2007-08-01 00:50	1,614	--sha-w	C:\WINDOWS\SYSTEM32\index.dat
.
 
------- Sigcheck -------
 
2008-04-13 20:12  14336  27c6d03bcdb8cfeb96b716f3d8be3e18	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 07:00  17408  0ae2bc52e4ec8d5778a971108bea049e	C:\WINDOWS\SYSTEM32\svchost.exe
 
2008-04-13 20:12  507904  ed0ef0a136dec83df69f04118870003e	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-08-28 12:11  506368  5e2d1fc323ba6da764576669411a8c54	C:\WINDOWS\SYSTEM32\winlogon.exe
 
2007-06-13 06:23  1035776  b3f496cd4e3fcf90d0d9276b12924aea	C:\WINDOWS\explorer.exe
2007-06-13 07:26  1033216  7712df0cdde3a5ac89843e61cd5b3658	C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-24 22:13  1032192  a0732187050030ae399b241436565e64	C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12  1033728  12896823fb95bfb3dc9b46bcaedc9923	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
 
2008-04-13 20:12  108544  0e776ed5f7cc9f94299e70461b7b8185	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-04 07:00  110592  4ff8c4d5438f40de79b6531b3b238dbd	C:\WINDOWS\SYSTEM32\services.exe
 
2008-04-13 20:12  13312  bf2466b3e18e970d8a976fb95fc1ca85	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-04 07:00  14848  f5775337f73310b286acc79116e4ae03	C:\WINDOWS\SYSTEM32\lsass.exe
 
2005-06-10 20:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788	C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00  57856  7435b108b935e42ea92ca94f59c8e717	C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 20:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-06-10 19:53  58880  b13467e8b0a4660c868daa84aa0e3e19	C:\WINDOWS\SYSTEM32\spoolsv.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CACC3D-0F13-4F55-B082-98B2005AE692}]
2008-10-27 19:53	105472	--a------	c:\windows\system32\fchafch.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3EB692B-749C-47C0-8371-3772760C05FD}]
2008-10-03 15:37	121088	--a------	c:\windows\system32\hwoovvpv.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-09 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 
C:\Documents and Settings\katie hill\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-11-09 36953]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
 
R0 vbhudwaz;Microsoft RPC API Helper;C:\WINDOWS\system32\drivers\vbhudwaz.sys [2004-08-04 23424]
R2 LXCECustomerConnect;LXCECustomerConnect;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe [2005-07-20 57344]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 6f5055ed;6f5055ed;C:\WINDOWS\system32\drivers\6f5055ed.sys [2008-08-27 0]
S2 Ca536av;DV 4500(Video);C:\WINDOWS\system32\Drivers\Ca536av.sys [ ]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-05-13 83552]
S3 USBCamera;DV 4500(Still);C:\WINDOWS\system32\Drivers\Bulk536.sys [ ]
S4 Terasc;Terasc;C:\WINDOWS\system32\drivers\voldbhk5.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
 
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-Aim6 - (no file)
SSODL-xElSxKlDRYi-{1C3B121C-B691-B8B6-3701-12F857B38BE0} - C:\WINDOWS\system32\lqps.dll
Notify-= - (no file)
Notify-tt - (no file)
 
 
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyServer = 168.94.74.68:8080
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
 
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 19:54:07
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxceserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\lxcecoms.exe
.
**************************************************************************
.
Completion time: 2008-10-27 20:00:40 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-28 00:00:35
 
Pre-Run: 52,389,335,040 bytes free
Post-Run: 52,883,742,720 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
 
219	--- E O F ---	2008-10-26 22:50:30
 
 
HIJACK THIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:56 PM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\explorer.exe
C:\HiJackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190748415906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
 
--
End of file - 5996 bytes


0
 
LVL 23

Expert Comment

by:phototropic
ID: 22818236
There is still some infection present.

Please copy/paste the following into notepad
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\fchafch.dll
C:\WINDOWS\system32\hwoovvpv.dll
------------------------------------------------------------------------

Save it as CFScript.txt to your desktop.
Drag the CFScript.txt into ComboFix.exe.
Combofix will restart.
When it is finished, please post the combofix log and a fresh Hijackthis scan log.
0
 

Author Comment

by:stprovost
ID: 22827509
phototropic: I have run the ComboFix script and have attached the result logs per your request.
ComboFix results
ComboFix 08-10-25.01 - roger hill 2008-10-28 19:25:07.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1686 [GMT -4:00]
Running from: C:\antivirus utilities\ComboFix.exe
Command switches used :: F:\antivirus utilities\AnnHills computer\CFScript.txt
 * Created a new restore point
 
FILE ::
C:\WINDOWS\system32\fchafch.dll
C:\WINDOWS\system32\hwoovvpv.dll
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\fchafch.dll . . . . failed to delete
C:\WINDOWS\system32\hwoovvpv.dll . . . . failed to delete
 
.
(((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-28  )))))))))))))))))))))))))))))))
.
 
2008-10-27 20:07 . 2008-10-27 20:07	<DIR>	d--------	C:\Program Files\Trend Micro
2008-10-27 20:07 . 2008-10-26 18:40	401,720	--a------	C:\HiJackThis.exe
2008-10-27 18:59 . 2008-10-27 18:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-27 18:57 . 2008-10-27 20:05	<DIR>	d--------	C:\antivirus utilities
2008-10-21 23:24 . 2008-10-22 00:00	<DIR>	d--------	C:\norton files
2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Program Files\Viewpoint
2008-10-11 00:02 . 2008-10-11 00:02	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-06 19:34 . 2008-10-06 19:34	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 23:09	---------	d-----w	C:\Documents and Settings\roger hill\Application Data\Symantec
2008-10-27 23:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-10-27 22:42	---------	d-----w	C:\Program Files\Lx_cats
2008-10-11 04:32	---------	d-----w	C:\Program Files\AIM6
2008-10-11 04:02	---------	d-----w	C:\Program Files\Common Files\AOL
2008-10-11 04:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2008-10-11 03:46	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-09-24 23:19	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-09-24 23:19	---------	d-----w	C:\Program Files\epson
2008-09-24 01:48	---------	d-----w	C:\Program Files\Greetings Workshop
2008-09-24 01:43	---------	d-----w	C:\Program Files\Google
2008-09-23 03:02	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Visual Networks
2008-09-23 01:50	---------	d-----w	C:\Program Files\Yahoo!
2008-09-23 01:19	---------	d-----w	C:\Documents and Settings\katie hill\Application Data\Lavasoft
2008-08-28 10:04	333,056	----a-w	C:\WINDOWS\system32\drivers\srv.sys
2007-08-30 13:52	13,416,432	----a-w	C:\Program Files\Google_Earth_BZXD.exe
2007-08-11 00:54	336	--sha-w	C:\WINDOWS\SYSTEM32\473633307.dat
2007-08-01 00:50	1,614	--sha-w	C:\WINDOWS\SYSTEM32\index.dat
.
 
------- Sigcheck -------
 
2008-04-13 20:12  14336  27c6d03bcdb8cfeb96b716f3d8be3e18	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 07:00  17408  0ae2bc52e4ec8d5778a971108bea049e	C:\WINDOWS\SYSTEM32\svchost.exe
 
2008-04-13 20:12  507904  ed0ef0a136dec83df69f04118870003e	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-08-28 12:11  506368  5e2d1fc323ba6da764576669411a8c54	C:\WINDOWS\SYSTEM32\winlogon.exe
 
2007-06-13 06:23  1035776  b3f496cd4e3fcf90d0d9276b12924aea	C:\WINDOWS\explorer.exe
2007-06-13 07:26  1033216  7712df0cdde3a5ac89843e61cd5b3658	C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-24 22:13  1032192  a0732187050030ae399b241436565e64	C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12  1033728  12896823fb95bfb3dc9b46bcaedc9923	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
 
2008-04-13 20:12  108544  0e776ed5f7cc9f94299e70461b7b8185	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-04 07:00  110592  4ff8c4d5438f40de79b6531b3b238dbd	C:\WINDOWS\SYSTEM32\services.exe
 
2008-04-13 20:12  13312  bf2466b3e18e970d8a976fb95fc1ca85	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-04 07:00  14848  f5775337f73310b286acc79116e4ae03	C:\WINDOWS\SYSTEM32\lsass.exe
 
2005-06-10 20:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788	C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00  57856  7435b108b935e42ea92ca94f59c8e717	C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 20:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-06-10 19:53  58880  b13467e8b0a4660c868daa84aa0e3e19	C:\WINDOWS\SYSTEM32\spoolsv.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CACC3D-0F13-4F55-B082-98B2005AE692}]
2008-10-27 19:53	105472	--a------	c:\windows\system32\fchafch.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3EB692B-749C-47C0-8371-3772760C05FD}]
2008-10-03 15:37	121088	--a------	c:\windows\system32\hwoovvpv.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 192512]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 94208]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-09 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 
C:\Documents and Settings\katie hill\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-11-09 36953]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
 
R0 vbhudwaz;Microsoft RPC API Helper;C:\WINDOWS\system32\drivers\vbhudwaz.sys [2004-08-04 23424]
R2 LXCECustomerConnect;LXCECustomerConnect;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe [2005-07-20 57344]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 6f5055ed;6f5055ed;C:\WINDOWS\system32\drivers\6f5055ed.sys [2008-08-27 0]
S2 Ca536av;DV 4500(Video);C:\WINDOWS\system32\Drivers\Ca536av.sys [ ]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;C:\WINDOWS\system32\DRIVERS\m4301A.sys [2004-05-13 83552]
S3 USBCamera;DV 4500(Still);C:\WINDOWS\system32\Drivers\Bulk536.sys [ ]
S4 Terasc;Terasc;C:\WINDOWS\system32\drivers\voldbhk5.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
 
Notify-= - (no file)
 
 
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 19:30:38
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxceserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\lxcecoms.exe
.
**************************************************************************
.
Completion time: 2008-10-28 19:37:15 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-28 23:37:10
ComboFix2.txt  2008-10-28 00:00:41
 
Pre-Run: 52,916,441,088 bytes free
Post-Run: 52,934,340,608 bytes free
 
154	--- E O F ---	2008-10-26 22:50:30
 
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:28 PM, on 10/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HiJackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\windows\system32\fchafch.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\windows\system32\hwoovvpv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190748415906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LXCECustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCEserv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
 
--
End of file - 6124 bytes


0
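As an added triage aid (not part of this thread, and not code from HijackThis or ComboFix), the script below scans lines of the shape posted above and flags what a responder should verify first: the per-user ProxyServer setting under Internet Settings, which affects IE but not ping and so fits the "ping works, browser does not" symptom, unnamed BHOs loading from system32, and services with no owner string. The sample input is a constructed subset of the HijackThis log above.

```python
import re

# Constructed subset of the HijackThis log posted above (same line shapes).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 168.94.74.68:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {29CACC3D-0F13-4F55-B082-98B2005AE692} - c:\\windows\\system32\\fchafch.dll
O2 - BHO: (no name) - {D3EB692B-749C-47C0-8371-3772760C05FD} - c:\\windows\\system32\\hwoovvpv.dll
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

# Line formats as HijackThis 2.0.x prints them (O2 = BHO, R1 = IE registry value, O23 = service).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - (?P<key>.*?),ProxyServer = (?P<proxy>\S+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")


def triage_hijackthis(log_text):
    """Return (severity, item, reason) tuples for log lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            # A WinINET proxy is honoured by IE but ignored by ping, so a proxy the
            # user never configured explains "ping works, web pages do not".
            findings.append(("high", m.group("proxy"),
                             "IE proxy set in " + m.group("key") + "; confirm it is intended"))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                # Unnamed BHOs loaded from system32 hook every IE process; treat as suspect.
                findings.append(("high", m.group("path"),
                                 "unnamed BHO {" + m.group("clsid") + "} loading from system32"))
            continue
        m = SVC_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            # No vendor string is only a weak signal; list it for manual review.
            findings.append(("low", m.group("path"), "service without a vendor/owner string"))
    return findings


def high_severity_items(log_text):
    """Just the items that need verification before anything else is changed."""
    return [item for sev, item, _ in triage_hijackthis(log_text) if sev == "high"]


if __name__ == "__main__":
    for sev, item, why in triage_hijackthis(SAMPLE_LOG):
        print(f"[{sev:>4}] {item}: {why}")
```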
 
LVL 23

Accepted Solution

by:
phototropic earned 2000 total points
ID: 22828919
Infection still showing.

Please download SDFix to your desktop:

http://www.bleepingcomputer.com/files/sdfix.php

Double click the icon; it will install to a folder in your root directory.
Reboot into safe mode.
Start - Run - C:\SDFix\RunThis.bat
Follow the prompts. Please post the log here.
Tutorial here:
http://www.bleepingcomputer.com/forums/topic131299.html


Could you also please download Malwarebytes' Antimalware:

http://www.malwarebytes.org/mbam.php

Make sure it is fully updated, then run it in safe mode.
Please post the log here.



 
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22829043
I have just reviewed your last Combofix log.
Please copy/paste the following into notepad
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\fchafch.dll
C:\WINDOWS\system32\hwoovvpv.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CACC3D-0F13-4F55-B082-98B2005AE692}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3EB692B-749C-47C0-8371-3772760C05FD}]
------------------------------------------------------------------------

Save it as CFScript.txt to your desktop.
Drag the CFScript.txt into ComboFix.exe.
Combofix will restart.
When it is finished, please post the combofix log and a fresh Hijackthis scan log.

Thanks.
0
 

Author Closing Comment

by:stprovost
ID: 31511694
phototropic: I have used the four utilities you have suggested with success!!!
I now have a four program solution to nail this stupid malware stuff!!
again thanks for all your assistance.
stephen
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22843382
You're welcome.

Thanks for the points and grade...
0
