Computer Forum > Computer Software > Computer Security
02-27-2007, 04:04 AM   #1
Virus, pop ups, slow speed

Hello,

Please help me. My computer was running well, then one day I started getting pop-up after pop-up even though the pop-up blocker was on, my firewall is on and everything. I did a virus scan: nothing. Then I installed a few things for spyware and adware, ran them and deleted them...

Then I got a pop-up; here is what I wrote down:
Object Name: C:\windows\system32\qferojfq.dll
Virus Name: Trojan.Vundo
Action Taken: unable to repair this file.
--Action taken: Access to file was denied.
---Action taken: unable to repair this file
----Action taken: access to file was denied.

(every -- is every time it popped up; it popped up several times)

My computer is lagging and is slow. I just want whatever is in my computer out, please help me.

Here is a SmitfraudFix log:
SmitFraudFix v2.128

Scan done at 20:04:13.89, Mon 02/26/2007
Run from C:\Documents and Settings\Zach\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\svchosts.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Zach


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Zach\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Zach\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Again, please help me; free programs for right now till I get more money. Thank you.
-- AudiPlayer
02-27-2007, 04:22 AM   #2

Usually the experts here will ask for a HijackThis! log, so you may want to go ahead and get that done to save time. Free, of course.
__________________
Formerly Starwarsman
HP A6120
Core2Duo e4400 @ 2.0 GHz
2GB DDR2 Ram
300GB SATA HDD
Vista Home Premium
-- Verve
02-27-2007, 04:27 AM   #3

Thank you, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:35 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net1.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\XP Tools\xptools.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\XP Tools\xptools.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\{00463C07-0AE9-1033-0808-030308020001}\Update.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Zach\Local Settings\Temp\wz1784\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\oirfqpwn.dll
O2 - BHO: (no name) - {FF6BA890-9B83-48EC-9575-6D9DC88A3140} - C:\WINDOWS\system32\gebbyxu.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XP Tools] "C:\Program Files\XP Tools\xptools.exe" /min
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: gebbyxu - C:\WINDOWS\SYSTEM32\gebbyxu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000229 (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Registry Service - Unknown owner - C:\WINDOWS\lsass.exe
Again, thank you.
-- AudiPlayer
02-27-2007, 04:31 AM   #4

For the svchosts.exe "bug" there are some free downloadable removal tools found at the Uniblue Process Library, seen at http://www.liutilities.com/products/...rary/svchosts/ There is also a free online scanner there, as well as at Trend Micro's HouseCall found at http://housecall.trendmicro.com/

Symantec, despite the folly of its Norton software, does offer a free removal tool for the variants of the Vundo trojan, found at http://www.majorgeeks.com/download4430.html

For direct removal of the "qferojfq.dll" file discovered in the Windows\system32 folder, simply boot the system up in safe mode for the manual removal, browsing directly to that subfolder. If you are still seeing problems later, some additional single-purpose removers are available at Grisoft's own site: http://www.grisoft.com/doc/34/us/crp/0

Once you have these items removed, run a pair of free tools and defrag your hard drive; use the defrag analyzer to see what percentage of fragmentation is seen. One of the best freewares for cleaning up the system registry works on all versions of Windows: http://www.majorgeeks.com/RegCleaner_d460.html

The other tool for cleaning up the hard drive and removing useless temp folders has a good nickname, "crap cleaner", otherwise known as CCleaner, found at http://www.ccleaner.com/
-- PC eye
02-27-2007, 04:52 AM   #5

Quote (originally posted by Starwarsman):
Usually the experts here will ask for a HijackThis! log, so you may want to go ahead and get that done to save time. Free, of course.
Actually, the combination of tools used provides a little more insight into the problems being seen. Besides the following entries that need to be fixed with HT, dumping Webroot's adbot-infested program would also be advised. Spysweeper likes to place "bots" and report them for you to buy the retail version.

The log clearly shows a pair of entries for the "isass.exe" bug as well as a few minor items good to remove.

C:\WINDOWS\lsass.exe

O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000229 (file missing)

O23 - Service: Windows Registry Service - Unknown owner - C:\WINDOWS\lsass.exe

While the above are the immediate concern,

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
-- PC eye
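A small triage script, added here as an example and not part of the thread or of HijackThis itself, that applies the checks PC eye walks through (the lsass.exe copy outside System32, the svchosts.exe look-alike, services with an unknown owner or missing file, the nameless BHO entries) to an excerpt of the log above. The heuristics, and the cross-check between a nameless O2 BHO and an O20 Winlogon Notify entry loading the same DLL, are my assumptions, not HijackThis's own logic.

```python
import re

# Heuristics below are triage assumptions, not HijackThis's own logic.
SYSTEM32 = r"c:\windows\system32"
CORE_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "svchost.exe", "spoolsv.exe"}
LOOKALIKES = {"svchosts.exe", "isass.exe", "scvhost.exe"}   # one-character impostors
PATH_RE = re.compile(r"^[a-z]:\\", re.I)                    # bare "Running processes" line


def _basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (line, reason) pairs for log entries worth reviewing."""
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    # Pass 1: DLLs loaded by nameless BHOs, for cross-checking Winlogon Notify entries.
    nameless_bho = {_basename(l.rsplit(" - ", 1)[-1]) for l in lines
                    if l.startswith("O2 - BHO: (no name)") and l.lower().endswith(".dll")}
    findings = []
    for line in lines:                                       # Pass 2: per-line checks
        low, reason = line.lower(), None
        if PATH_RE.match(line):
            name, parent = _basename(line), low.rsplit("\\", 1)[0]
            if name in LOOKALIKES:
                reason = f"look-alike of a core system binary: {name}"
            elif name in CORE_BINARIES and parent != SYSTEM32:
                reason = f"{name} running from {parent}, not System32"
        elif low.startswith("o23 - service:"):
            if "unknown owner" in low or "(file missing)" in low:
                reason = "service with unknown owner or missing binary"
        elif low.startswith("o2 - bho: (no name)"):
            reason = ("orphaned BHO entry" if "(no file)" in low
                      else "nameless BHO loading " + _basename(line.rsplit(" - ", 1)[-1]))
        elif low.startswith("o20 - winlogon notify:"):
            dll = _basename(line.rsplit(" - ", 1)[-1])
            if dll in nameless_bho:
                reason = f"Winlogon Notify DLL {dll} is also a nameless BHO"
        if reason:
            findings.append((line, reason))
    return findings


# Constructed excerpt of the thread's HijackThis log (real entries, trimmed).
SAMPLE_LOG = r"""C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FF6BA890-9B83-48EC-9575-6D9DC88A3140} - C:\WINDOWS\system32\gebbyxu.dll
O20 - Winlogon Notify: gebbyxu - C:\WINDOWS\SYSTEM32\gebbyxu.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000229 (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Registry Service - Unknown owner - C:\WINDOWS\lsass.exe
"""
```

Running `triage(SAMPLE_LOG)` flags six of the nine entries; the System32 copy of lsass.exe, the named NAV Helper BHO and the Lexmark service pass clean.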
02-27-2007, 04:59 AM   #6

Hello,
Thank you for your long reply and great insight. Please, what do I do first?
-- AudiPlayer
02-27-2007, 06:54 AM   #7

The registry items can be the first items right off. Once you have those removed, the "bugs" won't autoload along with Windows. If none of the removal tools above see the trojans removed or quarantined, the next step would be to boot the system up in safe mode to remove them manually. There, only the basic system files needed for Windows to load are running, without other processes or programs.

As you can see Norton by Symantec didn't give you much protection from the problems you are currently having. I had an earlier version of Norton running here several years ago after McAfee then was found ??? useless! Trend Micro's PC-cillin was evaluated here and found worth the investment for a retail product once you see this mess cleaned up. It combines a personal firewall along with adware and spyware removers in addition to the antivirus protection.
-- PC eye
02-27-2007, 11:40 PM   #8

Thank you for your time. I'm removing the stuff; I'll let you know how it goes. Thank you for your help.
-- AudiPlayer
02-28-2007, 05:44 AM   #9

If you simply downloaded a shareware version of Webroot's Spyware Sweeper, simply use the uninstaller to see that removed. There are several other freeware tools that will actually do a better job. But if you get stuck on something, don't hesitate to ask for help.
-- PC eye
02-28-2007, 10:55 PM   #10

I deleted the virus, and it came back? Any reasons why? I'm doing the safe mode delete try right now.
-- AudiPlayer
All times are GMT +1.