I Should Be Ok But Just In Case


17 replies to this topic

#1 nicktk1

nicktk1 (Members, 32 posts, Location: PA)

Posted 29 September 2007 - 11:01 AM

I just got rid of a few infections, just wanna make sure it's completely gone.
Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:36 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\RunDll32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
E:\Program Files\Java\jre1.6.0\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\OpenOffice.org 2.2\program\soffice.exe
E:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Java\jre1.6.0\bin\jucheck.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
E:\PROGRA~1\Mozilla Firefox\firefox.exe
E:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\PROGRA~1\PARENT~1\ParentalFilter.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: iebho Class - {296AE49F-E195-4835-895C-91788B938DF8} - E:\WINDOWS\ieiebho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - E:\WINDOWS\div32.dll
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [amd_dc_opt] E:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: OpenOffice.org 2.2.lnk = E:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\nick\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: mssql - {6950500F-1220-4C79-B94F-B48D2EEAAFBB} - E:\WINDOWS\mssql.dll
O21 - SSODL: syscore - {7F6260E3-E8BA-44E6-8D87-AAE1F16E345C} - E:\WINDOWS\syscore.dll
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\system32\xhaht.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4649 bytes


ohh trendy lol
I hear you calling setting fire to my soul. is this the voice we die for?
we die for life!!!!!
-Demon hunter


#2 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 29 September 2007 - 11:03 AM

Oh no, not good, my computer is saying I have to format Mr. C drive TT_TT HELP!!!!!!!!!!!
OK, tested out the partition on the C drive, got a quick blue screen and then a reset... so that's no good.
Running everything; almost done with Spybot and Stinger as well as Trend Micro. Will post a new HJT log soon, please, I need help!!!!
BTW, symptoms include (but are not limited to): at startup IE opens up as my desktop (I close it afterwards), pop-ups (IE is affected), slow computer, and it's a trojan dropper: Win32.TrojanDownloader.NewMedia
And my favorite strikes again, Smitfraud-C.
Even more good news:
I'm infected with win23.small.ddx too.

Edited by nicktk1, 29 September 2007 - 09:53 PM.


#3 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 30 September 2007 - 05:08 PM

All's good now, fixed up minus the drive... I don't get what's wrong with it.

Edited by nicktk1, 30 September 2007 - 05:08 PM.


#4 Grinler

Grinler (Lawrence Abrams, Admin, 43,395 posts, Gender: Male, Location: USA)

Posted 03 October 2007 - 01:32 PM

You may want to post another HijackThis log to be safe.

#5 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 04 October 2007 - 01:52 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:58 AM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\RunDll32.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\OpenOffice.org 2.2\program\soffice.exe
E:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Azureus\Azureus.exe
E:\Program Files\iTunes\iTunes.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\PROGRA~1\Mozilla Firefox\firefox.exe
E:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\PROGRA~1\PARENT~1\ParentalFilter.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: iebho Class - {296AE49F-E195-4835-895C-91788B938DF8} - E:\WINDOWS\ieiebho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - E:\WINDOWS\div32.dll (file missing)
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [amd_dc_opt] E:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.2.lnk = E:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\nick\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\system32\xhaht.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5161 bytes
HJT log
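The helper's next steps come from comparing this log with the one in post #1 (the two SSODL entries for mssql.dll and syscore.dll are gone, the MSVPS BHO now reports "(file missing)"). As an added example, not HijackThis's code nor anything posted in the thread, here is a small Python parser that keys HJT entries by CLSID, diffs two logs, and flags the load points a reviewer looks at first; the sample logs are built from the O2/O21 lines quoted in posts #1 and #5, and the "DLL in the Windows root" heuristic is an assumption of the example, not an HJT rule.

```python
"""Parse HijackThis v2.x logs and diff two of them by load point (CLSID).
Added example for this thread, not HijackThis's code nor the poster's or the
helper's; samples are the O2/O21 lines quoted in posts #1 and #5, and the
Windows-root heuristic in flag_entries is an assumption, not an HJT rule."""
import re
from dataclasses import dataclass

# HJT lines look like "O21 - SSODL: name - {CLSID} - path" (R0/R1/F2 have no CLSID).
_ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_MISSING = "(file missing)"
# A DLL directly in the Windows root (not system32) is unusual for a legitimate
# BHO or SSODL component; the SSODL DLLs that vanished between the logs sat there.
_WINROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)

@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def key(self) -> str:
        """Identity for diffing: the CLSID when present, else the whole body."""
        m = _CLSID.search(self.body)
        return m.group(0).upper() if m else self.body

    @property
    def path(self) -> str:
        """Last ' - ' field, with HJT's '(file missing)' note stripped off."""
        last = self.body.rsplit(" - ", 1)[-1].strip()
        return last[: -len(_MISSING)].strip() if last.endswith(_MISSING) else last

    @property
    def file_missing(self) -> bool:
        return self.body.rstrip().endswith(_MISSING)

def parse_hjt(text: str) -> dict[str, Entry]:
    """Entries keyed for diffing; header and process-list lines are skipped."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            e = Entry(m.group("section"), m.group("body"))
            entries[e.key] = e
    return entries

def diff_hjt(old_log: str, new_log: str) -> dict[str, list[Entry]]:
    """Load points removed, added, or changed (same CLSID, new body) between logs."""
    old, new = parse_hjt(old_log), parse_hjt(new_log)
    return {
        "removed": [old[k] for k in old if k not in new],
        "added": [new[k] for k in new if k not in old],
        "changed": [new[k] for k in new if k in old and old[k].body != new[k].body],
    }

def flag_entries(entries) -> dict[str, list[str]]:
    """Reasons to look at an entry first, keyed by CLSID; clean entries are omitted."""
    out: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("orphaned load point (file missing)")
        if _WINROOT_DLL.match(e.path):
            reasons.append("DLL loaded from Windows root")
        if reasons:
            out[e.key] = reasons
    return out

# Constructed samples: O2/O21 lines from posts #1 (before) and #5 (after).
LOG_BEFORE = r"""
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - E:\WINDOWS\div32.dll
O21 - SSODL: mssql - {6950500F-1220-4C79-B94F-B48D2EEAAFBB} - E:\WINDOWS\mssql.dll
O21 - SSODL: syscore - {7F6260E3-E8BA-44E6-8D87-AAE1F16E345C} - E:\WINDOWS\syscore.dll
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\system32\xhaht.dll
"""
LOG_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - E:\WINDOWS\div32.dll (file missing)
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\system32\xhaht.dll
"""
```

Running `diff_hjt(LOG_BEFORE, LOG_AFTER)` reports the two SSODL entries as removed, the Spybot BHO as added and the MSVPS BHO as changed, which is exactly the orphan the helper asks to fix in post #10.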

#6 Grinler

Grinler (Lawrence Abrams, Admin, 43,395 posts, Gender: Male, Location: USA)

Posted 04 October 2007 - 02:17 PM

Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#7 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 10 October 2007 - 07:14 PM

SmitFraudFix v2.240

Scan done at 20:13:45.89, Wed 10/10/2007
Run from E:\Documents and Settings\nick\Local Settings\Temp\Rar$DR01.813\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\SharpE\SharpBar.exe
E:\SharpE\SharpDesk.exe
E:\SharpE\SharpTray.exe
E:\SharpE\SharpTask.exe
E:\SharpE\SharpVWM.exe
e:\sharpe\sharpmenu.exe
e:\program files\java\jre1.6.0\bin\jusched.exe
e:\program files\itunes\ituneshelper.exe
e:\program files\daemon tools\daemon.exe
e:\program files\spybot - search & destroy\teatimer.exe
e:\program files\openoffice.org 2.2\program\soffice.exe
e:\program files\openoffice.org 2.2\program\soffice.BIN
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

E:\


E:\WINDOWS


E:\WINDOWS\system


E:\WINDOWS\Web


E:\WINDOWS\system32


E:\Documents and Settings\nick


E:\Documents and Settings\nick\Application Data


Start Menu


E:\DOCUME~1\nick\FAVORI~1


Desktop


E:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7715DCC3-2811-4C58-9771-9FFD8874D7DA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7715DCC3-2811-4C58-9771-9FFD8874D7DA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7715DCC3-2811-4C58-9771-9FFD8874D7DA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End
I am currently running the SharpE shell instead of Windows Explorer.

Edited by nicktk1, 10 October 2007 - 07:15 PM.

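The "hosts file corrupted !" finding in the report above is the part a defender can verify by hand: the two lines map a Spybot domain to 127.0.0.1 so the user cannot reach it. As an added example, not SmitfraudFix's code nor anything posted by either participant, here is a Python check that parses a hosts file and reports every mapping of a security-vendor domain, distinguishing sinkholed (loopback) entries from redirects to another address; the protected-domain list and the sample hosts text are assumptions constructed for the example, with the two reported lines included.

```python
"""Spot hosts-file entries that sinkhole or redirect security-vendor sites.
Added example for this thread, not SmitfraudFix's own check. The sample hosts
text is constructed around the two lines SmitfraudFix reported above; the list
of protected domains is an assumption for the example, extend it for real use."""
import ipaddress

# Domains this kind of infection maps away so the user cannot update or fetch
# removal tools. Assumed list; the first entry is the one named in the report.
PROTECTED_DOMAINS = (
    "legal-at-spybot.info",
    "safer-networking.org",
    "bleepingcomputer.com",
)

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blanks and junk lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: leave malformed lines to a human
        for host in parts[1:]:
            yield ip, host.lower().rstrip(".")

def is_protected(host):
    """True for a protected domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)

def suspicious_entries(text):
    """Return (hostname, ip, verdict) for every mapping of a protected domain.
    Loopback/unspecified targets are 'blocked' (the pattern in the report above);
    anything else is 'redirected', which sends the traffic to a third party."""
    found = []
    for ip, host in parse_hosts(text):
        if not is_protected(host):
            continue
        verdict = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        found.append((host, str(ip), verdict))
    return found

# Constructed sample: a normal localhost line, the two entries SmitfraudFix
# listed above, and one invented redirect using a TEST-NET-2 address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info
198.51.100.7 www.safer-networking.org
"""

if __name__ == "__main__":
    for host, ip, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"{verdict:10} {host} -> {ip}")
```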

#8 Grinler

Grinler (Lawrence Abrams, Admin, 43,395 posts, Gender: Male, Location: USA)

Posted 11 October 2007 - 10:30 AM

Ok, let's use SDFix to get rid of the div32.dll entry. We could easily fix it on our own, but I would rather see if SDfix finds any leftover orphan malware files.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.


#9 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 13 October 2007 - 03:50 PM

SDFix didn't work... just freezes up, I don't know why. Any other way I could remove this?

#10 Grinler

Grinler (Lawrence Abrams, Admin, 43,395 posts, Gender: Male, Location: USA)

Posted 14 October 2007 - 07:07 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - E:\WINDOWS\div32.dll (file missing)

Reboot your computer and post a new log.

Also delete these files if they exist:

C:\WINDOWS\mssql.dll
C:\WINDOWS\syscore.dll

#11 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 14 October 2007 - 07:53 PM

All clear, it looks like.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:53 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\SharpE\SharpCore.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\SharpE\SharpBar.exe
E:\SharpE\SharpDesk.exe
E:\SharpE\SharpTray.exe
E:\SharpE\SharpTask.exe
E:\SharpE\SharpVWM.exe
E:\SharpE\SharpMenu.exe
e:\program files\java\jre1.6.0\bin\jusched.exe
e:\program files\itunes\ituneshelper.exe
e:\program files\daemon tools\daemon.exe
e:\program files\spybot - search & destroy\teatimer.exe
e:\program files\openoffice.org 2.2\program\soffice.exe
e:\program files\openoffice.org 2.2\program\soffice.BIN
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\svchost.exe
E:\Documents and Settings\nick\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: iebho Class - {296AE49F-E195-4835-895C-91788B938DF8} - E:\WINDOWS\ieiebho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.2.lnk = E:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\nick\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\system32\xhaht.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4658 bytes

#12 Grinler

Grinler (Lawrence Abrams, Admin, 43,395 posts, Gender: Male, Location: USA)

Posted 15 October 2007 - 10:00 AM

Sorry, I missed this entry.

O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\system32\xhaht.dll

I want to take a look at this file.

Go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop:

E:\WINDOWS\system32\xhaht.dll

Finally click on the Send File button.

#13 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 15 October 2007 - 06:58 PM

OK ^_^ sent.

#14 Grinler

Grinler (Lawrence Abrams, Admin, 43,395 posts, Gender: Male, Location: USA)

Posted 16 October 2007 - 09:32 AM

It did not go through. Please try again. Can you see the file when you search for it?

#15 nicktk1

nicktk1 (Topic Starter, Members, 32 posts, Location: PA)

Posted 16 October 2007 - 08:26 PM

Yeah, it just won't go through.



