Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Something Xxwur.dll


  • This topic is locked This topic is locked
30 replies to this topic

#1 buttcrum

buttcrum

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 08 October 2007 - 01:45 AM

hi i dont know what it is but its probably a lot ive had problems before i am pretty sure xxwur.dll is bad and hijackthis cant delete it for some reason
ive used avg antispyware, spybot, adaware, sd fix rustbfix, combofix, smitsfraudfix, avgantirootkit, and vundofix but i am still infected.
i dont know what i am infected with anymore the only thing i know for sure is xxwur.dll is bad but i cant delete it and i keep getting pop ups all over the place
but i am using a new version of hijackthis i just downloaded and xxwur.dll isnt there but oh well
here is hijackthis log

Scan saved at 11:42:23 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
D:\antivirus stuff\firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
D:\antivirus stuff\firewall\kpf4gui.exe
D:\antivirus stuff\firewall\kpf4gui.exe
C:\Program Files\Messenger\msmsgs.exe
D:\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\DOCUME~1\THOAIT~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\THOAI TANG\Application Data\Mozilla\Profiles\default\uc3xzh14.slt\prefs.js)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pqysnnim.dll",sitypnow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-20 Startup: Z_Start.lnk = C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun7.exe (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\antivirus stuff\firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7799 bytes


thanks for your help

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:37 AM

Posted 08 October 2007 - 11:45 AM

Hello there and welcome to Bleeping Computer's security forum. :thumbsup:

Go to the folder where Hijackthis is kept and rename the hijackthis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

#3 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 08 October 2007 - 02:41 PM

here is my new hijackthis log


Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe
D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
D:\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
D:\antivirus stuff\firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
D:\antivirus stuff\firewall\kpf4gui.exe
D:\antivirus stuff\firewall\kpf4gui.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis\showme.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\THOAI TANG\Application Data\Mozilla\Profiles\default\uc3xzh14.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\antivirus stuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {EC764D3A-5EC3-4E0D-A69D-09C74E36DCCD} - C:\WINDOWS\system32\xxwur.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pqysnnim.dll",sitypnow
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-20 Startup: Z_Start.lnk = C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun7.exe (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\antivirus stuff\firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7770 bytes

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:37 AM

Posted 08 October 2007 - 04:33 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {EC764D3A-5EC3-4E0D-A69D-09C74E36DCCD} - C:\WINDOWS\system32\xxwur.dll
O4 - S-1-5-20 Startup: Z_Start.lnk = C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun7.exe (User 'NETWORK SERVICE')
O4 - Global Startup: AutorunsDisabled
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back into normal mode.

Download Combofix to your desktop. !! It is really important that combofix.exe is on your desktop, not somewhere else or not in a folder on your desktop.
Then go to start > run and copy and paste next command in the field:

"C:\Documents and Settings\Owner\Desktop\combofix.exe" /v xxwur

Hit enter. This should start the combofix.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#5 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 09 October 2007 - 12:43 AM

for the combofix part the location isnt
C:\Documents and Settings\Owner\Desktop\combofix.exe" /v xxwur it is
C:\Documents and Settings\Thoai Tang\Desktop\combofix.exe" /v xxwur
it took me so long to figure that out
heres the logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:26 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
D:\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis\showme.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\THOAI TANG\Application Data\Mozilla\Profiles\default\uc3xzh14.slt\prefs.js)
O2 - BHO: (no name) - {2B49C744-86BC-44AE-B513-D251DE5ED91A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\antivirus stuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6B812AA1-DE4A-45DB-98BE-3FBDC2EBDF6B} - (no file)
O2 - BHO: (no name) - {79F0BF28-BD94-47B0-86E2-6983D62291E9} - (no file)
O2 - BHO: (no name) - {DEA43DD7-F897-4D15-AE92-58AEBE151F64} - C:\WINDOWS\system32\xxwur.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: ddcyyyy - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\antivirus stuff\firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7436 bytes





ComboFix 07-10-09.3 - THOAI TANG 2007-10-08 22:22:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.317 [GMT -7:00]
Running from: C:\Documents and Settings\THOAI TANG\Desktop\combofix.exe
Command switches used :: /v xxwur
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Desktop\searchus.exe
C:\Documents and Settings\LocalService\Desktop\searchus.exe
C:\Documents and Settings\LocalService\Desktop\searchus.exe
C:\Documents and Settings\NetworkService\Desktop\searchus.exe
C:\Documents and Settings\THOAI TANG\Application Data\macromedia\Flash Player\#SharedObjects\QTFSZ6PL\www.broadcaster.com
C:\Documents and Settings\THOAI TANG\Application Data\macromedia\Flash Player\#SharedObjects\QTFSZ6PL\www.broadcaster.com\played_list.sol
C:\Documents and Settings\THOAI TANG\Application Data\macromedia\Flash Player\#SharedObjects\QTFSZ6PL\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\THOAI TANG\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\THOAI TANG\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\THOAI TANG\Application Data\Microsoft\60787.dat
C:\Program Files\poolsv
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Program Files\WinAble
C:\Program Files\Windows Media Player\hokemoryc4444.dll
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\djcchsjv.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\emfxveap.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\lfd32.ini
C:\WINDOWS\system32\lmdpfbgu.dll
C:\WINDOWS\system32\pejsttbe.exe
C:\WINDOWS\system32\pxcdwxty.dll
C:\WINDOWS\system32\ruwxx.bak1
C:\WINDOWS\system32\ruwxx.bak1
C:\WINDOWS\system32\ruwxx.bak2
C:\WINDOWS\system32\ruwxx.bak2
C:\WINDOWS\system32\ruwxx.ini
C:\WINDOWS\system32\ruwxx.ini
C:\WINDOWS\system32\ruwxx.ini2
C:\WINDOWS\system32\ruwxx.ini2
C:\WINDOWS\system32\ruwxx.tmp
C:\WINDOWS\system32\ruwxx.tmp
C:\WINDOWS\system32\ugbfpdml.ini
C:\WINDOWS\system32\uhgadhpt.dll
C:\WINDOWS\system32\usnhulrw.dll
C:\WINDOWS\system32\wrluhnsu.ini
C:\WINDOWS\system32\X2
C:\WINDOWS\system32\X4
C:\WINDOWS\system32\yrwrvcad.exe
C:\WINDOWS\system32\ytxwdcxp.ini
C:\WINDOWS\tsitra572.exe
C:\WINDOWS\wtubuoaA.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\DomainService
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 22:36 6,465 ---hs---- C:\WINDOWS\system32\ruwxx.bak1
2007-10-05 01:36 313,440 --a------ C:\WINDOWS\system32\xxwur.dll
2007-10-05 01:35 <DIR> d-------- C:\Program Files\Temporary
2007-10-05 01:35 707,536 --a------ C:\temp\regit.exe
2007-10-05 01:31 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-05 01:31 <DIR> d-------- C:\temp\xOe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 04:30 2,296 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-10-06 16:25 --------- d-----w C:\Documents and Settings\THOAI TANG\Application Data\BitTorrent
2007-09-14 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2007-09-12 20:51 --------- d-----w C:\Program Files\QuickTime
2007-09-09 06:19 --------- d-----w C:\Documents and Settings\THOAI TANG\Application Data\Aim
2007-09-04 20:03 --------- d-----w C:\Program Files\Common Files\DVDVIDEOSOFT
2007-09-04 07:07 --------- d-----w C:\Documents and Settings\THOAI TANG\Application Data\LimeWire
2007-09-01 19:31 --------- d-----w C:\Documents and Settings\THOAI TANG\Application Data\Viewpoint
2007-09-01 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-08-22 05:42 26,176 ----a-w C:\WINDOWS\system32\yVmP34cH.exe
2007-08-20 04:36 --------- d-----w C:\Program Files\CinemaForge
2007-08-16 10:40 29,184 ----a-w C:\sdtuev.exe
2007-07-26 23:06 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-07-26 23:06 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 23:06 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-07-26 23:06 144,704 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 23:06 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-07-26 23:06 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 23:06 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-07-26 23:06 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-07-26 23:03 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 23:03 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 23:03 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-07-26 23:03 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 23:03 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-07-26 23:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 23:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-07-26 23:03 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 23:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-07-26 23:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-07-26 23:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-07-26 23:03 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-07-26 23:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-05-11 04:32 47,064 -c--a-w C:\Documents and Settings\THOAI TANG\Application Data\GDIPFONTCACHEV1.DAT
2006-01-25 08:23 560 -c--a-w C:\Documents and Settings\THOAI TANG\Application Data\ViewerApp.dat
2005-03-06 21:48:59 56 -csh--r C:\WINDOWS\system32\E9049E4DDC.sys
2005-03-06 21:48:59 1,890 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B49C744-86BC-44AE-B513-D251DE5ED91A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B812AA1-DE4A-45DB-98BE-3FBDC2EBDF6B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79F0BF28-BD94-47B0-86E2-6983D62291E9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA43DD7-F897-4D15-AE92-58AEBE151F64}]
2007-10-05 01:36 313440 --a------ C:\WINDOWS\system32\xxwur.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - D:\WinZip\WZQKPICK.EXE [2006-12-02 18:35:19]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-09-18 19:31:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyyyy]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxwur.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remocon Driver.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk
backup=C:\WINDOWS\pss\Remocon Driver.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^THOAI TANG^Start Menu^Programs^Startup^Click to DVD Automatic Mode Launcher.lnk]
path=C:\Documents and Settings\THOAI TANG\Start Menu\Programs\Startup\Click to DVD Automatic Mode Launcher.lnk
backup=C:\WINDOWS\pss\Click to DVD Automatic Mode Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^THOAI TANG^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\THOAI TANG\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hcontrol]
C:\WINDOWS\ATK0100\Hcontrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HKSERV.EXE]
C:\Program Files\Sony\HotKey Utility\HKserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1124510339\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
C:\Program Files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\izone]
C:\ein.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0870 STISvc]
RunDLL32.exe P0870Pin.dll,RunDLL32EP 513

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
"C:\WINDOWS\poolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Services]
C:\WINDOWS\system32\29.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMConsole.exe]
C:\Program Files\sony\vaio media integrated server\Platform\VMConsole.exe /windowmin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"wtubuoaA"=C:\WINDOWS\wtubuoaA.exe
"!AVG Anti-Spyware"="D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys
R3 oibtvcom;Bluetooth Virtual COM Port;C:\WINDOWS\system32\Drivers\oivmvcom.sys
R3 oivmctrl;VCOMM Device Controller;C:\WINDOWS\system32\Drivers\oivmctrl.sys
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys
S2 SPF4;Sunbelt Personal Firewall 4;"D:\antivirus stuff\firewall\kpf4ss.exe"
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 NTProcDrv;Process creation detector for NT.;\??\C:\Documents and Settings\THOAI TANG\Desktop\bot\sroboten1.58\NtProcDrv.sys
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
S3 SONYTVC;Sony MPEG RR-Engine;C:\WINDOWS\system32\DRIVERS\SONYTVC.sys
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - 9DSetup_USA_CB_v2.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}]
C:\WINDOWS\system32\tmrsrv32.exe
.
Contents of the 'Scheduled Tasks' folder
"2004-09-14 19:16:27 C:\WINDOWS\Tasks\Registration reminder 1.job"
"2004-09-14 19:16:28 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-10-09 05:38:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 22:34:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ruwxx.bak1

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-10-08 22:38:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 22:38
C:\ComboFix2.txt ... 2007-10-06 19:51
C:\ComboFix3.txt ... 2007-08-04 22:40
.
--- E O F ---

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:37 AM

Posted 09 October 2007 - 02:11 PM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {2B49C744-86BC-44AE-B513-D251DE5ED91A} - (no file)
O2 - BHO: (no name) - {6B812AA1-DE4A-45DB-98BE-3FBDC2EBDF6B} - (no file)
O2 - BHO: (no name) - {79F0BF28-BD94-47B0-86E2-6983D62291E9} - (no file)
O2 - BHO: (no name) - {DEA43DD7-F897-4D15-AE92-58AEBE151F64} - C:\WINDOWS\system32\xxwur.dll
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: ddcyyyy - C:\WINDOWS\

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\ruwxx.bak1
C:\WINDOWS\system32\xxwur.dll
C:\temp\regit.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\yVmP34cH.exe
C:\sdtuev.exe
C:\WINDOWS\system32\29.tmp
C:\WINDOWS\system32\tmrsrv32.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Reboot the PC now.

Please find and delete the following folders:
C:\WINDOWS\system32\vMW02a
C:\Program Files\Temporary
C:\temp\xOe

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\izone]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Services]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Reboot again and post a new Hijackthis log for review..

Edited by D-Trojanator, 09 October 2007 - 03:43 PM.


#7 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 09 October 2007 - 03:13 PM

i dont know what happened but whenever i reboot normally it says
system error lsass.exe not found or lssas or something like that but i cant reboot normally or in safe mode i had to
go into reboot into last working settings

here is hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:31 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe
D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
D:\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
D:\antivirus stuff\firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
D:\antivirus stuff\firewall\kpf4gui.exe
D:\antivirus stuff\firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis\showme.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\THOAI TANG\Application Data\Mozilla\Profiles\default\uc3xzh14.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\antivirus stuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6C8192CB-52B8-463F-8F53-5A79EF895F86} - C:\WINDOWS\system32\xxwur.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hcwtojht.dll",sitypnow
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\antivirus stuff\firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7541 bytes

#8 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 09 October 2007 - 03:23 PM

i can restart normally now but i dont know if something happened because i did
use last working settings
if it cancelled all the things i just did
and what do i do with fix.reg it is still on my desktop should i just leave it there?

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:37 AM

Posted 09 October 2007 - 03:44 PM

Hey there, not sure what happened, but to be safe we shall restore the PC. :thumbsup:
Luckily, combofix automatically created a restore point which we can revert back to.
If you know how to restore your PC then go ahead and restore to the 8th of October..

If you aren't sure have a look at the "Use System Restore" section from here:
http://www.microsoft.com/windowsxp/using/h...ew_03may19.mspx

Also, delete the fix.reg now from the desktop, we don't need it now.

Then, run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.

Download VirtumundoBeGone.
Save it to your desktop, and reboot your System
Close all running programs (including your Internet Browser)
Double-click "VirtumundoBeGone.exe" on the desktop
Follow the directions as indicated.

The program will generate a "Blue Screen of Death".
This is an expected part of the process, so don't be concerned when it happens.
The program generates a log, which it should have placed on your Desktop
Copy & paste the VirtumundoBeGone log back here together with a new hijackthislog.

#10 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 09 October 2007 - 10:51 PM

hi i could not restore my computer because i used last known good configuration and that is the only restore point i can go to
and the viruomundo link doesnt work


here is the hijackthis log and startuplist log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:25 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe
D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
D:\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
D:\antivirus stuff\firewall\kpf4ss.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\system32\drwtsn32.exe
D:\antivirus stuff\firewall\kpf4gui.exe
D:\antivirus stuff\firewall\kpf4gui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis\showme.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\THOAI TANG\Application Data\Mozilla\Profiles\default\uc3xzh14.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\antivirus stuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55E671DF-70C6-47D8-9267-BA6324C463C5} - C:\WINDOWS\system32\xxwur.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hcwtojht.dll",sitypnow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\antivirus stuff\firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7474 bytes

#11 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 09 October 2007 - 10:52 PM

heres startuplist


StartupList report, 10/9/2007, 8:37:16 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hijackthis\HiJackThis\showme.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe
D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
D:\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
D:\antivirus stuff\firewall\kpf4ss.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\system32\drwtsn32.exe
D:\antivirus stuff\firewall\kpf4gui.exe
D:\antivirus stuff\firewall\kpf4gui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HiJackThis\showme.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

!AVG Anti-Spyware = "D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized
SearchIndexer = rundll32.exe "C:\WINDOWS\system32\hcwtojht.dll",sitypnow

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
Steam = "C:\Program Files\Steam\Steam.exe" -silent

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - D:\antivirus stuff\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\xxwur.dll - {55E671DF-70C6-47D8-9267-BA6324C463C5}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Registration reminder 1.job
Registration reminder 3.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[ewidoOnlineScan Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #5: C:\WINDOWS\system32\wshbth.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,962 bytes
Report generated in 0.070 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#12 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 10 October 2007 - 11:56 PM

nevermind vurtiomundebegone worked today here is the log it found nothing

[10/10/2007, 21:50:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\THOAI TANG\Desktop\VirtumundoBeGone.exe" )
[10/10/2007, 21:51:01] - Detected System Information:
[10/10/2007, 21:51:01] - Windows Version: 5.1.2600, Service Pack 2
[10/10/2007, 21:51:01] - Current Username: THOAI TANG (Admin)
[10/10/2007, 21:51:01] - Windows is in NORMAL mode.
[10/10/2007, 21:51:01] - Searching for Browser Helper Objects:
[10/10/2007, 21:51:01] - BHO 1: {2B49C744-86BC-44AE-B513-D251DE5ED91A} ()
[10/10/2007, 21:51:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/10/2007, 21:51:01] - No filename found. Continuing.
[10/10/2007, 21:51:01] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/10/2007, 21:51:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/10/2007, 21:51:01] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/10/2007, 21:51:01] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/10/2007, 21:51:01] - BHO 3: {6B812AA1-DE4A-45DB-98BE-3FBDC2EBDF6B} ()
[10/10/2007, 21:51:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/10/2007, 21:51:01] - No filename found. Continuing.
[10/10/2007, 21:51:01] - BHO 4: {79F0BF28-BD94-47B0-86E2-6983D62291E9} ()
[10/10/2007, 21:51:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/10/2007, 21:51:01] - No filename found. Continuing.
[10/10/2007, 21:51:01] - BHO 5: {DEA43DD7-F897-4D15-AE92-58AEBE151F64} ()
[10/10/2007, 21:51:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/10/2007, 21:51:01] - No filename found. Continuing.
[10/10/2007, 21:51:01] - BHO 6: {E392C320-D78D-443F-BE00-76577A317ED3} ()
[10/10/2007, 21:51:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/10/2007, 21:51:01] - Checking for HKLM\...\Winlogon\Notify\xxwur
[10/10/2007, 21:51:01] - Key not found: HKLM\...\Winlogon\Notify\xxwur, continuing.
[10/10/2007, 21:51:01] - Finished Searching Browser Helper Objects
[10/10/2007, 21:51:01] - Finishing up...
[10/10/2007, 21:51:01] - Nothing found! Exiting...

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:37 AM

Posted 11 October 2007 - 03:11 PM

Ok, it looks like we are going to have to pull out the big guns now to delete these files.. :thumbsup:
Be very careful with this tool, and do not use it for anything else, except the code I propose..

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\xxwur.dll
C:\WINDOWS\system32\hcwtojht.dll

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Please then open Hijackthis and fix these entries if present:
O2 - BHO: (no name) - {55E671DF-70C6-47D8-9267-BA6324C463C5} - C:\WINDOWS\system32\xxwur.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hcwtojht.dll",sitypnow
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Reboot and post a new Hijackthis log..

#14 buttcrum

buttcrum
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:08:37 PM

Posted 12 October 2007 - 01:32 AM

i think avenger only restarted my computer once but im not positive

here are the logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:23 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
D:\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\tyghdvwi.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
D:\antivirus stuff\firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
D:\antivirus stuff\firewall\kpf4gui.exe
D:\antivirus stuff\firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HiJackThis\showme.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\THOAI TANG\Application Data\Mozilla\Profiles\default\uc3xzh14.slt\prefs.js)
O2 - BHO: (no name) - {2B49C744-86BC-44AE-B513-D251DE5ED91A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\antivirus stuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6B812AA1-DE4A-45DB-98BE-3FBDC2EBDF6B} - (no file)
O2 - BHO: (no name) - {79F0BF28-BD94-47B0-86E2-6983D62291E9} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\hgcweavy.dll
O2 - BHO: (no name) - {DEA43DD7-F897-4D15-AE92-58AEBE151F64} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\antivirus stuff\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\bbwodpmn.dll",sitypnow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\antivirus stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: ddcyyyy - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\antivirus stuff\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\tyghdvwi.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - D:\antivirus stuff\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\antivirus stuff\firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7921 bytes



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sldyjjcy

*******************

Script file located at: \??\C:\Program Files\ldswnkvc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\xxwur.dll deleted successfully.


File C:\WINDOWS\system32\hcwtojht.dll not found!
Deletion of file C:\WINDOWS\system32\hcwtojht.dll failed!

Could not process line:
C:\WINDOWS\system32\hcwtojht.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:37 AM

Posted 12 October 2007 - 01:30 PM

Ok good, we got rid of that stubborun file, but you are getting reinfected each time..
You are missing one important program on that computer - an antivirus!
This is somewhat suicidal in today's digital world.

I'm sorry I didn't notice it earlier, I thought you had Symantec running, but it looks pretty corrupted at the moment..

You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs..
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

Norton/Symantec can be stubborn to uninstall, have you already tried to remove it?
Before we clean the new infections, I want you to get protected..




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users