
Win32.BackDoor-DNM;TR/Dripper.Gen;TR/Crypt;more


10 replies to this topic

#1 jcoate42

Posted 06 March 2009 - 03:44 AM

I recently was given an eMachines computer from my stepfather and it did not have any virus protection on it. It also did not have the SP2 update from Microsoft. I tried to install the update but it said that I didn't have permission. I'm not sure if this happened because it has viruses or not, so I installed Avira antivirus. I received these warnings from Avira:

C:\Windows\System32\drivers\svchost.exe Is the TR/Dropper.Gen Trojan

C:\Windows\Nail.exe Is the TR/Crypt.ULPM.Gen Trojan

C:\documents and settings\josh\local settings\temp\yhrsxqic.exe Is the TR/Dldr.Swizzor.CO Trojan

C:\documents and settings\josh\local settings\temp\...\wupd.exe Is the TR/Dldr.Intexp.B Trojan

C:\documents and settings\josh\local settings\temp\...\wupt.exe Is the TR/Dldr.Intexp.A Trojan


Here is the DDS.txt:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Josh at 0:13:01.78 on Fri 03/06/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.447.108 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Josh\Application Data\Google\wcwdu16814728.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Verizon Online
mDefault_Page_URL = hxxp://www.emachines.com
uSearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
uURLSearchHooks: H - No File
mWinlogon: Shell=Explorer.exe c:\windows\Nail.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ngpw34.clsIS: {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - c:\windows\ngpw34.dll
BHO: IExplorr29.clsIS: {54ed9b49-81d1-4866-95a6-30f01de0047e} - c:\windows\iexplorr29.dll
BHO: {6558519b-bd79-9eac-2944-9eeba430d9b9} - c:\windows\system32\xdoclz.dll
{6bd9132b-b337-55be-d705-10550585736b}
BHO: {83de62e0-5805-11d8-9b25-00e04c60faf2} -
BHO: IExplorr26.clsIS: {90e34f98-e3e6-4cd7-a592-e964fed8af78} - c:\windows\iexplorr26.dll
BHO: IExplorr27.clsIS: {94326e3f-f51f-4863-a832-4acd0d7d4bc3} - c:\windows\iexplorr27.dll
BHO: IExplorr11.clsIS: {bc0d2038-2de5-4a6f-92bc-b18a3e0de32a} - c:\windows\iexplorr11.dll
BHO: {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Search Help: {e8eaeb34-f7b5-4c55-87ff-720faf53d841} - CSearchHelpIEExtension Object
BHO: ngsw31.clsIS: {e9147a0a-a866-4214-b47c-da821891240f} - c:\windows\ngsw31.dll
TB: {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - No File
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [cB79Rjj2V] oddnetsh.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Gpw] c:\windows\system32\l?gonui.exe
uRun: [MyEmoticons] c:\program files\myemoticons\MYEMOTICONS.EXE
uRun: [cdloader] "c:\documents and settings\josh\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [CHotkey] zHotkey.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [conscorr] c:\windows\conscorr.exe
mRun: [g] c:\windows\g.exe
mRun: [LzsvH9] c:\windows\LzsvH9.exe
mRun: [WildTangent CDA] "c:\program files\wildtangent\apps\cda\gamedrvr.exe" /startup "c:\program files\wildtangent\apps\cda\cdaEngine0500.dll"
mRun: [CMESys] "c:\program files\common files\cmeii\CMESys.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RZO] c:\documents and settings\josh\local settings\temp\RZO.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [realtecks] "c:\documents and settings\josh\application data\google\wcwdu16814728.exe" 2
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [g.exe] c:\windows\g.exe
mRun: [LzsvH9.exe] c:\windows\LzsvH9.exe
mRun: [RZO.exe] c:\documents and settings\josh\local settings\temp\RZO.exe
StartupFolder: c:\docume~1\josh\startm~1\programs\startup\openof~1.lnk - j:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\precis~1.lnk - c:\program files\precisiontime\PrecisionTime.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Web Rebates - file://c:\program files\web_rebates\sy1150\tp1150\scri1150a.htm
IE: {120E090D-9136-4b78-8258-F0B44B4BD2AC} - c:\windows\system32\ms.exe
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - hxxp://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - hxxp://www.2nd-thought.com/files/install.exe
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - hxxp://toolbar.isearch.com/general/drm.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - hxxp://www.atelys.com/src/Speedup.ocx
DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} - hxxp://fdl.msn.com/public/investor/v8/0326/ticker.cab
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxps://www.gamespyid.com/alaunch.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8A8F3D75-6564-4599-A7DC-313B43A89E1D} - hxxp://www.kazaa.net.cn/digital/AdInstaller.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} - hxxp://autos.msn.com/components/ocx/survid/MSSurVid.cab
DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - hxxp://hotsearchbar.com/toolbar2/winhot32.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://messenger.zone.msn.com/binary/ZAxRcMgr.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.8977199074
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} - hxxp://autos.msn.com/components/ocx/exterior/Outside.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab28578.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab28578.cab
DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - hxxp://cabs.roings.com/cabs/mmed.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab28578.cab
DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} - hxxp://www.gamespot.com/KDX22/download/kdx.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
TCP: {31F9B1E7-D1EE-4FA4-8673-AEBEA9063D6F} = 208.67.222.222,208.67.220.220
LSA: Notification Packages = scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\josh\apee28~1\mozilla\firefox\profiles\k1uzx82q.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-2-28 22336]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-2-28 45376]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-2-23 12800]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-28 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-28 151297]
S2 .NET Connection Service;.NET Framework Service;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S2 SvcProc;System Startup Service ;c:\windows\svcproc.exe [2002-6-15 6656]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;c:\windows\system32\svchost.exe -k netsvcs [2009-2-23 12800]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S4 Nvshtwtx;Nvshtwtx; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-03-05 22:06 1,245 ----h--- c:\windows\g
2009-03-05 19:32 <DIR> --d----- c:\docume~1\josh\apee28~1\W Photo Studio Viewer
2009-02-28 21:19 <DIR> --d----- c:\program files\CCleaner
2009-02-28 21:18 <DIR> --d----- c:\program files\Trend Micro
2009-02-28 20:56 <DIR> --d----- c:\docume~1\josh\apee28~1\Uniblue
2009-02-28 20:56 <DIR> --d----- c:\program files\Uniblue
2009-02-28 20:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-02-28 20:24 <DIR> --d----- c:\program files\Sun
2009-02-28 20:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-28 20:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-28 20:20 <DIR> --d----- c:\docume~1\josh\apee28~1\Inkscape
2009-02-28 20:02 <DIR> --d----- c:\program files\Avira
2009-02-28 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-28 19:35 <DIR> --d----- c:\documents and settings\josh\amaya
2009-02-28 19:34 <DIR> --d----- c:\program files\Amaya
2009-02-28 16:11 <DIR> --d----- C:\ATI
2009-02-28 03:53 <DIR> --d----- c:\program files\Cloud
2009-02-28 03:51 <DIR> --d----- c:\program files\common files\Akamai
2009-02-28 02:55 <DIR> --d----- c:\program files\Kuma Games
2009-02-28 00:41 <DIR> --d----- c:\program files\AnalogX
2009-02-28 00:07 28,673 a------- c:\windows\system32\drivers\svchost.exe
2009-02-27 22:11 <DIR> --d----- c:\program files\FlashFXP
2009-02-27 22:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FlashFXP
2009-02-27 22:10 <DIR> --d----- c:\program files\LittleFighter2
2009-02-25 14:53 <DIR> --d----- c:\program files\WinPcap
2009-02-25 14:34 <DIR> --d----- c:\docume~1\josh\apee28~1\mjusbsp
2009-02-25 14:34 56,832 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-02-25 14:34 56,832 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-02-25 02:54 <DIR> --d----- c:\program files\Netscape
2009-02-25 02:52 <DIR> --d----- c:\program files\DivX
2009-02-25 02:45 1,409 a------- c:\windows\QTFont.for
2009-02-25 02:45 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-23 16:11 480,256 a------- c:\windows\system32\dllcache\cintsetp.exe
2009-02-23 16:10 535,552 a------- c:\windows\system32\rpcrt4.dll
2009-02-23 14:43 595,968 -------- c:\windows\system32\_002878_.tmp.dll
2009-02-23 11:42 88,566 a------- c:\windows\system32\nvapps.xml
2009-02-23 11:10 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-02-23 11:09 <DIR> --d----- c:\documents and settings\josh\.java
2009-02-23 02:11 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-02-23 02:11 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-02-23 02:11 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-23 02:11 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-02-22 20:52 <DIR> --d----- c:\documents and settings\josh\.thumbnails
2009-02-22 20:45 <DIR> --d----- c:\documents and settings\josh\.gimp-2.2
2009-02-22 18:13 <DIR> --d----- c:\documents and settings\josh\.schism
2009-02-22 18:11 <DIR> --d----- c:\program files\ASIO4ALL v2
2009-02-22 16:57 71,819 a------- c:\windows\hpdj6500.hi2
2009-02-22 16:57 7,251 a------- c:\windows\hpdj6500.bu2
2009-02-22 16:35 <DIR> --d----- c:\docume~1\josh\apee28~1\Warsow
2009-02-22 16:24 225,280 a------- c:\windows\system32\rewire.dll
2009-02-22 16:24 <DIR> --d----- c:\program files\VstPlugins
2009-02-22 16:24 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-02-22 16:22 <DIR> --d----- c:\program files\Image-Line
2009-02-22 16:09 3,328 ac------ c:\windows\system32\dllcache\pciide.sys
2009-02-22 16:09 3,328 a------- c:\windows\system32\drivers\pciide.sys
2009-02-22 16:09 208,896 a------- c:\windows\system32\nvusmb.exe
2009-02-22 16:09 699 -------- c:\windows\system32\nvsmb.nvu
2009-02-22 16:08 208,896 a------- c:\windows\system32\nvumctl.exe
2009-02-22 16:08 1,217 -------- c:\windows\system32\nvmctl.nvu
2009-02-22 16:08 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-02-22 16:08 <DIR> --d----- c:\windows\nview

==================== Find3M ====================

2008-12-23 07:35 281,104 a------- c:\windows\system32\wpcap.dll
2008-12-23 07:35 100,880 a------- c:\windows\system32\Packet.dll
2008-12-23 07:33 53,299 a------- c:\windows\system32\pthreadVC.dll
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 16:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 18:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 18:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 18:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 18:28 57,344 a------- c:\windows\system32\dpv11.dll
2004-11-13 11:38 81,408 ---shr-- c:\docume~1\josh\apee28~1\rncr.exe
2004-06-04 19:31 168,753 a------- c:\docume~1\josh\apee28~1\tvmknwrd.dll
2004-05-02 11:09 905 a------- c:\program files\uninstal.log
2004-10-29 05:18 253,962 ---sh--- c:\windows\system32\Mkwwa.exe

============= FINISH: 0:13:37.67 ===============




I would deeply appreciate any help given,
Thanks
#2 jcoate42

Posted 07 March 2009 - 04:42 PM

Ok, Avira found another Trojan:
C:\Program Files\MyEmoticons\uninstall.exe Is the TR/VB.btr Trojan

Edited by jcoate42, 07 March 2009 - 04:43 PM.


#3 jcoate42

Posted 07 March 2009 - 05:05 PM

Another thing I forgot to mention is that a Windows Security Center Alert keeps popping up:
"To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: Win32.BackDoor-DNM
Risk Level: High
Description: DNM is a worm trojan program that records
keystrokes and takes screen shots of the computer, stealing
personal financial information....."

This really sounds like bad news. I definitely need to get rid of this.


I've noticed also that there have been almost 30 views of this post and 0 replies. If there is any further information needed to resolve this please let me know.

#4 jcoate42

Posted 08 March 2009 - 05:39 AM

Avira just let me know that I have yet another Trojan:

C:\Windows\system32\coolapi32.dll Is the TR/Spy.gen Trojan

#5 suebaby41

Malware Response Team
Posted 19 March 2009 - 09:37 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#6 jcoate42

Posted 19 March 2009 - 11:37 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:10 PM, on 3/19/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Pen_Tablet.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\System32\WTablet\Pen_TabletUser.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\Pen_Tablet.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Malorie\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 69.2.200.63 auto.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ngpw34.clsIS - {2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} - c:\windows\ngpw34.dll
O2 - BHO: IExplorr29.clsIS - {54ED9B49-81D1-4866-95A6-30F01DE0047E} - c:\windows\iexplorr29.dll
O2 - BHO: (no name) - {6558519B-BD79-9EAC-2944-9EEBA430D9B9} - C:\WINDOWS\System32\xdoclz.dll
O2 - BHO: (no name) - {6BD9132B-B337-55BE-D705-10550585736B} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O2 - BHO: IExplorr26.clsIS - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - c:\windows\iexplorr26.dll
O2 - BHO: IExplorr27.clsIS - {94326E3F-F51F-4863-A832-4ACD0D7D4BC3} - c:\windows\iexplorr27.dll
O2 - BHO: IExplorr11.clsIS - {BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A} - c:\windows\iexplorr11.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
O2 - BHO: ngsw31.clsIS - {E9147A0A-A866-4214-B47C-DA821891240F} - c:\windows\ngsw31.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [g] C:\windows\g.exe
O4 - HKLM\..\Run: [LzsvH9] C:\windows\LzsvH9.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RZO] C:\documents and settings\josh\local settings\temp\RZO.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [g.exe] C:\windows\g.exe
O4 - HKLM\..\Run: [LzsvH9.exe] C:\windows\LzsvH9.exe
O4 - HKLM\..\Run: [RZO.exe] C:\documents and settings\josh\local settings\temp\RZO.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Malorie\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v8/0326/ticker.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8A8F3D75-6564-4599-A7DC-313B43A89E1D} (AdInstaller Control) - http://www.kazaa.net.cn/digital/AdInstaller.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab28578.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab28578.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31F9B1E7-D1EE-4FA4-8673-AEBEA9063D6F}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\System32\Pen_Tablet.exe

--
End of file - 11040 bytes
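As an added illustration (not part of this thread, and not a tool the helpers here use), the script below parses lines in the HijackThis v2 format shown in the log above and flags the entry types a helper looks at first: a modified Winlogon Shell= value, a hosts-file redirect, Run entries that launch from a temp folder or the Windows root or reuse a system binary name, the same target registered under two Run names, and services with an unknown owner or a missing file. The sample lines are constructed from that log; the heuristics are triage hints, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample in the HijackThis v2 line format, modelled on entries from
# the log posted above (a handful of lines, not the full file).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 69.2.200.63 auto.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [g] C:\windows\g.exe
O4 - HKLM\..\Run: [g.exe] C:\windows\g.exe
O4 - HKLM\..\Run: [RZO] C:\documents and settings\josh\local settings\temp\RZO.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\windows\system32\drivers\svchost.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First token that looks like an executable path, quoted or not (unquoted
# paths with spaces are common in these logs, so we cannot split on whitespace).
PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|cpl))\b', re.IGNORECASE)

# Names malware borrows to blend in; the legitimate copies live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def suspicious_path(path: str) -> str:
    """Return a short reason if the path is a classic persistence location, else ''."""
    p = path.lower().replace("/", "\\")
    folder, _, name = p.rpartition("\\")
    if "\\local settings\\temp" in folder or "\\temp\\" in folder + "\\":
        return "runs from a temp folder"
    if name in SYSTEM_NAMES and not folder.endswith("\\system32"):
        return f"system binary name {name} outside System32"
    if folder.endswith(":\\windows") or folder.endswith(":\\winnt"):
        return "executable placed directly in the Windows folder"
    return ""


def _finding(section: str, reason: str, detail: str) -> Dict[str, str]:
    return {"section": section, "reason": reason, "detail": detail}


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and return triage findings (hints, not verdicts)."""
    findings: List[Dict[str, str]] = []
    run_targets: Dict[str, str] = {}  # lower-cased path -> first Run name seen
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and "Shell=" in body:
            # Winlogon Shell should be exactly Explorer.exe; anything appended
            # is launched alongside the desktop at every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(_finding(sec, "Winlogon Shell value has an extra program appended", shell))
        elif sec == "O1":
            # A hosts entry pointing a real hostname at a non-loopback address
            # silently redirects that site.
            ip, host = body.split(":", 1)[1].split()[:2]
            if not ip.startswith("127."):
                findings.append(_finding(sec, f"hosts file redirects {host}", ip))
        elif sec == "O4":
            r = RUN_RE.match(body)
            pm = PATH_RE.match(r.group("cmd").strip()) if r else None
            if not pm:
                continue
            path, name = pm.group("path"), r.group("name")
            why = suspicious_path(path)
            if why:
                findings.append(_finding(sec, why, f"[{name}] {path}"))
            # The same target under two Run names is a re-infection trick:
            # remove one entry and the other still starts it.
            key = path.lower()
            if key in run_targets and run_targets[key] != name:
                findings.append(_finding(sec, "same target registered under two Run names",
                                         f"[{run_targets[key]}] and [{name}] -> {path}"))
            run_targets.setdefault(key, name)
        elif sec == "O23":
            # Service lines end with "<owner> - <path>"; display names may
            # themselves contain " - ", so split from the right.
            parts = body.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            owner, path = parts[1], parts[2]
            missing = "(file missing)" in path.lower()
            if owner.lower() == "unknown owner" or missing or suspicious_path(path.replace(" (file missing)", "")):
                findings.append(_finding(sec, "service with unknown owner, missing file or odd path", path))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}: {f['detail']}")
```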

#7 suebaby41

Malware Response Team
Posted 22 March 2009 - 10:15 AM

I have some bad news for you.

Win32.BackDoor-DNM

The entries above indicate your computer may be infected with backdoor trojans. Rootkits, backdoor trojans, botnets, and IRCBots are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information, which they send back to the hacker. These trojans leave a backdoor open on the system that can allow the hacker total and complete access to your computer. Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, take screenshots, log passwords, and start and stop programs. Backdoor trojans send your identity information to a third party who may use that information for their own purposes, such as identity theft, stolen bank funds, stealing credit card information, etc.

Before deciding whether your computer needs cleaning or reformatting, you need to ask yourself some very serious questions.

Do you use your computer for any of the following?
  • Online banking/Business purposes
  • storing sensitive or very personal information
If you answered yes to any of those questions, you should disconnect your computer from the Internet and do a complete format and reinstall. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should change any other passwords you use as these may have been compromised.

David Bach's Six Ways to Avoid Identity Theft

Here are six things you need to know to fight back against identity theft:

1. Keep your private information private.

Half of all identity theft in which the thief is identified is committed by a friend, coworker, neighbor, in-home employee, or relative of the victim. So make it a habit not to leave things lying around at home or in the office -- specifically your wallet, checkbook, or anything else containing private or financial information, including your mail.

Also, before you toss anything in the trash containing your private information, be sure to shred it. This isn't new advice, but I'd be remiss not to mention it.

2. Get a copy of your credit reports.

Often, victims of identity theft have no idea their credit is being used or destroyed until they apply for a loan and pull their credit score. So pull your credit report now, and make a plan to check it regularly.

By law, you're entitled to a free credit report from each of the three major credit bureaus -- Equifax, Experian, and TransUnion -- once every year. Go to AnnualCreditReport.com and stagger your requests so that you'll receive one report from each credit bureau every four months. Put the dates on your calendar so you don't forget. Keep in mind that this is for your free credit report only, not your credit score.

For your credit score, you'll need to go to myFICO. While you're there, you may want to check out their Identity Theft Security Deluxe product, which monitors your credit score and credit report automatically for $49.95 a year.

3. Find out if your state has a credit freeze law.

Here's a virtually foolproof way to prevent a thief from stealing your identity and using your personal data to get approved for credit. With this new law you're able to block ("freeze") all access to your credit report and credit score.

It's not necessarily the most convenient solution to protect yourself from fraud. Anytime you need to have your credit checked -- for instance, if you're buying a car or cell phone or even interviewing for a job -- you'll need to lift the block ("thaw" your record), which takes about three days. But if you have real concerns about identity theft or perhaps are already a victim, this is an option you may want to consider.

Some states will only grant a credit freeze if you're already a victim of identity theft. Find out if your state has a credit freeze law, including what it costs, by visiting FinancialPrivacyNow.org.

4. Check your bank statements weekly.

One of the great things about online banking is that you can log on and check your account at any time. Make a point of checking your bank statement weekly to be sure there aren't any red flags.

The same goes for your credit card statements. In fact, you may want to consider canceling your paper statements altogether and opting for online statements. After all, you're more likely to have personal information stolen from your mail than from the Internet.

That said, be sure to always use a secure computer. Using a public computer, like one at your local library, is risky due to tracking software that thieves can use to steal your passwords.

5. Be computer savvy.

Even though a relatively small percentage of identity theft occurs online, you should still take necessary precautions.

In addition to being careful about surfing the web on public computers, you should also be aware of the risks involved when using a wireless connection. Wi-Fi and Bluetooth are becoming increasingly popular, and as a result, there is bound to be an increase in wireless hacking.

Wireless connectivity is the perfect platform for thieves to get your personal data. If you have a wireless network at home or work, make sure you are incorporating password-protection and encryption. When accessing public hotspots, use a personal firewall.

Also, keep your computer safe by updating your antivirus and anti-spyware programs regularly. Use passwords so that others can't log on to your computer, laptop, or even your PDA, and be sure to change your passwords often.

Be smart about phishing scams, too. That's when you're sent an email that requests your personal or financial information, or that prompts you to click a link to provide your personal or financial information. If you're unsure of the legitimacy of such a request, call the company that it was supposedly sent from. If an email seems suspicious, it usually is.

6. Be aware of "deleted" data.

The Washington Post recently ran an article on mobile phones -- specifically "smartphones" like the Palm Treo and BlackBerry -- that was quite an eye-opener.

According to the story, resetting your phone to wipe out personal data doesn't exactly delete information. It turns out that your phone's operating system never actually deletes data, only the pointers to where the data is located. Anyone with the right software can recover information that was stored on your phone once you sell or discard it.

What you need to do is contact the device manufacturer for complete instructions on what to do to wipe your data clean. You can also visit WirelessRecycling.com for instructions. And think twice about what information you store on your device in case it's ever lost or stolen.

If Your Identity Is Stolen

Take the above steps and -- should you ever find yourself in the unfortunate position of having had your identity stolen -- you'll commend yourself for being proactive enough to identify a problem before too much damage was done.

Don't waste a minute once you've discovered suspicious activity -- go directly to the website of the Federal Trade Commission to file a complaint and access their comprehensive guide on the steps you'll need to follow to resolve the situation.

I recommend backing up your important files and reinstalling everything from scratch. There are so many changes that could have been made if that backdoor was used. Even if we cleaned the infections, it would not help to recover the information that has been compromised, and there is no guarantee that your computer would be safe to use. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum.

If you only use your computer for music/games etc, your better option would be to clean it of infections rather than do a reformat. The decision must be made by you.

Here are some informative links to use to help you make a decision:

Danger: Remote Access Trojans

Consumers – Identity Theft

When should I re-format? How should I reinstall?

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Rootkits: The Obscure Hacker Attack

Help: I Got Hacked. Now What Do I Do?

Microsoft Says Recovery from Malware Becoming Impossible

How to report ID theft, fraud, drive-by installs, hijacking and malware? (#10451)

However, if you do not have the resources to reformat your computer and reinstall your operating system and programs, I will be happy to attempt to clean it.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#8 jcoate42 (Topic Starter)
  • Members
  • 7 posts

Posted 22 March 2009 - 06:48 PM

Thanks a lot for all of the help. I have decided that I will reformat the hard drive. Unfortunately I don't have a recovery CD for the computer since it was a gift from my stepfather. I will try to install Ubuntu. I read somewhere online that one of the viruses saves itself inside the RAM. Do you know a way to get rid of this?
Thanks again.

#9 suebaby41

W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 23 March 2009 - 07:31 AM

one of the viruses saves itself inside the RAM. Do you know a way to get rid of this?

From my research, when the computer is turned off, the RAM clears, but I recommend that you ask your question and receive an answer from the computer experts.
Please post your question(s) regarding this in BleepingComputer's Computer Forum, Windows XP Home and Professional, where the computer experts may help you. My expertise is dealing with malware, and I prefer that you get the help of computer expert(s) in answering your question(s) and/or solving your problem(s). Please include a link to this thread so that the computer experts may see what we have done.

#10 jcoate42 (Topic Starter)
  • Members
  • 7 posts

Posted 23 March 2009 - 03:03 PM

Thanks a bunch for all of the help. I formatted the hard drives and I've installed Linux, so I won't have to worry about any more windows viruses.

#11 suebaby41

W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 23 March 2009 - 06:59 PM

You are welcome. Thank you for letting me know what you decided to do.

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



