
Infected! nds0q.exe/herss.exe


1 reply to this topic

#1 jim101

jim101

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:48 PM

Posted 24 October 2009 - 01:25 PM

My antivirus is picking up various infections: herss.exe, nds0q.exe, etc. Please help!

Here is my DDS log


DDS (Ver_09-10-24.02) - NTFSx86
Run by James at 13:55:01.34 on Sat 10/24/2009
Internet Explorer: 6.0.2900.5512

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: CDNSCacheObj Object: {376892ae-1825-4e5f-9f85-23f9640051cc} - c:\windows\mplayerplgn.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [Google Update] "c:\documents and settings\james\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [cdoosoft] c:\docume~1\james\locals~1\temp\herss.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-24 17:47:42 0 d-----w- c:\program files\Trend Micro
2009-10-24 02:42:23 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-10-24 02:42:23 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-10-24 02:42:20 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-24 02:42:20 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-23 21:50:07 37376 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2009-10-23 21:50:07 32256 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2009-10-23 21:50:07 16480 ----a-w- c:\windows\system32\rixdicon.dll
2009-10-23 21:50:04 90112 ----a-w- c:\windows\system32\snymsico.dll
2009-10-23 21:50:04 43520 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
2009-10-23 21:44:03 0 d-----w- c:\docume~1\james\applic~1\TMP
2009-10-23 20:11:29 0 d-----w- c:\windows\system32\vmm32
2009-10-23 20:08:41 0 d-----w- c:\program files\Dell
2009-10-23 20:08:35 0 d-----w- c:\program files\Creative
2009-10-22 17:07:30 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-10-22 17:07:30 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-10-22 00:18:27 3255 ----a-w- c:\windows\system32\wbem\Outlook_01ca52ad2d4be990.mof
2009-10-22 00:08:47 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-10-21 01:43:35 0 d-----w- c:\windows\system32\scripting
2009-10-21 01:43:35 0 d-----w- c:\windows\system32\en
2009-10-21 01:43:35 0 d-----w- c:\windows\l2schemas
2009-10-21 01:43:34 0 d-----w- c:\windows\system32\bits
2009-10-21 01:39:22 0 d-----w- c:\windows\network diagnostic
2009-10-19 12:49:05 0 d-----w- c:\docume~1\james\applic~1\foobar2000
2009-10-19 12:48:58 0 d-----w- c:\program files\foobar2000
2009-10-19 12:28:20 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-19 12:24:42 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-19 12:24:03 0 d-----w- c:\windows\SHELLNEW
2009-10-19 12:19:40 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-10-19 12:19:40 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-10-19 12:19:40 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-10-19 11:08:01 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-10-18 15:56:52 0 d-----w- c:\windows\system32\XPSViewer
2009-10-18 15:56:25 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-18 15:56:25 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-18 15:56:25 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-18 15:56:25 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-18 15:56:25 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-18 15:56:25 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-18 15:56:25 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-18 15:56:25 0 d-----w- C:\8a7c0d16710e432f93762f
2009-10-18 15:54:19 0 d-----w- c:\program files\MSXML 6.0
2009-10-18 13:19:26 0 d-----w- c:\windows\system32\AGEIA
2009-10-18 13:19:19 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-18 13:18:07 0 d-----w- C:\NVIDIA
2009-10-18 12:55:14 206 ----a-w- c:\windows\system32\MRT.INI
2009-10-17 22:44:54 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-17 22:44:51 0 d-----w- c:\program files\K-Lite Codec Pack
2009-10-17 22:43:30 0 d-----w- c:\program files\Media Player Classic
2009-10-17 18:59:36 0 d-----w- c:\program files\Sierra Entertainment
2009-10-17 18:43:23 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-10-17 18:43:23 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-10-17 18:43:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-10-17 18:42:56 0 d-----w- c:\program files\Heroes of Newerth
2009-10-17 18:10:13 0 d-----w- C:\Movies
2009-10-17 16:34:59 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2009-10-17 16:12:46 0 d-----w- c:\program files\Codemasters
2009-10-17 16:09:21 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-10-17 16:09:19 0 d-----w- c:\program files\DAEMON Tools Toolbar
2009-10-17 16:09:16 0 d-----w- c:\program files\DAEMON Tools Lite
2009-10-17 16:07:29 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-17 16:07:24 0 d-----w- c:\docume~1\james\applic~1\DAEMON Tools Lite
2009-10-17 14:56:05 0 d-----w- C:\DC Shared
2009-10-17 12:28:33 0 d-----w- c:\docume~1\james\applic~1\DC++
2009-10-17 12:28:14 0 d-----w- c:\program files\DC++
2009-10-17 11:44:08 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-17 11:42:03 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-17 11:42:00 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-17 11:41:57 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-17 11:41:53 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-17 11:41:25 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-17 11:41:09 115181 --sh--r- C:\se12ydam.exe
2009-10-17 11:31:46 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-17 11:31:46 0 d-----w- c:\windows\system32\PreInstall
2009-10-17 11:31:45 0 d--h--w- c:\windows\$hf_mig$
2009-10-17 11:23:53 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-10-17 02:02:13 0 d-s---w- c:\documents and settings\james\UserData
2009-10-17 01:51:50 0 d-----w- c:\program files\common files\ODBC
2009-10-17 01:51:47 0 d-----w- c:\program files\common files\SpeechEngines
2009-10-17 01:49:42 0 d-----r- c:\documents and settings\all users\Documents
2009-10-17 00:26:05 0 d-----w- c:\program files\SigmaTel
2009-10-17 00:15:24 0 d-----w- c:\program files\Fingerprint Reader Suite
2009-10-17 00:14:25 0 d-----w- c:\program files\UPEK
2009-10-17 00:14:15 0 d-----w- c:\docume~1\alluse~1\applic~1\UIB
2009-10-17 00:00:42 0 d-sh--w- c:\documents and settings\all users\DRM
2009-10-17 00:00:24 0 d--h--w- c:\program files\WindowsUpdate
2009-10-16 23:59:29 0 d-----w- c:\program files\common files\MSSoap
2009-10-16 23:58:01 0 d-----w- c:\program files\Online Services
2009-10-16 23:57:55 0 d-----w- c:\program files\Messenger
2009-10-16 23:57:51 0 d-----w- c:\program files\MSN Gaming Zone
2009-10-16 23:57:09 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2009-10-18 12:48:59 92415 ----a-w- c:\windows\system32\nvModes.dat
2009-10-16 23:58:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-16 20:30:12 115618 --sh--r- C:\vb0hsoay.exe
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 11:17:52 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-19 13:40:58 458752 ----a-w- c:\windows\system32\nvmccssr.dll
2009-08-19 13:40:58 1282048 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-19 13:40:56 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-19 13:40:54 4407296 ----a-w- c:\windows\system32\nvgamesr.dll
2009-08-19 13:40:54 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-08-19 13:40:52 6074368 ----a-w- c:\windows\system32\nvdispsr.dll
2009-08-19 13:40:48 4018176 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-19 13:40:46 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-19 13:40:46 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-19 13:40:46 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-19 13:40:44 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-19 13:40:44 13762560 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-19 11:35:00 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-08-19 11:35:00 678432 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-19 11:35:00 5957120 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-19 11:35:00 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-19 11:35:00 1757184 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-19 11:35:00 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-08-19 11:35:00 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-19 11:35:00 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-19 11:35:00 1317408 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-19 11:35:00 10039296 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 04:37:01 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37:01 119808 ------w- c:\windows\system32\t2embed.dll

============= FINISH: 13:55:23.95 ===============


Ark and attach.txt are attached. Thank you.
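As an added example (not from the post, and not logic from the DDS tool itself), here is a small Python triage pass over the log format above. It flags the entries a helper would look at first: autoruns launching from a temp folder, BHO registrations with no backing file or a DLL outside system32, and hidden+system executables sitting in a drive root. The sample lines are copied from this log; the heuristics are assumptions for illustration.

```python
import re

# Constructed sample: entries copied from the DDS log in the post, plus benign controls.
DDS_SAMPLE = [
    r"BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File",
    r"BHO: CDNSCacheObj Object: {376892ae-1825-4e5f-9f85-23f9640051cc} - c:\windows\mplayerplgn.dll",
    r"uRun: [cdoosoft] c:\docume~1\james\locals~1\temp\herss.exe",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"',
    r"2009-10-17 11:41:09 115181 --sh--r- C:\se12ydam.exe",
    r"2009-10-16 20:30:12 115618 --sh--r- C:\vb0hsoay.exe",
    r"2009-10-18 12:48:59 92415 ----a-w- c:\windows\system32\nvModes.dat",
]

# Line shapes used in the "Pseudo HJT Report" and the "Created Last 30" / "Find3M" sections.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: .*\{[0-9a-f-]{36}\} - (?P<target>.*)$", re.I)
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\d+) (?P<attr>[-a-z]{8}) (?P<path>.+)$")

def _exe_path(cmd):
    """Pull the executable path out of a Run value ('"quoted path" args' or 'path args')."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage_dds(lines):
    """Return (line, reason) pairs for DDS entries that match the triage heuristics."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            if re.search(r"\\temp\\", _exe_path(m.group("cmd")).lower()):
                hits.append((line, "autorun launches an executable from a temp directory"))
            continue
        m = BHO_RE.match(line)
        if m:
            target = m.group("target").lower()
            if target == "no file":
                hits.append((line, "orphaned BHO registration (CLSID with no backing file)"))
            elif re.fullmatch(r"c:\\windows\\[^\\]+\.dll", target):
                hits.append((line, "BHO DLL in the Windows root rather than system32; verify its publisher"))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            hidden_system_file = "s" in attr and "h" in attr and not attr.startswith("d")
            if hidden_system_file and re.fullmatch(r"[a-z]:\\[^\\]+\.exe", path, re.I):
                hits.append((line, "hidden+system executable dropped in a drive root"))
    return hits

if __name__ == "__main__":
    for line, reason in triage_dds(DDS_SAMPLE):
        print(f"{reason}\n    {line}")
```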

#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:48 PM

Posted 01 November 2009 - 11:00 AM

Hello jim101

Welcome to BleepingComputer :(
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download this file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



