Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Oh Gheez, Crazy Aim Problem


  • Please log in to reply
1 reply to this topic

#1 Redeemer

Redeemer

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 28 April 2006 - 06:28 PM

I've been frantically trying to recover my computer throughout a virus i received via AOL instant messenger. The file is packed ina .rar file and appears to be an svc file. The file unloads slews of trojans/spyware/malware. I've narrowed most of it down but am still in a mess. Here is my Hijack This! log

Logfile of HijackThis v1.99.1
Scan saved at 7:19:54 PM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\loce2n.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\aniServ.exe
C:\WINDOWS\system32\loce2n.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\User\LOCALS~1\Temp\nein.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oovcb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ykcflqw.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\awvts.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: repairs303169575.dll
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\jtn4075qe.dll
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



i get rid of these via spyware search & destroy but they keep planting themselves! I think i've traced the problem to some AppInit_DLLs thingy but i have no idea. Also, newdotnet and surfbuddy wont get out of my system. If you have any information regarding any of the viewable problems please let me know.

BC AdBot (Login to Remove)

 


m

#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:23 AM

Posted 29 April 2006 - 03:09 AM

Hi Redeemer,

You're heavily infected indeed!

Download Brute Force Uninstaller to your C:\
  • Unzip it to it's own folder (C:\BFU). So the folder BFU must be present on your root. in the most cases is this C:\
  • Download qoofix.bat (right-click on the link and choose 'save as...')
  • move qoofix.bat into the C:\BFU - folder. (Important!)
  • Double-click on qooFix.bat, and close all open browsers and windows.
  • Choose for option 1 (Qoolfix autofix) and do what it asks.
  • Be patient, this can take 5 minutes
  • After the reboot, post a new hijackthis log here
------------------

Open HijackThis.
  • Click Open the Misc Tools section.
  • Click Open Uninstall Manager.
  • Click Save list (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users