Please Help Me


12 replies to this topic

#1 jayoo
  • Members
  • 10 posts

Posted 07 July 2006 - 03:09 PM

I downloaded a file and it self-installed all kinds of adware/trojans/viruses on my computer. I managed to fix some of them, but some kept coming back after being deleted. Also, my IE and Firefox are no longer working.
I have used Ad-Aware SE, ewido anti-spyware, Spyware Nuker XT, Spybot - Search & Destroy and Spy Sweeper,
and still these files kept coming back.
Here are the registry entries I couldn't delete that kept coming back in my desktop manager:
TheMonitor - C:\WINDOWS\SYSC00.exe
ftexc - C:\WINDOWS\SYSTEM32\mptft.exe
pxaqxy - C:\WINDOWS\SYSTEM32\qgvyxa.exe
cupttqaA - C:\WINDOWS\cupttqaA.exe
mugsa - C:\WINDOWS\SYSTEM32\qgvyxa.exe


Also, my ewido anti-spyware keeps catching these files, which come up like a pop-up:
C:\WINDOWS\system32\efcdabb.dll adware.Virtumode
C:\WINDOWS\system32\wnuypjb downloader.Qoologic.bj
C:\WINDOWS\system32\hpmdx.exe downloader.Qoologic.bj
C:\WINDOWS\system32\qgvayxa.exe downloader.Qoologic.bj


Here is my HijackThis log. Thank you again for helping.


Logfile of HijackThis v1.99.1
Scan saved at 12:26:35 PM, on 7/7/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\{070A7B40-0BB8-1033-0517-060327030001}\Update.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\DC++ downlaods\setup & exe\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\hpmdx.exe
F2 - REG:system.ini: UserInit=userinit.exe,rlthjgp.exe
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcdabb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam.exe" -silent
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\jay\Local Settings\Temp\{6A93B723-ECAF-4C1A-B8C8-5FC1721A1EE3}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} - http://update.nprotect.net/nprotect/webzen/npx.cab
O20 - Winlogon Notify: efcdabb - C:\WINDOWS\SYSTEM32\efcdabb.dll
O20 - Winlogon Notify: winjne32 - C:\WINDOWS\SYSTEM32\winjne32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Please, if I can get any help on how to remove the problem, it would be very appreciated. Thank you.
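The HijackThis log above contains several persistence entries worth a second look: an extra loader appended to the Winlogon Shell= and UserInit= values (the F2 lines), Winlogon Notify DLLs with random names in system32 (the O20 lines), Run entries that name a bare executable with no directory, a RunServices entry, and a Startup-folder shortcut pointing into a Temp directory. The script below is an added example for this thread, not code from the original post or from HijackThis; it parses log lines of that shape and flags those patterns. The allowlist of stock Windows XP Notify packages and the flagging rules are triage assumptions, not verdicts, and the sample lines are copied from the log posted above plus one constructed benign control line.

```python
"""Triage a HijackThis 1.99 log for the persistence entries seen in this thread.

Added example, not part of the original post. Assumes a stock Windows XP
layout; the sample lines at the bottom are copied from the log posted above
plus one constructed benign control line (crypt32chain).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# XP defaults for the Winlogon values HijackThis reports as F2 lines.
# Anything listed after the default is an extra program run at every logon.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Winlogon Notify packages that ship with Windows XP (assumption: stock XP SP2).
# Third-party security or graphics software may legitimately add more, so an
# unknown name is a lead for a human reviewer, not a verdict.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[[^\]]*\] (.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: .+ = (.+)$")


def check_f2(line):
    """Flag Shell= / UserInit= values that chain an extra loader after the default."""
    m = F2_RE.match(line)
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2)
    loaders = [p.strip() for p in value.split(",") if p.strip()]
    # Compare on the basename so a full path to the default binary is not flagged.
    extras = [p for p in loaders
              if p.lower().rsplit("\\", 1)[-1] != WINLOGON_DEFAULTS[key]]
    if not extras:
        return None
    return Finding(line, f"{key} hijack: extra logon loader(s) {extras}")


def check_o20(line):
    """Flag Winlogon Notify DLLs that are not one of the stock XP packages."""
    m = O20_RE.match(line)
    if not m:
        return None
    name, path = m.groups()
    if name.lower() in KNOWN_NOTIFY:
        return None
    return Finding(line, f"unknown Winlogon Notify package '{name}' -> {path}")


def check_o4(line):
    """Flag RunServices entries, Run entries with no directory, and Temp startup links."""
    m = O4_RUN_RE.match(line)
    if m:
        _hive, key, command = m.groups()
        if key.lower() == "runservices":
            return Finding(line, "RunServices is a Windows 9x key; XP software has no reason to write it")
        if "\\" not in command:
            return Finding(line, "bare filename, resolved through the search path rather than a fixed directory")
        return None
    m = O4_STARTUP_RE.match(line)
    if m and "\\local settings\\temp\\" in m.group(1).lower():
        return Finding(line, "Startup-folder shortcut pointing into a Temp directory")
    return None


CHECKS = (check_f2, check_o20, check_o4)


def triage(log_text):
    """Run every check over every line; return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


# Lines copied from the HijackThis log posted above, plus one constructed
# control line (crypt32chain) that a stock XP machine would show.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\hpmdx.exe
F2 - REG:system.ini: UserInit=userinit.exe,rlthjgp.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\jay\Local Settings\Temp\{6A93B723-ECAF-4C1A-B8C8-5FC1721A1EE3}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\SYSTEM32\crypt32.dll
O20 - Winlogon Notify: efcdabb - C:\WINDOWS\SYSTEM32\efcdabb.dll
O20 - Winlogon Notify: winjne32 - C:\WINDOWS\SYSTEM32\winjne32.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the script reports seven findings: the two F2 loaders (hpmdx.exe and rlthjgp.exe), the two unknown Notify DLLs, both WinProfile entries, and the Temp-folder startup shortcut, while the R0, NvCplDaemon and crypt32chain lines pass. The checks are deliberately narrow; they point a reviewer at the lines that matter rather than deciding anything on their own.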



#2 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 07 July 2006 - 04:56 PM

Hello there,

It is a good idea to print off these instructions; they will be needed later when internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop, where they can be easily found, for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution. So we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add More Files.
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\efcdabb.dll
    • C:\WINDOWS\system32\bbadcfe.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
* Download ComboFix to your desktop.
Double-click combo.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log and the VundoFix log.
David

#3 jayoo
  • Topic Starter
  • Members
  • 10 posts

Posted 07 July 2006 - 05:49 PM

Hello David, and thank you for your quick reply. I know you guys are very busy and I appreciate it.
I have done everything you said.
I ran VundoFix and it found nothing.
I tried to add the files you told me to add, but nothing seemed to happen:
C:\WINDOWS\system32\efcdabb.dll
C:\WINDOWS\system32\bbadcfe.*

Sorry to tell you this now, but I have run VundoFix before.
Here is the VundoFix log:


VundoFix V5.0.0

Checking Java version...

Scan started at 1:32:05 PM 7/7/2006

Listing files found while scanning....

C:\windows\system32\efcdabb.dll
Attempting to delete C:\windows\system32\efcdabb.dll
C:\windows\system32\efcdabb.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.0.0

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:16:42 PM 7/7/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.0.0

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:26:00 PM 7/7/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.0.0

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:38:06 PM 7/7/2006

Listing files found while scanning....

No infected files were found.


VundoFix V5.0.0

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:54:01 PM 7/7/2006

Listing files found while scanning....

No infected files were found.






I did the ComboFix and it went smoothly.
Here is my log for ComboFix:

Start Time= Fri 07/07/2006 15:28:48.74
Running from: C:\Documents and Settings\jay\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

15:31:51.49

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\System32\qgvyxa.exe
C:\WINDOWS\System32\hpmdx.exe
C:\WINDOWS\system32\rlthjgp.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-04-18 15:30:14 536,576 "C:\WINDOWS\system32\DivXsm.exe"
2006-05-03 02:56:58 127,078 "C:\WINDOWS\system32\javaws.exe"
2006-07-07 08:30:00 127,488 "C:\WINDOWS\system32\qgvyxa.exe"
2006-07-07 15:10:40 28,672 "C:\WINDOWS\system32\hpmdx.exe"
2006-05-03 01:19:40 53,346 "C:\WINDOWS\system32\javaw.exe"
2006-04-18 15:30:28 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 15:30:28 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 15:30:28 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 15:34:56 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-07-07 05:19:24 23,552 "C:\WINDOWS\system32\rlthjgp.exe"
2006-04-18 15:31:14 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-07-07 05:19:06 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-04-18 15:31:14 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 15:30:24 245,408 "C:\WINDOWS\system32\unicows.dll"
2006-07-07 15:10:40 51,712 "C:\WINDOWS\system32\wnuypjb.dll"
2006-04-18 15:30:28 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 15:30:28 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 15:30:28 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 15:34:58 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 15:34:58 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-07-07 08:30:00 127,488 "C:\WINDOWS\system32\vekck.dat"
2006-07-07 14:07:44 312 "C:\WINDOWS\obcgp.dll"
2006-07-07 15:05:52 15,168 "C:\WINDOWS\mozver.dat"
2006-07-07 05:23:58 52 "C:\WINDOWS\vvwvbq.dat"
2006-07-07 05:30:24 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inhaf.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


07/07/2006 08:29 AM 127,488 vekck.dat.vir
07/07/2006 08:29 AM 127,488 qgvyxa.exe.vir
07/07/2006 05:30 AM 127,488 inhaf.exe.vir
07/07/2006 03:10 PM 51,712 wnuypjb.dll.vir
07/07/2006 03:10 PM 28,672 hpmdx.exe.vir
07/07/2006 05:19 AM 23,552 rlthjgp.exe.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-04-18 15:30:14 536,576 "C:\WINDOWS\system32\DivXsm.exe"
2006-05-03 02:56:58 127,078 "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53,346 "C:\WINDOWS\system32\javaw.exe"
2006-04-18 15:31:14 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-07-07 05:19:06 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-04-18 15:31:14 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 15:30:24 245,408 "C:\WINDOWS\system32\unicows.dll"
2006-04-18 15:30:28 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 15:30:28 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 15:30:28 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 15:34:56 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-04-18 15:30:28 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 15:30:28 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 15:30:28 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 15:34:58 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 15:34:58 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-07-07 14:07:44 312 "C:\WINDOWS\obcgp.dll"
2006-07-07 15:05:52 15,168 "C:\WINDOWS\mozver.dat"
2006-07-07 05:23:58 52 "C:\WINDOWS\vvwvbq.dat"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\keyboard101.dat
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-07 14:07:44 312 ( A.... ) "C:\WINDOWS\obcgp.dll"
2006-07-07 13:45:40 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-07 10:55:38 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-07 10:50:52 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-07 09:58:54 ( .D... ) "C:\Documents and Settings\jay\Application Data\URSoft"
2006-07-07 09:58:50 ( .D... ) "C:\Program Files\Your Uninstaller 2006"
2006-07-07 09:54:06 ( .D... ) "C:\Documents and Settings\jay\Application Data\Mozilla"
2006-07-07 09:54:04 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-07 08:51:16 ( .D... ) "C:\Documents and Settings\jay\Application Data\PC Tools"
2006-07-07 06:41:46 ( .D... ) "C:\Documents and Settings\jay\Application Data\Regrun"
2006-07-07 06:40:42 ( .D... ) "C:\Program Files\Greatis"
2006-07-07 05:26:18 ( .D... ) "C:\Program Files\PartyPoker"
2006-07-07 05:25:04 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-07-07 05:23:22 1063 ( A.... ) "C:\WINDOWS\system32\vika901a.sys"
2006-07-07 05:23:22 1063 ( A.... ) "C:\WINDOWS\system32\vika901a.sys"
2006-07-07 05:20:12 33012 ( A.... ) "C:\WINDOWS\system32\tpuninstall.exe"
2006-07-07 05:19:56 ( .D... ) "C:\Program Files\Batty"
2006-07-07 05:19:48 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-07-07 05:19:40 61440 ( A.... ) "C:\WINDOWS\system32\vika901a.dll"
2006-07-07 05:19:38 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-07-07 05:19:38 ( .D... ) "C:\Program Files\PSHope"
2006-07-07 05:19:36 235134 ( A.... ) "C:\WINDOWS\srvklallas.exe"
2006-07-07 05:19:36 184829 ( A.... ) "C:\WINDOWS\srvnvuzebk.exe"
2006-07-07 05:19:06 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-07 05:18:56 ( .D... ) "C:\Program Files\Common Files\mqrq"
2006-07-07 05:18:24 ( .D... ) "C:\Program Files\Common Files\{070A7B40-0BB8-1033-0517-060327030001}"
2006-07-07 05:18:18 15872 ( A.... ) "C:\WINDOWS\system32\winjne32.dll"
2006-06-30 23:22:14 ( .D... ) "C:\Program Files\SpeedFan"
2006-06-29 09:26:56 ( .D... ) "C:\Program Files\ATITool"
2006-06-29 07:07:36 61440 ( A.... ) "C:\WINDOWS\system32\BattyRun.dll"
2006-06-26 03:43:00 ( .D... ) "C:\Program Files\VIA"
2006-06-23 08:22:08 9216 ( A.... ) "C:\WINDOWS\dmspasg.dll"
2006-06-20 17:55:26 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Presets"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Plug-Ins"
2006-06-09 09:09:52 ( .D... ) "C:\Program Files\NVIDIA Corporation"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-04-19 13:09:20 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-04-19 13:09:20 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-04-18 15:34:58 421888 ( ..... ) "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 15:34:58 372736 ( ..... ) "C:\WINDOWS\system32\px.dll"
2006-04-18 15:34:58 172032 ( ..... ) "C:\WINDOWS\system32\pxmas.dll"
2006-04-18 15:34:58 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-04-18 15:34:58 61440 ( ..... ) "C:\WINDOWS\system32\pxhpinst.exe"
2006-04-18 15:34:58 56320 ( ..... ) "C:\WINDOWS\system32\pxinsa64.exe"
2006-04-18 15:34:56 339968 ( ..... ) "C:\WINDOWS\system32\pxwave.dll"
2006-04-18 15:31:14 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-04-18 15:31:14 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 15:30:58 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-04-18 15:30:30 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-04-18 15:30:28 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-04-18 15:30:28 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 15:30:28 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 15:30:28 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 15:30:28 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 15:30:24 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-04-18 15:30:14 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-04-10 11:37:12 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-01-07 07:41:30 210 ( A.... ) "C:\Program Files\INSTALL.LOG"
2005-06-21 05:00:36 26624 ( A.SH. ) "C:\Program Files\Thumbs.db"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-07 13:46 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-07 13:46 49,248 C:\WINDOWS\system32\java.exe
2006-07-07 13:46 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-07 10:27 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 10:27 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-07 05:19 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-07 05:19 61,440 C:\WINDOWS\system32\vika901a.dll
2006-07-07 05:19 38,412 C:\WINDOWS\ssqbn.exe
2006-07-07 05:19 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-07 05:19 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-07 05:19 312 C:\WINDOWS\obcgp.dll
2006-07-07 05:19 235,134 C:\WINDOWS\srvklallas.exe
2006-07-07 05:19 184,829 C:\WINDOWS\srvnvuzebk.exe
2006-07-07 05:19 1,063 C:\WINDOWS\system32\vika901a.sys
2006-07-07 05:18 324,304 C:\WINDOWS\cupttqaA.exe
2006-07-07 05:18 303,728 C:\WINDOWS\cupttqa.exe
2006-07-07 05:18 15,872 C:\WINDOWS\system32\winjne32.dll
2006-06-29 07:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-23 08:22 9,216 C:\WINDOWS\dmspasg.dll
2006-06-20 17:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
2006-06-17 16:04 9,759 C:\WINDOWS\system32\HSF_INST.dll
2006-06-09 09:16 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-09 09:16 348,160 C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinProfile"="sndcfg16.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"WinProfile"="sndcfg16.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Steam"="\"c:\\program files\\valve\\steam.exe\" -silent"
"EasyDVDMon"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{070A7B40-0BB8-1033-0517-060327030001}"="\"C:\\Program Files\\Common Files\\{070A7B40-0BB8-1033-0517-060327030001}\\Update.exe\" mc-110-12-0000228"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\NetMeeting\\pofodosu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\svcWRSSSDK
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\svcWRSSSDK


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: Fri 07/07/2006 15:36:20.95
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt


Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:55 PM, on 7/7/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\{070A7B40-0BB8-1033-0517-060327030001}\Update.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\DC++ downlaods\setup & exe\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam.exe" -silent
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} - http://update.nprotect.net/nprotect/webzen/npx.cab
O20 - Winlogon Notify: winjne32 - C:\WINDOWS\SYSTEM32\winjne32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thank you again for guiding me through this. I will be waiting for your next reply :thumbsup:

Edited by jayoo, 07 July 2006 - 06:00 PM.


#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:03:41 AM

Posted 08 July 2006 - 03:59 AM

Heya jayoo,
Vundofix worked well, I just think you missed it working :thumbsup:

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\BattyRun.dll
C:\WINDOWS\dmspasg.dll
C:\WINDOWS\system32\vika901a.sys
C:\WINDOWS\system32\vika901a.dll


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG, Avira OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease the reliability of your system!
Zonealarm, Agnitum Outpost Free OR Kerio are FREE firewalls.
Understanding and using firewalls

Please open Notepad and copy and paste the next bold part into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{89e4aaba-3b21-49b3-b922-8ca35193c68e}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-

Save this as "fix.reg" (choose to save as *all files) and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.


*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} - http://update.nprotect.net/nprotect/webzen/npx.cab
O20 - Winlogon Notify: winjne32 - C:\WINDOWS\SYSTEM32\winjne32.dll


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Download KillBox from here
- Click killbox.exe.
- Select the option "Delete on reboot".
- Click the button: All Files (!important!)
- Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\obcgp.dll
C:\WINDOWS\vvwvbq.dat
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\system32\uninstIcn.exe
C:\WINDOWS\system32\sndcfg16.exe
C:\WINDOWS\system32\winjne32.dll
C:\WINDOWS\cupttqaA.exe
C:\WINDOWS\cupttqa.exe
C:\WINDOWS\srvklallas.exe
C:\WINDOWS\srvnvuzebk.exe


- Open 'File' in the KillBox menu at the top and choose Paste from clipboard
- Then press the button that looks like a red circle with a white X in it.
- Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
- If you don't get that message, reboot manually.
- Your computer should reboot now.

Ignore the errors you'll get after the reboot, that's normal; they will be gone after performing the next steps.

After the reboot find and delete the following two folders:
C:\Program Files\Common Files\mqrq
C:\Program Files\Common Files\{070A7B40-0BB8-1033-0517-060327030001}

Then post a new Hijackthis log and a new Combofix log.
David
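One way to check, after the "Fix Checked" pass above, which of the listed items actually disappeared and which survive only as dangling registry pointers (HijackThis marks those "(file missing)" or "(no file)"). This is an added Python example, not part of David's instructions or of HijackThis itself; the sample lines are copied from the logs in this thread, while the entry-key format and function names are my own.

```python
"""Diff a HijackThis fix checklist against the post-fix log.

An entry that is gone was removed; one that is still there but marked
"(file missing)" is an orphaned autostart pointer whose target file was
deleted (for example by KillBox) while the registry value remained.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis entry line: section tag (R0, O4, O20, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+)\s+-\s+(.*)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def orphaned(self) -> bool:
        # HJT flags registry pointers whose target no longer exists on disk.
        return "(file missing)" in self.body or "(no file)" in self.body

    @property
    def key(self) -> str:
        # Identity without the trailing path/target, so that
        # "winjne32 - C:\WINDOWS\SYSTEM32\winjne32.dll" and
        # "winjne32 - winjne32.dll (file missing)" are the same entry.
        parts = self.body.split(" - ")
        name = " - ".join(parts[:-1]) if len(parts) > 1 else self.body
        return f"{self.section}|{name}"


def parse_hjt(log: str) -> list[Entry]:
    """Extract entry lines from a HijackThis log; header and process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def fix_report(checklist: str, after_log: str) -> dict[str, list[str]]:
    """Classify each checklist item by what the post-fix log shows."""
    after = {e.key: e for e in parse_hjt(after_log)}
    report: dict[str, list[str]] = {"removed": [], "orphaned": [], "still_present": []}
    for item in parse_hjt(checklist):
        hit = after.get(item.key)
        if hit is None:
            report["removed"].append(item.key)
        elif hit.orphaned:
            report["orphaned"].append(item.key)
        else:
            report["still_present"].append(item.key)
    return report


def orphaned_entries(log: str) -> list[str]:
    """Every dangling autostart pointer left in a log, whether on the checklist or not."""
    return [e.key for e in parse_hjt(log) if e.orphaned]


# Sample input: the five checklist lines from this post.
CHECKLIST = r"""
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} - http://update.nprotect.net/nprotect/webzen/npx.cab
O20 - Winlogon Notify: winjne32 - C:\WINDOWS\SYSTEM32\winjne32.dll
"""

# Sample input: an excerpt of the log posted after the fix and reboot.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for status, keys in fix_report(CHECKLIST, AFTER_LOG).items():
        print(f"{status}: {keys}")
```

The O20 item shows up as orphaned rather than removed: KillBox deleted winjne32.dll, but the Winlogon Notify value still points at it, which is why the later log still lists it.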

#5 jayoo

jayoo
  • Topic Starter

  • Members
  • 10 posts
  • Local time:09:41 PM

Posted 08 July 2006 - 06:09 AM

Hello again, David.

Everything you said worked perfectly. I'll be buying Norton AntiVirus very soon. Oh, btw, am I missing any important files?

here is the HJT log after the reboot

Logfile of HijackThis v1.99.1
Scan saved at 4:03:12 AM, on 7/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jay\Desktop\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam.exe" -silent
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


and here is the new combofix log

Start Time= Sat 07/08/2006 4:04:49.92
Running from: C:\Documents and Settings\jay\Desktop\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-07 13:45:40 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-07 10:55:38 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-07 10:50:52 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-07 09:58:54 ( .D... ) "C:\Documents and Settings\jay\Application Data\URSoft"
2006-07-07 09:58:50 ( .D... ) "C:\Program Files\Your Uninstaller 2006"
2006-07-07 09:54:06 ( .D... ) "C:\Documents and Settings\jay\Application Data\Mozilla"
2006-07-07 09:54:04 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-07 08:51:16 ( .D... ) "C:\Documents and Settings\jay\Application Data\PC Tools"
2006-07-07 06:41:46 ( .D... ) "C:\Documents and Settings\jay\Application Data\Regrun"
2006-07-07 06:40:42 ( .D... ) "C:\Program Files\Greatis"
2006-07-07 05:25:04 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-07-07 05:23:22 1063 ( A.... ) "C:\WINDOWS\system32\vika901a.sys"
2006-07-07 05:23:22 1063 ( A.... ) "C:\WINDOWS\system32\vika901a.sys"
2006-07-07 05:20:12 33012 ( A.... ) "C:\WINDOWS\system32\tpuninstall.exe"
2006-07-07 05:19:56 ( .D... ) "C:\Program Files\Batty"
2006-07-07 05:19:40 61440 ( A.... ) "C:\WINDOWS\system32\vika901a.dll"
2006-07-07 05:19:38 ( .D... ) "C:\Program Files\PSHope"
2006-07-07 05:19:06 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-06-30 23:22:14 ( .D... ) "C:\Program Files\SpeedFan"
2006-06-29 09:26:56 ( .D... ) "C:\Program Files\ATITool"
2006-06-29 07:07:36 61440 ( A.... ) "C:\WINDOWS\system32\BattyRun.dll"
2006-06-26 03:43:00 ( .D... ) "C:\Program Files\VIA"
2006-06-23 08:22:08 9216 ( A.... ) "C:\WINDOWS\dmspasg.dll"
2006-06-20 17:55:26 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Presets"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Plug-Ins"
2006-06-09 09:09:52 ( .D... ) "C:\Program Files\NVIDIA Corporation"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-04-19 13:09:20 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-04-19 13:09:20 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-04-18 15:34:58 421888 ( ..... ) "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 15:34:58 372736 ( ..... ) "C:\WINDOWS\system32\px.dll"
2006-04-18 15:34:58 172032 ( ..... ) "C:\WINDOWS\system32\pxmas.dll"
2006-04-18 15:34:58 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-04-18 15:34:58 61440 ( ..... ) "C:\WINDOWS\system32\pxhpinst.exe"
2006-04-18 15:34:58 56320 ( ..... ) "C:\WINDOWS\system32\pxinsa64.exe"
2006-04-18 15:34:56 339968 ( ..... ) "C:\WINDOWS\system32\pxwave.dll"
2006-04-18 15:31:14 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-04-18 15:31:14 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 15:30:58 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-04-18 15:30:30 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-04-18 15:30:28 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-04-18 15:30:28 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 15:30:28 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 15:30:28 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 15:30:28 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 15:30:24 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-04-18 15:30:14 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-04-10 11:37:12 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-01-07 07:41:30 210 ( A.... ) "C:\Program Files\INSTALL.LOG"
2005-06-21 05:00:36 26624 ( A.SH. ) "C:\Program Files\Thumbs.db"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-07 13:46 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-07 13:46 49,248 C:\WINDOWS\system32\java.exe
2006-07-07 13:46 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-07 10:27 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 10:27 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-07 05:19 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-07 05:19 61,440 C:\WINDOWS\system32\vika901a.dll
2006-07-07 05:19 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-07 05:19 1,063 C:\WINDOWS\system32\vika901a.sys
2006-06-29 07:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-23 08:22 9,216 C:\WINDOWS\dmspasg.dll
2006-06-20 17:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
2006-06-17 16:04 9,759 C:\WINDOWS\system32\HSF_INST.dll
2006-06-09 09:16 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-09 09:16 348,160 C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Steam"="\"c:\\program files\\valve\\steam.exe\" -silent"
"EasyDVDMon"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{070A7B40-0BB8-1033-0517-060327030001}"="\"C:\\Program Files\\Common Files\\{070A7B40-0BB8-1033-0517-060327030001}\\Update.exe\" mc-110-12-0000228"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\NetMeeting\\pofodosu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\svcWRSSSDK
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\svcWRSSSDK


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At4.job

Completion time: Sat 07/08/2006 4:05:11.62
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt



Thank you again for taking your time on this! Very appreciated.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:03:41 AM

Posted 08 July 2006 - 06:33 AM

No problem, jayoo, glad to be able to help.

I analysed those 4 files and they are all safe to delete.
Please navigate to the following and delete them:

C:\WINDOWS\system32\BattyRun.dll
C:\WINDOWS\dmspasg.dll
C:\WINDOWS\system32\vika901a.sys
C:\WINDOWS\system32\vika901a.dll

I need you to attempt the registry fix again.
I have created the file for you and it is attached below.
[attachment=902:attachment]
Save this and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Please reboot and post back with a new Hijackthis log and a new Combofix log.
Also, please let me know how the computer is running for you :thumbsup:
David

#7 jayoo

jayoo
  • Topic Starter

  • Members
  • 10 posts
  • Local time:09:41 PM

Posted 08 July 2006 - 07:21 AM

hello david

My computer is running much better now. I get a pop-up from IE once in a while though, and the files still show up in my startup task manager (startup shield):

TheMonitor - C:\WINDOWS\SYSC00.exe
ftexc - C:\WINDOWS\SYSTEM32\mptft.exe
pxaqxy -C:\WINDOWS\SYSTEM32\qgvyxa.exe
cupttqaA -C:\WINDOWS\cupttqaA.exe
mugsa -C:\WINDOWS\SYSTEM32\qgvyxa.exe
SunJavaupdatesched -C:\Program files\Java\jre1.5.0_07\bin\jusched.exe
Should I allow or deny these?

here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:43 AM, on 7/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\jay\Desktop\ANTI-Malvirus\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam.exe" -silent
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

and here is the Combofix log:

Start Time= Sat 07/08/2006 5:13:16.28
Running from: C:\Documents and Settings\jay\Desktop\ANTI-Malvirus\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-07 13:45:40 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-07 10:55:38 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-07 10:50:52 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-07 09:58:54 ( .D... ) "C:\Documents and Settings\jay\Application Data\URSoft"
2006-07-07 09:54:06 ( .D... ) "C:\Documents and Settings\jay\Application Data\Mozilla"
2006-07-07 09:54:04 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-07 08:51:16 ( .D... ) "C:\Documents and Settings\jay\Application Data\PC Tools"
2006-07-07 06:41:46 ( .D... ) "C:\Documents and Settings\jay\Application Data\Regrun"
2006-07-07 06:40:42 ( .D... ) "C:\Program Files\Greatis"
2006-07-07 05:25:04 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-07-07 05:20:12 33012 ( A.... ) "C:\WINDOWS\system32\tpuninstall.exe"
2006-07-07 05:19:56 ( .D... ) "C:\Program Files\Batty"
2006-07-07 05:19:38 ( .D... ) "C:\Program Files\PSHope"
2006-07-07 05:19:06 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-06-30 23:22:14 ( .D... ) "C:\Program Files\SpeedFan"
2006-06-29 09:26:56 ( .D... ) "C:\Program Files\ATITool"
2006-06-26 03:43:00 ( .D... ) "C:\Program Files\VIA"
2006-06-20 17:55:26 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Presets"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Plug-Ins"
2006-06-09 09:09:52 ( .D... ) "C:\Program Files\NVIDIA Corporation"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-04-19 13:09:20 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-04-19 13:09:20 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-04-18 15:34:58 421888 ( ..... ) "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 15:34:58 372736 ( ..... ) "C:\WINDOWS\system32\px.dll"
2006-04-18 15:34:58 172032 ( ..... ) "C:\WINDOWS\system32\pxmas.dll"
2006-04-18 15:34:58 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-04-18 15:34:58 61440 ( ..... ) "C:\WINDOWS\system32\pxhpinst.exe"
2006-04-18 15:34:58 56320 ( ..... ) "C:\WINDOWS\system32\pxinsa64.exe"
2006-04-18 15:34:56 339968 ( ..... ) "C:\WINDOWS\system32\pxwave.dll"
2006-04-18 15:31:14 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-04-18 15:31:14 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 15:30:58 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-04-18 15:30:30 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-04-18 15:30:28 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-04-18 15:30:28 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 15:30:28 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 15:30:28 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 15:30:28 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 15:30:24 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-04-18 15:30:14 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-04-10 11:37:12 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-01-07 07:41:30 210 ( A.... ) "C:\Program Files\INSTALL.LOG"
2005-06-21 05:00:36 26624 ( A.SH. ) "C:\Program Files\Thumbs.db"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-07 13:46 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-07 13:46 49,248 C:\WINDOWS\system32\java.exe
2006-07-07 13:46 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-07 10:27 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 10:27 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-07 05:19 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-07 05:19 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-06-20 17:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
2006-06-17 16:04 9,759 C:\WINDOWS\system32\HSF_INST.dll
2006-06-09 09:16 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-09 09:16 348,160 C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Steam"="\"c:\\program files\\valve\\steam.exe\" -silent"
"EasyDVDMon"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{070A7B40-0BB8-1033-0517-060327030001}"="\"C:\\Program Files\\Common Files\\{070A7B40-0BB8-1033-0517-060327030001}\\Update.exe\" mc-110-12-0000228"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\NetMeeting\\pofodosu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\svcWRSSSDK
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\svcWRSSSDK


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At4.job

Completion time: Sat 07/08/2006 5:13:44.26
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-08.051316.txt


ty :thumbsup:

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:41 AM

Posted 08 July 2006 - 07:26 AM

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!
We haven't finished yet jayoo :thumbsup:

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture.
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

c:\bfu\alcanshorty.bfu

Click Ok
Then click execute in Brute Force Uninstaller.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

* Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.
If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Please reboot back to normal mode.

As with all malware like this, it never comes alone and there are probably infected files left on your computer. Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply by using Add Reply, along with a new Hijackthis log, along with the ewido log.
David

#9 jayoo

jayoo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 08 July 2006 - 01:13 PM

ok finished scanning with ewido and did the Panda online scan, took quite some time
the ewido log is too long to post here, is there a way I can attach the file here?
well here are the logs: panda activescan log, HJT log, & combofix log


Incident Status Location

Adware:adware/comet Not disinfected c:\windows\inf\dm.PNF
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\jay\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\jay\Application Data\Registry Cleaner
Spyware:spyware/virtumonde Not disinfected Windows Registry
Virus:Trj/Downloader.JKC Disinfected C:\!KillBox\ssqbn.exe
Adware:Adware/DollarRevenue Not disinfected C:\!KillBox\winjne32.dll
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jay\Application Data\Netscape\NSB\Profiles\9yjjf6id.default\cookies.txt[.atwola.com/]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\jay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-3aa83661.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\jay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-3aa83661.zip[Installer.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\jay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-562403c5-6a40c7f0.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\jay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-562403c5-6a40c7f0.zip[Installer.class]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\jay\Cookies\jay@adrevolver[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\jay\Cookies\jay@apmebf[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\jay\Cookies\jay@azjmp[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\jay\Cookies\jay@errorsafe[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\jay\Cookies\jay@mmm.media-motor[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jay\Cookies\jay@realmedia[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\jay\Cookies\jay@www.errorsafe[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jay\Desktop\ANTI-Malvirus\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jay\My Documents\download\ofuqitzjay\Scripts\xufishv5\external\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jay\My Documents\JP files\FF stuff\Xunleashed scripts\CTS_rel_v_1_1.rar[xufishv5\external\process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jay\My Documents\Xunleashed\Scripts\xufishv5\external\process.exe
Adware:Adware/NewAds Not disinfected C:\WINDOWS\system32\tpuninstall.exe
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\zlara.dll

Edited by jayoo, 08 July 2006 - 01:19 PM.


#10 jayoo

jayoo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 08 July 2006 - 01:14 PM

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:00:52 AM, on 7/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\jay\Desktop\ANTI-Malvirus\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam.exe" -silent
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe




Combofix log


Start Time= Sat 07/08/2006 11:01:07.92
Running from: C:\Documents and Settings\jay\Desktop\ANTI-Malvirus\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-07 13:45:40 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-07 10:55:38 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-07 10:50:52 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-07 09:58:54 ( .D... ) "C:\Documents and Settings\jay\Application Data\URSoft"
2006-07-07 09:54:06 ( .D... ) "C:\Documents and Settings\jay\Application Data\Mozilla"
2006-07-07 09:54:04 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-07 08:51:16 ( .D... ) "C:\Documents and Settings\jay\Application Data\PC Tools"
2006-07-07 06:41:46 ( .D... ) "C:\Documents and Settings\jay\Application Data\Regrun"
2006-07-07 06:40:42 ( .D... ) "C:\Program Files\Greatis"
2006-07-07 05:25:04 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-07-07 05:20:12 33012 ( A.... ) "C:\WINDOWS\system32\tpuninstall.exe"
2006-07-07 05:19:56 ( .D... ) "C:\Program Files\Batty"
2006-07-07 05:19:38 ( .D... ) "C:\Program Files\PSHope"
2006-07-07 05:19:06 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-06-30 23:22:14 ( .D... ) "C:\Program Files\SpeedFan"
2006-06-29 09:26:56 ( .D... ) "C:\Program Files\ATITool"
2006-06-26 03:43:00 ( .D... ) "C:\Program Files\VIA"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Presets"
2006-06-09 09:16:16 ( .D... ) "C:\Program Files\Plug-Ins"
2006-06-09 09:09:52 ( .D... ) "C:\Program Files\NVIDIA Corporation"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-04-19 13:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-04-19 13:09:20 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-04-19 13:09:20 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-04-18 15:34:58 421888 ( ..... ) "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 15:34:58 372736 ( ..... ) "C:\WINDOWS\system32\px.dll"
2006-04-18 15:34:58 172032 ( ..... ) "C:\WINDOWS\system32\pxmas.dll"
2006-04-18 15:34:58 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-04-18 15:34:58 61440 ( ..... ) "C:\WINDOWS\system32\pxhpinst.exe"
2006-04-18 15:34:58 56320 ( ..... ) "C:\WINDOWS\system32\pxinsa64.exe"
2006-04-18 15:34:56 339968 ( ..... ) "C:\WINDOWS\system32\pxwave.dll"
2006-04-18 15:31:14 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-04-18 15:31:14 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 15:30:58 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-04-18 15:30:30 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-04-18 15:30:28 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-04-18 15:30:28 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 15:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 15:30:28 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 15:30:28 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 15:30:28 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 15:30:24 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-04-18 15:30:14 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-04-10 11:37:12 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-01-07 07:41:30 210 ( A.... ) "C:\Program Files\INSTALL.LOG"
2005-06-21 05:00:36 26624 ( A.SH. ) "C:\Program Files\Thumbs.db"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-07 13:46 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-07 13:46 49,248 C:\WINDOWS\system32\java.exe
2006-07-07 13:46 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-07 10:27 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-07 10:27 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-07 05:19 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-07 05:19 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-06-17 16:04 9,759 C:\WINDOWS\system32\HSF_INST.dll
2006-06-09 09:16 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-09 09:16 348,160 C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Steam"="\"c:\\program files\\valve\\steam.exe\" -silent"
"EasyDVDMon"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{070A7B40-0BB8-1033-0517-060327030001}"="\"C:\\Program Files\\Common Files\\{070A7B40-0BB8-1033-0517-060327030001}\\Update.exe\" mc-110-12-0000228"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\NetMeeting\\pofodosu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\svcWRSSSDK
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\svcWRSSSDK


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At4.job

Completion time: Sat 07/08/2006 11:01:29.24
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-08.051316.txt
ComboFix.2006-07-08.110107.txt

Edited by jayoo, 08 July 2006 - 01:17 PM.


#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:03:41 AM

Posted 09 July 2006 - 03:16 AM

Heya Jayoo.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the ewido log that you want to submit.
Then click the Send File button below.

Any reason why your windows isn't up to date? You don't have even ServicePack1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

Please empty this folder:
C:\!KillBox

- Click killbox.exe.
- Select the option "Delete on reboot".
- Click the button: All Files (!important!)
- Now it should flash green.

Now copy the next bold part:

c:\windows\inf\dm.PNF
C:\Documents and Settings\jay\Local Settings\Temporary Internet Files\Ssk.log
c:\program files\Need2Find
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\zlara.dll


- Open 'file' in the killboxmenu on top and choose Paste from clipboard
- Then press the button that looks like a red circle with a white X in it.
- Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
- If you don't get that message, reboot manually.
- Your computer should reboot now.

Ignore the errors you'll get after reboot, that's normal, they will be gone after performing the next steps.

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

I see remains of a smitfraud infection.
Please download SmitfraudFix (by S!Ri)
  • Extract the content (a folder named SmitfraudFix) to your Desktop.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #1 - Search by typing 1, and press Enter.
  • A text file will appear, which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
  • Note : process.exe is detected by some antivirus programs as a "RiskTool"; it is not a virus, but a program used to stop system processes.
David
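The checks David asks for above (the Winlogon Notify entry with a missing DLL, the extra Active Desktop component, the oddly named SharedTaskScheduler value) can be applied to the logs mechanically. The script below is an added example written for this thread; it is not part of HijackThis, ComboFix, SmitfraudFix or anything David posted. It reads HijackThis O20 lines and ComboFix "Reg Loading Points" sections and reports the three kinds of leftover. The sample input is constructed from entries quoted earlier in this thread, and the function names and regular expressions are my own.

```python
import re

# Constructed sample input, modelled on the HijackThis and ComboFix excerpts
# quoted in this thread (entries copied from the logs above, not a live scan).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)
"""

COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\NetMeeting\\pofodosu.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"
"""

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def winlogon_notify_findings(hjt_log: str) -> list[tuple[str, str]]:
    """Winlogon Notify packages whose DLL HijackThis reported as missing.

    A Notify registration pointing at a file that no longer exists is a leftover
    from removed malware; the fix is to delete the registry entry.
    """
    findings = []
    for line in hjt_log.splitlines():
        m = O20_RE.match(line.strip())
        if m and m.group("missing"):
            findings.append((m.group("name"), m.group("dll")))
    return findings


def parse_reg_sections(reg_text: str) -> dict[str, dict[str, str]]:
    """Parse the [key] / "name"="data" layout ComboFix uses for loading points."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # Registry exports double every backslash inside string data.
            sections[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return sections


def desktop_component_findings(sections: dict) -> list[tuple[str, str]]:
    """Active Desktop components whose Source is anything other than About:Home.

    Smitfraud-style infections register a local HTML file here so it is drawn on
    the desktop; David's step of removing everything except "My current home
    page" in Display Properties clears these entries.
    """
    findings = []
    for key, values in sections.items():
        if "\\desktop\\components\\" in key:
            source = values.get("Source", "")
            if source.lower() != "about:home":
                findings.append((key.rsplit("\\", 1)[1], source))
    return findings


def sharedtaskscheduler_findings(sections: dict) -> list[tuple[str, str]]:
    """SharedTaskScheduler values whose name is not a CLSID.

    Legitimate entries are keyed by the CLSID of the component to load; the
    "furnariidae" value in this thread has an arbitrary name with the CLSID as
    its data, and it is the entry the SmitfraudFix report lists in its
    Sharedtaskscheduler section.
    """
    findings = []
    for key, values in sections.items():
        if key.endswith("\\sharedtaskscheduler"):
            for name, data in values.items():
                if not CLSID_RE.match(name):
                    findings.append((name, data))
    return findings


def triage(hjt_log: str, combofix_log: str) -> dict[str, list[tuple[str, str]]]:
    """Run all three checks and group the results by category."""
    sections = parse_reg_sections(combofix_log)
    return {
        "winlogon_notify_missing": winlogon_notify_findings(hjt_log),
        "desktop_components": desktop_component_findings(sections),
        "sharedtaskscheduler": sharedtaskscheduler_findings(sections),
    }


if __name__ == "__main__":
    for category, items in triage(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(category)
        for name, detail in items:
            print(f"  {name}: {detail}")
```

Run it on a saved HijackThis log and ComboFix.txt by passing their contents to `triage()`; the three lists it returns are exactly the items a helper would ask the poster to remove by hand.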

#12 jayoo

jayoo
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 09 July 2006 - 07:38 AM

ok I have sent the ewido file but unfortunately I can't install WSP1 or 2 because my key is invalid. I turned on auto update window and it started updating the new files and tried to install sp1. after it failed to install it installed a GWAtray.exe into my windows/system32. now every time I restart my computer I get the
Windows Genuine Advantage Notification telling me to buy genuine windows. well my computer was running very well for a long time without the sp1. this is probably the worst problem I had on my computer.

well here is my SmitfraudFix log



SmitFraudFix v2.68b

Scan done at 5:08:41.26, Sun 07/09/2006
Run from C:\Documents and Settings\jay\Desktop\ANTI-Malvirus\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jay\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\jay\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



and here's my new hjt log



Logfile of HijackThis v1.99.1
Scan saved at 5:30:00 AM, on 7/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\jay\Desktop\ANTI-Malvirus\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam.exe" -silent
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe




thank you david for not giving up on me. :thumbsup:

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:03:41 AM

Posted 09 July 2006 - 07:46 AM

Hey there,

Please fix this entry with HJT:
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)

I assume that you have an illegal version of Windows. Although your computer is clean now, I can almost guarantee that a few months down the line you will be in the same situation that you were about a week ago. Without the updates you get with a paid version of Windows, you will get infected, no matter how hard you try - I guarantee that. I cannot force you, but I would seriously recommend that you go and purchase a legal copy of Windows and update to Service Pack 2 - you will be protected against the sort of malicious files that caused this in the first place. Although I have cleaned this computer as much as I possibly can, you will notice you may still get errors, and the damage done is irreversible - if this happens again you may lose everything on your computer. Just a warning. Think of updates like medicine - if you get ill again and don't have the medicine, you die. I'm not a Microsoft salesperson either, but I strongly suggest you purchase a legal copy.

If you don't, then you can try to improve the security on your computer.
The latest log is looking clean!
Follow this list and your potential for being infected again will reduce dramatically.

Use an Anti Virus Software -
* It is very important that your computer has anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & stand-alone anti-virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest security updates available installed.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly.

Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David
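The O20 entry David asks to fix is a Winlogon Notify package whose DLL HijackThis could not find on disk. Notify packages are loaded by winlogon.exe at logon, so any entry there that cannot be accounted for deserves a look, and an entry marked "(file missing)" is a dangling load left behind after the DLL itself was removed. The following is an added example, not code from this thread or from HijackThis: a small Python triage helper that parses the O4, O20 and O23 lines of an HJT-style log, resolves the file that actually executes (including the DLL behind a rundll32 launcher), and queues the entries that need a human decision. The sample log is constructed from lines in the shape of those quoted in the thread; the regular expressions and review heuristics are this example's own assumptions about the HJT 1.99.1 line format.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a HijackThis 1.99.1 log. The O4, O20 and
# O23 lines are modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjne32 - winjne32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

MISSING = "(file missing)"

# One pattern per HJT section handled here (assumed line format); each yields a name and the raw target.
LINE_PATTERNS: Dict[str, re.Pattern] = {
    "O4": re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<target>.*)$"),
}

# Either a quoted string or an unquoted drive-rooted path ending in a loadable extension.
PATH_RE = re.compile(
    r'"(?P<q>[^"]+)"|(?P<u>[A-Za-z]:\\[^",]*?\.(?:exe|dll|ocx|ocm|cpl|scr)\b)', re.I
)


@dataclass
class Entry:
    section: str
    name: str
    target: str
    vendor: Optional[str] = None
    file_missing: bool = False
    host: Optional[str] = None   # "rundll32.exe" when a launcher loads the real payload
    path: Optional[str] = None   # best-effort path of the code that actually runs
    flags: List[str] = field(default_factory=list)


def resolve_target(target: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, path): the launcher, if any, and the file that really executes."""
    body = target.replace(MISSING, "").strip()
    tokens = body.split()
    first = ntpath.basename(tokens[0].strip('"')).lower() if tokens else ""
    paths = [m.group("q") or m.group("u") for m in PATH_RE.finditer(body)]
    if first == "rundll32.exe":
        # With rundll32 the code of interest is the DLL it is told to load, not rundll32 itself.
        payload = [p for p in paths if ntpath.basename(p).lower() != "rundll32.exe"]
        return "rundll32.exe", (payload[0] if payload else None)
    return None, (paths[0] if paths else None)


def parse_log(text: str) -> List[Entry]:
    """Parse the O4/O20/O23 lines of an HJT-style log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for section, pattern in LINE_PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            host, path = resolve_target(m.group("target"))
            entries.append(Entry(section=section, name=m.group("name"), target=m.group("target"),
                                 vendor=m.groupdict().get("vendor"),
                                 file_missing=MISSING in m.group("target"), host=host, path=path))
            break
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags and return only the entries that need a human decision."""
    for e in entries:
        if e.file_missing:
            e.flags.append("target file missing: orphaned entry, remove it (the HJT 'fix')")
        elif e.section == "O20" and e.path is None:
            # Notify packages are loaded into winlogon.exe at logon, so an unresolved one must be identified.
            e.flags.append("Winlogon Notify DLL could not be resolved to a file; identify it")
        if e.host == "rundll32.exe":
            e.flags.append(f"rundll32-hosted: the code that runs is {e.path}")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section} [{e.name}] -> {e.path}")
        for f in e.flags:
            print("    ", f)
```

Run as a script it prints the review queue for the sample log: the orphaned winjne32 entry and the two rundll32-hosted Run entries, each with the DLL that actually gets loaded. Everything else in the sample (the ewido, Java, WgaLogon and NVIDIA lines) resolves to a real path and produces no flag, which is the point of surfacing the launcher-hosted and missing-file cases rather than the whole log.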



