
Need Help Removing A Virus!

#1 S-A-N-D-M-A-N (Members, 3 posts)

Posted 10 September 2006 - 07:05 PM

Every time I come on my PC, which is very rare nowadays, I get like 5 error popups right when it starts up and about 5 random popups from the internet. Plus adware and malware. I downloaded HijackThis and did the scan; I'll post the log, I think it is. Not a big PC wiz so I'm not sure. I think this is it though. Any help is appreciated!



F2 - REG:system.ini: UserInit=userinit.exe,wpmpnfq.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469F-83B8-BD2AE6D9FA2E} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-83B8-BD2AE6D9FA2E} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143534237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\Run: [gpvafe76] RUNDLL32.EXE w0a6a6e7.dll,n 002afe74000000030a6a6e7
O4 - HKLM\..\Run: [{2B-BE-E3-38-ZN}] C:\WINDOWS\system32\ojdsregs.exe CORN003
O4 - HKLM\..\Run: [w0a78977.dll] RUNDLL32.EXE w0a78977.dll,I2 002afe7400a78977
O4 - HKLM\..\Run: [mrvhywoA] C:\WINDOWS\mrvhywoA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [mrchajgA] C:\WINDOWS\mrchajgA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinkpex.exe CORN003
O4 - HKLM\..\Run: [ms049106376-140] C:\WINDOWS\ms049106376-140.exe
O4 - HKLM\..\Run: [win3208376-1409106] C:\WINDOWS\win3208376-1409106.exe
O4 - HKLM\..\Run: [ms0606376-14091] C:\WINDOWS\ms0606376-14091.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [qyabe] C:\WINDOWS\System32\ulohda.exe reg_run
O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegistryDefender.exe"
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [PSCloner] "C:\Program Files\PSCloner\PSCloner.exe"
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134987713828
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {65BD126C-9E4B-4371-911F-EE85CA17D52B} - C:\WINDOWS\System32\OTPDDP~1.DLL
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\guard.tmp
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
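
The log above mixes legitimate autoruns (NVIDIA, Java, AOL, MSN) with the entries a helper reacts to on sight: a UserInit value with a second executable appended after userinit.exe, Run values that launch executables straight out of C:\WINDOWS or from the drive root, rundll32 calls that load a DLL by bare name, an AppInit_DLLs entry, and a Winlogon Notify package pointing at a .tmp file. The Python below is an added example, not part of the thread and not HijackThis code, that applies those indicators to a constructed subset of the log's own lines. The indicator names, the short list of executables allowed directly under C:\WINDOWS, and the set of misleading value names are assumptions made for the example; an empty result is not a clean machine (ojdsregs.exe and qwinkpex.exe sit in System32 with ordinary-looking paths and are not caught by these checks).

```python
"""Triage HijackThis F2 / O4 / O20 lines for the persistence indicators that
stand out in the log above. Added example, not HijackThis code; the sample
lines are a constructed subset of the posted log."""
import re

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")

# Executables that legitimately live directly under C:\WINDOWS (partial list, an assumption).
KNOWN_WINDIR_EXES = {"explorer.exe", "notepad.exe", "regedit.exe"}
# Run-value names chosen to look like Windows components (assumption, taken from this log).
MISLEADING_NAMES = {"shell", "defender", "keyboard", "system"}
WINDIR = "c:\\windows\\"


def first_token(cmd):
    """Executable at the start of a Run value, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(line):
    """Return [(indicator, detail), ...] for one HijackThis line; [] if nothing stands out."""
    findings = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        exe = first_token(cmd)
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        stem = base.rsplit(".", 1)[0]
        args = cmd.split(None, 1)
        if base == "rundll32.exe" and len(args) > 1:
            # A DLL named without a path is located through the DLL search order rather
            # than from a fixed location; the NvCpl.dll entry gives its full path.
            dll_arg = args[1].split(",", 1)[0]
            if "\\" not in dll_arg:
                findings.append(("rundll32_relative_dll", dll_arg))
        elif low.startswith(WINDIR) and "\\" not in low[len(WINDIR):]:
            # Executable directly under C:\WINDOWS rather than in a subdirectory.
            if base not in KNOWN_WINDIR_EXES:
                findings.append(("exe_in_windir_root", exe))
        elif low.startswith("c:\\\\"):
            # "C:\\dfndrff_11a.exe": doubled backslash, the file sits at the drive root.
            findings.append(("exe_at_drive_root", exe))
        if sum(ch.isdigit() for ch in stem) >= 5:
            findings.append(("digit_heavy_name", base))
        if name.lower() in MISLEADING_NAMES:
            findings.append(("misleading_value_name", name))
        return findings

    m = F2_RE.match(line)
    if m:
        # The default is userinit.exe alone; anything after the comma also runs at logon.
        parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
        extras = [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extras:
            findings.append(("userinit_extra_exe", ", ".join(extras)))
        return findings

    m = O20_RE.match(line)
    if m:
        kind, rest = m.group("kind"), m.group("rest").strip()
        if kind == "AppInit_DLLs":
            # Loaded into every process that maps user32.dll; review any value here.
            findings.append(("appinit_dll", rest))
        elif rest.lower().endswith(".tmp"):
            # A Winlogon Notify package is a DLL; a .tmp name is not how one is shipped.
            findings.append(("winlogon_notify_tmp_dll", rest.split(" - ")[-1]))
        return findings
    return findings


def triage_log(text):
    """Map each flagged line to its findings; unflagged lines are omitted."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            found = triage(line)
            if found:
                report[line] = found
    return report


# Constructed subset of the posted log (legitimate NVIDIA and MSN lines kept as controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,wpmpnfq.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKLM\..\Run: [gpvafe76] RUNDLL32.EXE w0a6a6e7.dll,n 002afe74000000030a6a6e7
O4 - HKLM\..\Run: [mrvhywoA] C:\WINDOWS\mrvhywoA.exe
O4 - HKLM\..\Run: [ms049106376-140] C:\WINDOWS\ms049106376-140.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\guard.tmp
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        print(line)
        for indicator, detail in findings:
            print(f"    {indicator}: {detail}")
```

Run as a script it prints the eight flagged lines with their indicators and stays silent on the NVIDIA and MSN controls. The checks are deliberately location-based (where the file is, how it is loaded) rather than name-based, because the random names change from one sample to the next while the loading tricks do not.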


#2 kairis (Members, 327 posts, Location: Finland)

Posted 11 September 2006 - 02:46 AM

Hi and welcome. My name is kairis and I will be helping you.

You have some crap there! But don't worry; we'll get you cleaned up!
Please follow my steps in the right order...
We'll start with this:

* It is very important that your computer has anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and their stand-alone anti-virus programs:
It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

Use a Firewall -
* I cannot stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
You should also have a good firewall. Here are 2 free ones available for personal use:

Step 1:
I need you to rename HijackThis because I suspect that you may have the Vundo infection that can hide some entries in your log.
Please go to the folder where you saved HijackThis.exe.
Right-click on it, then select Rename.
Name it as: scanner.exe and then reboot.

Step 2:
Please download ComboFix to your desktop.
Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step 3:
In your next reply, please include the following logs: fresh HijackThis, and ComboFix report. Thanks.

Edited by kairis, 11 September 2006 - 02:58 AM.


#3 S-A-N-D-M-A-N (Topic Starter, Members, 3 posts)

Posted 15 September 2006 - 11:26 PM

ComboFix Log:
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Garrett\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{91F29F06-5472-4B60-938B-028D9891403E}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{91F29F06-5472-4B60-938B-028D9891403E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91F29F06-5472-4B60-938B-028D9891403E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91F29F06-5472-4B60-938B-028D9891403E}\InprocServer32]
@="C:\\WINDOWS\\system32\\syellstyle.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{32762FC6-F1BA-4E74-90AA-DB9E45045B6C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32762FC6-F1BA-4E74-90AA-DB9E45045B6C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32762FC6-F1BA-4E74-90AA-DB9E45045B6C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32762FC6-F1BA-4E74-90AA-DB9E45045B6C}\InprocServer32]
@="C:\\WINDOWS\\system32\\surialui.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{8B5E5795-13D4-480D-9AEB-130647F0A15F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B5E5795-13D4-480D-9AEB-130647F0A15F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B5E5795-13D4-480D-9AEB-130647F0A15F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B5E5795-13D4-480D-9AEB-130647F0A15F}\InprocServer32]
@="C:\\WINDOWS\\system32\\mjvidc32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AE316203-8450-437E-BD74-C07C7D9B3E97}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AE316203-8450-437E-BD74-C07C7D9B3E97}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AE316203-8450-437E-BD74-C07C7D9B3E97}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AE316203-8450-437E-BD74-C07C7D9B3E97}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{F55616CF-E991-45D4-835F-5CF74610B34C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F55616CF-E991-45D4-835F-5CF74610B34C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F55616CF-E991-45D4-835F-5CF74610B34C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F55616CF-E991-45D4-835F-5CF74610B34C}\InprocServer32]
@="C:\\WINDOWS\\system32\\spimeng.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{57B46378-1638-4D46-9B1C-CD2997DC8510}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57B46378-1638-4D46-9B1C-CD2997DC8510}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57B46378-1638-4D46-9B1C-CD2997DC8510}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57B46378-1638-4D46-9B1C-CD2997DC8510}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C8F09BBF-C127-4862-9DEB-6482184B5184}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8F09BBF-C127-4862-9DEB-6482184B5184}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8F09BBF-C127-4862-9DEB-6482184B5184}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8F09BBF-C127-4862-9DEB-6482184B5184}\InprocServer32]
@="C:\\WINDOWS\\system32\\pqtorec.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\kfdru1.dll
C:\WINDOWS\system32\KNDAL.DLL
C:\WINDOWS\system32\kvdnec.dll
C:\WINDOWS\system32\kydhe220.dll
C:\WINDOWS\system32\lv6m09j1e.dll
C:\WINDOWS\system32\mwdocs.dll
C:\WINDOWS\system32\pqtorec.dll
C:\WINDOWS\system32\u8ruli9918.dll
C:\WINDOWS\system32\wenrnr.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-26 14:34 28672 ra8pv.exe.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\dfndrff_11a[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\dfndrff_8[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\drsmartload45a[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\drsmartload45a[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\drsmartload46a[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\drsmartload46a[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\drsmartload849a[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\drsmartload849a[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\FTCCDRJD\drsmartload45a[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\FTCCDRJD\drsmartload46a[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\FTCCDRJD\drsmartload849a[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\FTCCDRJD\drsmartload849a[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\kybrdff_8[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\MTE3NDI6ODoxNg[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\MTE3NDI6ODoxNg[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\CLCHMF85\nwnmfg_8[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\CLCHMF85\nwnmfg_8[2].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\nwnmff_8[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\FTCCDRJD\nwnmff_11[1].exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\D1BN6SMT\stub_113_4_0_4_0[1].exe
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ghynf.exe
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\redistributor.exe
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\setup.exe.tmp
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\offun.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\system32ghynf.exe
C:\WINDOWS\system32n9nyb.exe
C:\WINDOWS\uninst104.exe
C:\WINDOWS\uni_ehhhh.exe
C:\Program Files\cmfibula
C:\Program Files\outlook
C:\Program Files\PSLister
C:\Program Files\batty2
C:\Program Files\Common Files\{AC02BE38-08A3-1033-1021-050922050001}


((((((((((((((((((((((((((((((( Files Created from 2006-08-15 to 2006-09-15 ))))))))))))))))))))))))))))))))))


2006-09-15 21:16 106,496 --a------ C:\WINDOWS\Duce6.exe
2006-09-15 21:00 163,840 --a------ C:\WINDOWS\sys02409106376-1.exe
2006-08-27 18:52 25 --a------ C:\WINDOWS\sys0309106376-142006.exe
2006-08-27 18:21 159,744 --a------ C:\WINDOWS\win3208376-1409106.exe
2006-08-26 15:07 78,488 --a------ C:\WINDOWS\system32\XMD5.dll
2006-08-26 15:07 101,888 --a------ C:\WINDOWS\system32\vb6stkit.dll
2006-08-26 14:36 926 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-08-26 14:34 28,672 --a------ C:\WINDOWS\System32ra8pv.exe
2006-08-26 14:34 28,672 --a------ C:\WINDOWS\system32\mnopdb.exe
2006-08-26 14:34 24,576 --a------ C:\WINDOWS\System32ha3f.exe
2006-08-26 14:34 24,576 --a------ C:\WINDOWS\system32\ha3f.exe
2006-08-26 14:34 0 --a------ C:\WINDOWS\System32fufudc.exe
2006-08-26 14:15 186,223 --a------ C:\WINDOWS\srvbysntpz.exe
2006-08-20 15:07 773,728 -r-hs---- C:\WINDOWS\mrchajg.exe
2006-08-20 15:07 764,816 -r-hs---- C:\WINDOWS\mrchajgA.exe
2006-08-20 15:07 186,223 --a------ C:\WINDOWS\srvdbopzfu.exe
2006-08-20 15:05 914,304 -r-hs---- C:\WINDOWS\mrvhywoA.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-15 21:17 -------- d-------- C:\Program Files\Common Files
2006-09-15 21:11 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-15 21:08 -------- d-------- C:\Program Files\Scanner.exe
2006-09-10 17:01 -------- d-------- C:\Program Files\PSCloner
2006-08-27 18:50 -------- d-------- C:\Program Files\World of Warcraft
2006-08-26 15:21 -------- d-------- C:\Program Files\SpywareBot
2006-08-26 14:49 -------- d-------- C:\Documents and Settings\Garrett\Application Data\Talkback
2006-08-26 14:49 -------- d-------- C:\Documents and Settings\Garrett\Application Data\Mozilla
2006-08-26 14:48 -------- d-------- C:\Program Files\Windows NT
2006-08-26 14:31 -------- d-------- C:\Program Files\xerox
2006-08-20 15:24 -------- d-------- C:\Program Files\MSN
2006-08-20 15:07 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-07 21:50 -------- d-------- C:\Program Files\AdwareAlert
2006-08-07 21:34 -------- d-------- C:\Program Files\Lavasoft
2006-08-07 21:34 -------- d-------- C:\Documents and Settings\Garrett\Application Data\Lavasoft
2006-08-07 21:19 820224 --a------ C:\WINDOWS\is-QFO95.exe
2006-08-07 17:03 28672 --a------ C:\WINDOWS\system32\iqqr.exe
2006-08-07 08:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll
2006-08-06 23:02 -------- d-------- C:\Documents and Settings\Garrett\Application Data\Symantec
2006-08-06 23:01 1167 --a------ C:\WINDOWS\system32\gpvafe76.sys
2006-08-06 22:50 -------- d-------- C:\Documents and Settings\Garrett\Application Data\Registry Defender
2006-08-06 22:44 32443 --a------ C:\WINDOWS\system32\uninstIcn.exe
2006-08-01 20:20 -------- d---s---- C:\Documents and Settings\Garrett\Application Data\Microsoft
2006-07-28 15:01 -------- d-------- C:\Documents and Settings\Garrett\Application Data\LimeWire
2006-07-13 07:38 389120 --a------ C:\WINDOWS\system32\nodeipproc.dll
2006-06-23 08:22 9216 --a------ C:\WINDOWS\eptpare.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"Registry Defender"="\"C:\\Program Files\\Registry Defender Trial\\RegistryDefender.exe\""
"CMFibula"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""
"PSCloner"="\"C:\\Program Files\\PSCloner\\PSCloner.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1143534237\\ee\\AOLSoftware.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"gpvafe76"="RUNDLL32.EXE w0a6a6e7.dll,n 002afe74000000030a6a6e7"
"{2B-BE-E3-38-ZN}"="C:\\WINDOWS\\system32\\ojdsregs.exe CORN003"
"w0a78977.dll"="RUNDLL32.EXE w0a78977.dll,I2 002afe7400a78977"
"mrvhywoA"="C:\\WINDOWS\\mrvhywoA.exe"
"mrchajgA"="C:\\WINDOWS\\mrchajgA.exe"
"win3208376-1409106"="C:\\WINDOWS\\win3208376-1409106.exe"
"ms0606376-14091"="C:\\WINDOWS\\ms0606376-14091.exe"
"sys02409106376-1"="C:\\WINDOWS\\sys02409106376-1.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN\\kyzes.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows NT\\howyqyf.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,de,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,de,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Fri 09/15/2006 21:19:56.17
ComboFix.txt


HIJACK THIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 9:24:05 PM, on 9/15/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1143534237\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\mrvhywoA.exe
C:\WINDOWS\mrchajgA.exe
C:\WINDOWS\win3208376-1409106.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\sys02409106376-1.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Scanner.exe\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143534237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [gpvafe76] RUNDLL32.EXE w0a6a6e7.dll,n 002afe74000000030a6a6e7
O4 - HKLM\..\Run: [{2B-BE-E3-38-ZN}] C:\WINDOWS\system32\ojdsregs.exe CORN003
O4 - HKLM\..\Run: [w0a78977.dll] RUNDLL32.EXE w0a78977.dll,I2 002afe7400a78977
O4 - HKLM\..\Run: [mrvhywoA] C:\WINDOWS\mrvhywoA.exe
O4 - HKLM\..\Run: [mrchajgA] C:\WINDOWS\mrchajgA.exe
O4 - HKLM\..\Run: [win3208376-1409106] C:\WINDOWS\win3208376-1409106.exe
O4 - HKLM\..\Run: [ms0606376-14091] C:\WINDOWS\ms0606376-14091.exe
O4 - HKLM\..\Run: [sys02409106376-1] C:\WINDOWS\sys02409106376-1.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegistryDefender.exe"
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [PSCloner] "C:\Program Files\PSCloner\PSCloner.exe"
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134987713828
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {65BD126C-9E4B-4371-911F-EE85CA17D52B} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
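
Two things in the ComboFix log above are worth more than a glance. Under "Other Deletions" it lists cmd.com, netstat.com, ping.com, regedit.com, taskkill.com, tasklist.com and tracert.com in C:\WINDOWS\system32: a .com with the same stem as a native tool is what runs when the name is typed without an extension, because .COM precedes .EXE in the default PATHEXT order, so every `ping` or `tasklist` the user (or a cleanup script) runs executes the malware instead. Under "Files Created" several executables directly in C:\WINDOWS carry the `-r-hs----` attributes (read-only, hidden, system), which keeps them out of default Explorer views. The Python below is an added example, not ComboFix code and not part of the thread, that parses the kinds of lines ComboFix prints and flags both patterns over a constructed subset of the log's own entries. The attribute column layout (d, r, a, h, s) is read off the log's `d--------`, `--a------` and `-r-hs----` entries, and the list of console tools that only ship as .exe is a partial list assumed for the example.

```python
"""Flag command-shadowing .com files and hidden+system executables in the kind
of file listing ComboFix prints. Added example, not ComboFix code; the sample
paths and listing lines are a constructed subset of the log above."""
import re

# Native console tools that ship only as .exe; a same-named .com in a PATH directory
# is picked first when the name is typed without an extension, because .COM precedes
# .EXE in the default PATHEXT order. Partial list, an assumption for this example.
CONSOLE_TOOLS = {
    "cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert",
    "msconfig", "regsvr32", "ipconfig", "nslookup", "telnet",
}
EXECUTABLE_EXTS = {"exe", "dll", "sys", "scr"}

# "2006-08-20 15:07 773,728 -r-hs---- C:\WINDOWS\mrchajg.exe": the attribute columns
# are read as d (directory), r (read-only), a (archive), h (hidden), s (system), which
# is how the log's own "d--------", "--a------" and "-r-hs----" entries decode.
LISTING_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[d-][r-][a-][h-][s-]\S{4})\s+(?P<path>.+)$"
)


def parse_listing(line):
    """Parse one ComboFix listing line into a dict, or None if it is not one."""
    m = LISTING_RE.match(line.strip())
    if not m:
        return None
    attrs, size = m.group("attrs"), m.group("size")
    return {
        "path": m.group("path"),
        "size": int(size.replace(",", "")) if size[0].isdigit() else None,
        "directory": attrs[0] == "d",
        "readonly": attrs[1] == "r",
        "hidden": attrs[3] == "h",
        "system": attrs[4] == "s",
    }


def shadowed_tool(path):
    """Return the tool name if path is <tool>.com for a tool that only ships as .exe."""
    base = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = base.rpartition(".")
    return stem if ext == "com" and stem in CONSOLE_TOOLS else None


def review(deleted_paths, listing_lines):
    """Findings as (indicator, path, note) over ComboFix's deletion list and file listing."""
    findings = []
    for path in deleted_paths:
        tool = shadowed_tool(path)
        if tool:
            findings.append(("pathext_shadow", path,
                             f"typing '{tool}' runs {tool}.com before {tool}.exe"))
    for line in listing_lines:
        entry = parse_listing(line)
        if entry is None or entry["directory"]:
            continue
        ext = entry["path"].rsplit(".", 1)[-1].lower()
        if ext in EXECUTABLE_EXTS and entry["hidden"] and entry["system"]:
            # Hidden+system on a freshly created executable hides it from default Explorer views.
            findings.append(("hidden_system_executable", entry["path"],
                             f"{entry['size']} bytes, attributes hidden+system"))
    return findings


# Constructed subset of the "Other Deletions" and "Files Created" sections above.
DELETED = [
    r"C:\WINDOWS\system32\cmd.com",
    r"C:\WINDOWS\system32\ghynf.exe",
    r"C:\WINDOWS\system32\netstat.com",
    r"C:\WINDOWS\system32\ping.com",
    r"C:\WINDOWS\system32\regedit.com",
    r"C:\WINDOWS\system32\taskkill.com",
    r"C:\WINDOWS\system32\tasklist.com",
    r"C:\WINDOWS\system32\tracert.com",
]
LISTING = r"""
2006-09-15 21:16 106,496 --a------ C:\WINDOWS\Duce6.exe
2006-08-26 14:36 926 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-08-20 15:07 773,728 -r-hs---- C:\WINDOWS\mrchajg.exe
2006-08-20 15:07 764,816 -r-hs---- C:\WINDOWS\mrchajgA.exe
2006-08-20 15:05 914,304 -r-hs---- C:\WINDOWS\mrvhywoA.exe
2006-09-15 21:11 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-01 20:20 -------- d---s---- C:\Documents and Settings\Garrett\Application Data\Microsoft
"""

if __name__ == "__main__":
    for indicator, path, note in review(DELETED, LISTING.splitlines()):
        print(f"{indicator:26} {path}  ({note})")
```

The shadowing check is the reason helpers ask for tool output from a known-good binary (or a renamed copy, as with scanner.exe above) rather than from whatever `tasklist` resolves to on the infected machine: on this box, seven of the commands a responder would reach for first had been replaced.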

#4 kairis (Members, 327 posts, Location: Finland)

Posted 16 September 2006 - 01:43 AM

Hi and thanks for the logs.

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a
Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for : Windows Update

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.

=================

It is very important that your computer has anti-virus software running on your machine.

=================

Use a Firewall

=================

#5 S-A-N-D-M-A-N (Topic Starter, Members, 3 posts)

Posted 17 September 2006 - 06:34 PM

Well, I appreciate your attempt to help me and all, but don't bother. I'm just gonna bleepin' light the piece of bleep on fire. Sorry for wasting your time, which could have been used to help someone else.

#6 kairis (Members, 327 posts, Location: Finland)

Posted 18 September 2006 - 06:46 AM

Ok.

#7 kairis (Members, 327 posts, Location: Finland)

Posted 25 September 2006 - 02:34 AM

This Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread.



