
Really Forked It Up This Time


This topic is locked
22 replies to this topic

#1 rbharris


Posted 08 November 2006 - 12:40 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:36:07 AM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\isdejsw.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jmfkioi.exe
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [isdejswA] C:\WINDOWS\isdejswA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155604805208
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155605745756
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - AppInit_DLLs: dxclib303562752.dll,phbodkpd.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\isdejsw.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Was wondering if anyone can help.


#2 -David-


Posted 08 November 2006 - 01:09 PM

Go to the folder where HijackThis is kept and rename the HijackThis application to "showme".
This can be done by right-clicking on the program and clicking "rename".
Press Enter, then open "showme.exe" by double-clicking.
Post a new HijackThis log from the newly named application.

#3 rbharris


Posted 08 November 2006 - 02:12 PM

Will Do.

Logfile of HijackThis v1.99.1
Scan saved at 1:08:49 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\isdejsw.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jmfkioi.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11A8EFA8-EC8B-43D9-916D-2C287A68EC4A} - C:\Program Files\ComPlus Applications\medo.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {BFD12129-43D6-427E-B493-D22D195A9345} - C:\WINDOWS\system32\efefd.dll
O2 - BHO: (no name) - {D1641948-AB89-FC5A-DEDB-D728E77B30EC} - C:\WINDOWS\system32\urskww.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [isdejswA] C:\WINDOWS\isdejswA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155604805208
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155605745756
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - AppInit_DLLs: dxclib303562752.dll,phbodkpd.dll
O20 - Winlogon Notify: efefd - C:\WINDOWS\system32\efefd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winclk32 - C:\WINDOWS\SYSTEM32\winclk32.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\isdejsw.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#4 -David-


Posted 08 November 2006 - 05:44 PM

Ok, let's get started on all the infections you have.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

#5 rbharris


Posted 08 November 2006 - 06:02 PM

Here's what SmitFraudFix says:

SmitFraudFix v2.119

Scan done at 16:53:26.52, Wed 11/08/2006
Run from D:\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

And a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:57:28 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\isdejswA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\isdejsw.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jmfkioi.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11A8EFA8-EC8B-43D9-916D-2C287A68EC4A} - C:\Program Files\ComPlus Applications\medo.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {8F48D374-270F-4D56-86D8-774FC5E17E8F} - C:\WINDOWS\system32\efefd.dll
O2 - BHO: (no name) - {D1641948-AB89-FC5A-DEDB-D728E77B30EC} - C:\WINDOWS\system32\urskww.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [isdejswA] C:\WINDOWS\isdejswA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - AppInit_DLLs: dxclib303562752.dll,phbodkpd.dll
O20 - Winlogon Notify: efefd - C:\WINDOWS\system32\efefd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winclk32 - C:\WINDOWS\SYSTEM32\winclk32.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\isdejsw.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#6 -David-


Posted 08 November 2006 - 06:15 PM

Ok good, let's move on.

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

David

#7 rbharris


Posted 09 November 2006 - 12:06 AM

Fantastic, here's what VundoFix found:

VundoFix V6.2.8

Checking Java version...

Scan started at 10:55:34 PM 11/8/2006

Listing files found while scanning....

C:\WINDOWS\system32\winclk32.dll
C:\WINDOWS\system32\efefd.dll
C:\WINDOWS\system32\dfefe.ini
C:\WINDOWS\system32\dfefe.bak1
C:\WINDOWS\system32\dfefe.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winclk32.dll
C:\WINDOWS\system32\winclk32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efefd.dll
C:\WINDOWS\system32\efefd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfefe.ini
C:\WINDOWS\system32\dfefe.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfefe.bak1
C:\WINDOWS\system32\dfefe.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfefe.bak2
C:\WINDOWS\system32\dfefe.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

And here is another HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:09 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\isdejswA.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\isdejsw.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\HijackThis\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jmfkioi.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11A8EFA8-EC8B-43D9-916D-2C287A68EC4A} - C:\Program Files\ComPlus Applications\medo.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {8F48D374-270F-4D56-86D8-774FC5E17E8F} - C:\WINDOWS\system32\efefd.dll (file missing)
O2 - BHO: (no name) - {D1641948-AB89-FC5A-DEDB-D728E77B30EC} - C:\WINDOWS\system32\urskww.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [isdejswA] C:\WINDOWS\isdejswA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - AppInit_DLLs: dxclib303562752.dll,phbodkpd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\isdejsw.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

I appreciate all of the help.
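The helper in this thread reads each new log against the previous one and singles out the same handful of clues: entries whose file is gone, services with no vendor, an extra program appended to UserInit, AppInit_DLLs and Winlogon Notify hooks, and a text/html MIME filter. As an added example (not code from this thread, from HijackThis, or from either poster), that triage and the before/after comparison can be scripted; the sample logs are excerpts of the logs in posts #5 and #7, and the function names and flag wording are this example's own.

```python
"""Triage and diff HijackThis v1.99.1 log entries.

Added example for this thread; it is not HijackThis code and not code
posted by either participant. The heuristics encode the clues the helper
acted on in the thread. The sample logs are excerpts of posts #5 and #7.
"""
import re

# One HijackThis entry line: section tag, " - ", rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Excerpt of the log in post #5 (before VundoFix ran).
BEFORE = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,jmfkioi.exe
O2 - BHO: (no name) - {8F48D374-270F-4D56-86D8-774FC5E17E8F} - C:\\WINDOWS\\system32\\efefd.dll
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\\WINDOWS\\system32\\s9ndzm6.dll
O20 - AppInit_DLLs: dxclib303562752.dll,phbodkpd.dll
O20 - Winlogon Notify: efefd - C:\\WINDOWS\\system32\\efefd.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: winclk32 - C:\\WINDOWS\\SYSTEM32\\winclk32.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\\WINDOWS\\system32\\msasvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Excerpt of the log in post #7 (after VundoFix ran).
AFTER = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,jmfkioi.exe
O2 - BHO: (no name) - {8F48D374-270F-4D56-86D8-774FC5E17E8F} - C:\\WINDOWS\\system32\\efefd.dll (file missing)
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\\WINDOWS\\system32\\s9ndzm6.dll
O20 - AppInit_DLLs: dxclib303562752.dll,phbodkpd.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\\WINDOWS\\system32\\msasvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""


def parse_entries(log_text):
    """Return (section, body) pairs for entry lines; the header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_entry(section, body):
    """Return the reasons an entry deserves a closer look (empty list if none fired)."""
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned: referenced file is gone")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor information")
    if section == "F2" and "UserInit=" in body:
        # Every program listed after userinit.exe is started at each logon.
        programs = body.split("UserInit=", 1)[1].split(",")
        extras = [p.strip() for p in programs
                  if p.strip() and not p.strip().lower().endswith("userinit.exe")]
        if extras:
            reasons.append("extra program in UserInit: " + ", ".join(extras))
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs are loaded into every process that links user32.dll.
        reasons.append("AppInit_DLLs hook")
    if section == "O20" and body.startswith("Winlogon Notify:") and "WgaLogon" not in body:
        # WgaLogon is Microsoft's Windows Genuine Advantage package; other packages here are suspect.
        reasons.append("non-standard Winlogon Notify package")
    if section == "O18" and body.startswith("Filter: text/html"):
        reasons.append("text/html MIME filter can rewrite every page IE renders")
    return reasons


def triage_log(log_text):
    """Map each flagged entry line to its list of reasons."""
    flagged = {}
    for section, body in parse_entries(log_text):
        reasons = triage_entry(section, body)
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged


def diff_logs(before_text, after_text):
    """Return (entries that disappeared, entries that appeared) between two logs."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    gone, new = diff_logs(BEFORE, AFTER)
    print("removed since previous log:")
    for section, body in gone:
        print("  ", section, "-", body)
    print("new since previous log:")
    for section, body in new:
        print("  ", section, "-", body)
    print("still worth a look:")
    for line, why in triage_log(AFTER).items():
        print("  ", line, "->", "; ".join(why))
```

Run against the two excerpts it reports the two Winlogon Notify packages VundoFix removed, the BHO whose DLL is now missing, and the UserInit, AppInit_DLLs, MIME filter and unknown-owner service that remained for the next round.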

#8 -David-


Posted 09 November 2006 - 01:39 PM

Ok good work, let's move on.
We've still got loads of nasties to deal with.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Please download ComboFix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David

#9 rbharris


Posted 09 November 2006 - 04:35 PM

Here's the uninstall_list:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop 5.5
Adobe Reader 7.0.5
AOL Instant Messenger
Battlefield 2™
Call Of Cthulhu DCoTE
Call of Duty
Computer Alarm Clock
DeluxeCommunications
Deus Ex
Deus Ex - Invisible War (remove only)
DH Driver Cleaner Professional Edition
Diskeeper Professional Premier Edition
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Elinks
ewido anti-spyware 4.0
Grand Theft Auto Vice City
HijackThis 1.99.1
IpWins
iTunes
Java 2 Runtime Environment, SE v1.4.2_12
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash Player 8
MediaTickets by OIN
Microsoft Office XP Professional
Morrowind
Mozilla Firefox (1.0.7)
Nero 7 Ultra Edition
NVIDIA Drivers
NVTweak
Oblivion
PowerDVD
QuickTime
Star Wars Jedi Knight Jedi Academy
Star Wars JK II Jedi Outcast
Steam
TargetSaver
TES Construction Set
ToolBar888
Tweak UI
Viewpoint Media Player
VSAdd-in for Internet Explorer
Web Nexus Network
Winamp (remove only)
Window Washer
Windows Live Messenger
Windows Overlay Components
Windows XP Service Pack 2
WinFast® Display Driver
WinFox Setup
WinRAR archiver
Yazzle by OIN

And the ComboFix log:

Ryan - 06-11-09 15:26:18.70 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Ryan\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-11-07 19:04 142 gcnio.dll.qoo
06-11-07 19:03 53 vowncl.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bkd.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\tsuninst.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\Common Files\{34515FC0-081A-1033-1007-031210200001}
C:\Program Files\Common Files\{64515FC0-081A-1033-1007-031210200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\YSTEM~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\Program Files\YSTEM~1\??ool32.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-09 to 2006-11-09 ))))))))))))))))))))))))))))))))))


2006-11-08 19:22 60,436 --a------ C:\WINDOWS\system32\ppgmolvq.dll
2006-11-08 16:52 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-08 16:52 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-08 16:52 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-08 16:52 2,090 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-08 16:52 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-08 11:32 877,376 -r-hs---- C:\WINDOWS\isdejswA.exe
2006-11-07 22:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-11-07 19:22 60,436 --a------ C:\WINDOWS\system32\xqylophu.dll
2006-11-07 19:04 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-07 19:04 55,808 --a------ C:\WINDOWS\isdejsw.exe
2006-11-07 19:04 178,306 --a------ C:\WINDOWS\ac3_0008.exe
2006-11-07 19:04 1,259 --a------ C:\WINDOWS\system32\pfdcedb1.sys
2006-11-07 19:03 55,296 --a------ C:\WINDOWS\system32\msvcrl.dll
2006-11-07 19:03 397,312 --a------ C:\WINDOWS\cfg32p.dll
2006-11-07 19:03 3,584 --a------ C:\WINDOWS\system32\msasvc.exe
2006-11-07 19:03 28,672 --a------ C:\WINDOWS\system32\histuay.exe
2006-11-07 19:03 217,276 --a------ C:\WINDOWS\srvilrfq.exe
2006-11-07 19:03 204,800 --a------ C:\WINDOWS\system32\s9ndzm6.dll
2006-11-07 19:03 167,936 --a------ C:\WINDOWS\win32075281683054.exe
2006-11-07 18:58 60,436 --a------ C:\WINDOWS\system32\diffstnx.dll
2006-11-07 18:58 2 --a------ C:\WINDOWS\system32\wnscpsv.exe
2006-11-07 18:58 126,976 --a------ C:\WINDOWS\system32\urskww.dll
2006-11-07 18:58 110,612 --a------ C:\WINDOWS\system32\uhokgakj.exe
2006-11-07 18:52 59,392 --a------ C:\WINDOWS\system32\drvgac.dll
2006-11-07 18:52 40,973 ---hs---- C:\WINDOWS\system32\fccbaxv.dll
2006-10-30 14:31 53,248 -ra------ C:\WINDOWS\system32\mskbcoin.dll
2006-10-25 21:59 208,896 --a------ C:\WINDOWS\system32\nvuide.exe
2006-10-25 21:59 208,896 --a------ C:\WINDOWS\system32\nvugart.exe
2006-10-23 16:51 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2006-10-23 16:51 69,632 C:\WINDOWS\system32Copy of GkSui18.EXE
2006-10-22 12:22 888,832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-10-22 12:22 86,016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-22 12:22 794,624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-10-22 12:22 7,700,480 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 581,632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-10-22 12:22 5,644,288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-22 12:22 5,619,712 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-10-22 12:22 5,255,168 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-10-22 12:22 466,944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-10-22 12:22 458,752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-10-22 12:22 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 12:22 442,368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-10-22 12:22 425,984 --a------ C:\WINDOWS\system32\keystone.exe
2006-10-22 12:22 4,527,488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 35,840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-22 12:22 35,840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 311,296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-10-22 12:22 3,994,624 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-10-22 12:22 3,203,072 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-10-22 12:22 3,047,424 --a------ C:\WINDOWS\system32\nvgames.dll
2006-10-22 12:22 286,720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 12:22 229,376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-22 12:22 212,992 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 2,973,696 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 12:22 2,924,544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-10-22 12:22 2,859,008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 12:22 188,416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-10-22 12:22 159,810 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-22 12:22 147,456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-10-22 12:22 1,732,608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-10-22 12:22 1,662,976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 12:22 1,622,016 --a------ C:\WINDOWS\system32\nwiz.exe
2006-10-22 12:22 1,470,464 --a------ C:\WINDOWS\system32\nview.dll
2006-10-22 12:22 1,339,392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-10-22 12:22 1,236,992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-10-22 12:22 1,019,904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-10-22 12:22 1,011,712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-10-21 15:30 136,448 --a------ C:\WINDOWS\RMTOOLS.DLL
2006-10-10 00:43 45,056 --a------ C:\WINDOWS\system32\HSSICore.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-09 15:26 -------- d-------- C:\Program Files\Common Files
2006-11-09 15:23 -------- d-------- C:\Program Files\HijackThis
2006-11-08 23:15 -------- d-------- C:\Program Files\Steam
2006-11-08 09:25 -------- d-------- C:\Program Files\TryMedia
2006-11-08 09:22 -------- d-------- C:\Documents and Settings\Ryan\Application Data\IMVU
2006-11-07 22:27 -------- d-------- C:\Program Files\NVTweak
2006-11-07 19:19 -------- d-------- C:\Program Files\Common Files\qkrz
2006-11-07 19:06 32208 ---hs---- C:\Program Files\Common Files\Y1324OU.exe
2006-11-07 19:04 -------- d-------- C:\Program Files\PSCastor
2006-11-07 19:03 656 --a------ C:\WINDOWS\system32\sfc_os.dll
2006-11-07 19:03 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-07 19:03 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 19:03 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-07 19:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-07 18:58 -------- d-------- C:\Program Files\VSAdd-in
2006-11-07 18:58 -------- d-------- C:\Documents and Settings\Ryan\Application Data\SearchToolbarCorp
2006-11-07 02:37 -------- d-------- C:\Program Files\Yahoo! Games
2006-11-05 10:06 -------- d-------- C:\Program Files\MSN Messenger
2006-10-30 14:50 -------- d-------- C:\Program Files\Microsoft IntelliType Pro 5.5
2006-10-30 14:50 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-10-28 16:21 -------- d-------- C:\Program Files\Computer Alarm Clock
2006-10-26 21:40 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-26 21:37 -------- d-------- C:\Documents and Settings\Ryan\Application Data\Netscape
2006-10-26 21:36 -------- d-------- C:\Program Files\Folding@Home
2006-10-22 15:06 208896 --a------ C:\WINDOWS\system32\nvusmb.exe
2006-10-22 15:06 208896 --a------ C:\WINDOWS\system32\nvumctl.exe
2006-10-21 15:24 -------- d---s---- C:\Documents and Settings\Ryan\Application Data\Microsoft
2006-10-21 15:23 -------- d-------- C:\Program Files\Netscape
2006-09-20 21:00 -------- d-------- C:\Program Files\DivX
2006-09-18 12:11 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 12:11 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 12:11 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 12:11 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-17 08:13 -------- d-------- C:\Program Files\IMVU
2006-09-15 15:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-14 18:31 -------- d-------- C:\Program Files\AIM
2006-09-14 18:31 -------- d-------- C:\Documents and Settings\Ryan\Application Data\Aim
2006-09-14 18:30 -------- d-------- C:\Program Files\Viewpoint
2006-09-12 16:24 46345 --a------ C:\WINDOWS\NSSetDefaultBrowser.EXE
2006-08-14 19:54 99965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-08-14 19:14 737280 --a------ C:\WINDOWS\iun6002.exe
2006-08-14 18:54 0 -rahs---- C:\MSDOS.SYS
2006-08-14 18:54 0 -rahs---- C:\IO.SYS
2006-08-14 18:54 0 --a------ C:\CONFIG.SYS
2006-08-14 18:54 0 --a------ C:\AUTOEXEC.BAT
2006-08-14 12:54 62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini
2006-08-11 11:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-08-11 11:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 11:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-08-11 11:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-08-11 11:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 11:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 11:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-08-11 11:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 11:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-08-11 11:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-08-11 11:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-08-11 11:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-11 11:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 11:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"isdejswA"="C:\\WINDOWS\\isdejswA.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
"path"="C:\\Documents and Settings\\Ryan\\Start Menu\\Programs\\Startup\\Folding@Home 5.03.lnk"
"backup"="C:\\WINDOWS\\pss\\Folding@Home 5.03.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\FOLDIN~1\\winFAH.exe "
"item"="Folding@Home 5.03"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Computer Alarm Clock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cac"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMPUT~1\\cac.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvgac"
"hkey"="HKLM"
"command"="rundll32.exe C:\\WINDOWS\\system32\\drvgac.dll,startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dnbw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="javaw"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\CROSOF~1.NET\\javaw.exe\" -vt ndrv"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvsuy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hhhcxj"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\hhhcxj.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Internet Window Washer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Clearpch"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\FREEIN~1\\Clearpch.exe -Start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyltxh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hhhcxj"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hhhcxj.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKLM"
"command"="C:\\Program Files\\ipwins\\ipwins.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isdejswA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isdejswA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\isdejswA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="itype"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32 P17"
"hkey"="HKLM"
"command"="Rundll32 P17.dll,P17Helper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pfdcedb1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w2041a73.dll,n 006cedab000000032041a73"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSCastor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSCastor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSCastor\\PSCastor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qkrz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qkrzm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\qkrz\\qkrzm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_12\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIWatcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UIWatcher"
"hkey"="HKCU"
"command"="C:\\Program Files\\Ashampoo\\Ashampoo UnInstaller Platinum 2\\UIWatcher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vyn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="??ool32"
"hkey"="HKCU"
"command"="C:\\Program Files\\?ystem\\??ool32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32075281683054]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32075281683054"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win32075281683054.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast2KLoadDefault]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFoxV2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WF2K"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\WF2K.EXE Initial"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-09 15:29:01.26
C:\ComboFix.txt ... 06-11-09 15:29

Looks like the combofix found some nasty programs :thumbsup:

#10 rbharris

rbharris
  • Topic Starter

  • Members
  • 17 posts

Posted 09 November 2006 - 04:50 PM

and here's a new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:47:09 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\isdejsw.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\isdejswA.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11A8EFA8-EC8B-43D9-916D-2C287A68EC4A} - C:\Program Files\ComPlus Applications\medo.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {8F48D374-270F-4D56-86D8-774FC5E17E8F} - C:\WINDOWS\system32\efefd.dll (file missing)
O2 - BHO: (no name) - {D1641948-AB89-FC5A-DEDB-D728E77B30EC} - C:\WINDOWS\system32\urskww.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [isdejswA] C:\WINDOWS\isdejswA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\isdejsw.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 09 November 2006 - 05:30 PM

Hello there, we've definitely got some nasties to kill here.
Good luck, and see you on the other side! :thumbsup:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

DeluxeCommunications
IpWins
MediaTickets by OIN
TargetSaver
ToolBar888
Viewpoint Media Player
VSAdd-in for Internet Explorer
Web Nexus Network
Windows Overlay Components
Yazzle by OIN


Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {11A8EFA8-EC8B-43D9-916D-2C287A68EC4A} - C:\Program Files\ComPlus Applications\medo.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {8F48D374-270F-4D56-86D8-774FC5E17E8F} - C:\WINDOWS\system32\efefd.dll (file missing)
O2 - BHO: (no name) - {D1641948-AB89-FC5A-DEDB-D728E77B30EC} - C:\WINDOWS\system32\urskww.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [isdejswA] C:\WINDOWS\isdejswA.exe
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\isdejsw.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\ppgmolvq.dll
C:\WINDOWS\isdejswA.exe
C:\WINDOWS\system32\nvudisp.exe
C:\WINDOWS\system32\xqylophu.dll
C:\WINDOWS\win32075281683054.exe
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\isdejsw.exe
C:\WINDOWS\ac3_0008.exe
C:\WINDOWS\cfg32p.dll
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\histuay.exe
C:\WINDOWS\srvilrfq.exe
C:\WINDOWS\system32\s9ndzm6.dll
C:\WINDOWS\win32075281683054.exe
C:\WINDOWS\system32\diffstnx.dll
C:\WINDOWS\system32\wnscpsv.exe
C:\WINDOWS\system32\urskww.dll
C:\Program Files\Common Files\Y1324OU.exe
C:\WINDOWS\system32\uhokgakj.exe
C:\WINDOWS\system32\drvgac.dll
C:\WINDOWS\system32\fccbaxv.dll
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\system32\s9ndzm6.dll
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\iun6002.exe
C:\WINDOWS\isdejswA.exe
C:\WINDOWS\system32\w2041a73.dll
C:\WINDOWS\system32\hhhcxj.exe
C:\WINDOWS\system32\drvgac.dll


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if these appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please find and delete these folders:
C:\Program Files\Common Files\qkrz
C:\Program Files\PSCastor
C:\Program Files\ipwins
C:\Program Files\VSAdd-in

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dnbw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvsuy]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyltxh]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isdejswA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pfdcedb1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSCastor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qkrz]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vyn]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32075281683054]

Save this as "fix.reg", choose to save as "all files", and place it on your desktop.
It should look like this: [image]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Open notepad and copy and paste the following text in the quote box into the window:

sc stop MsaSvc
sc delete MsaSvc
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: [image]
Doubleclick fix.bat and let the program run.

Download the Rustock.b removal tool from the link below...and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.
Also post a new Combofix log.

David
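
A triage pass over a HijackThis log, added here as an example and not code from this thread or from HijackThis itself: it applies the tells David used when picking entries (nameless or missing-file BHOs, a text/html filter, services with no vendor, executables sitting directly in C:\WINDOWS) and then pulls in any other entry that loads the same file, which is how the VSAdd-in toolbar half and the Jkzlbfarb BHO end up on the list. The rules are an assumption about the helper's reasoning and produce a shortlist for a person to review, not a verdict on any file.

```python
"""Triage a HijackThis 1.99 log with the tells a helper applies by hand.

Added example, not code from this thread or from HijackThis. The rules are
an assumption modelled on the entries David checked; they yield a shortlist
for a person to review, never a verdict on a file.
"""
import re

# Constructed sample: a subset of the entries from post #10 of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11A8EFA8-EC8B-43D9-916D-2C287A68EC4A} - C:\Program Files\ComPlus Applications\medo.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {8F48D374-270F-4D56-86D8-774FC5E17E8F} - C:\WINDOWS\system32\efefd.dll (file missing)
O2 - BHO: (no name) - {D1641948-AB89-FC5A-DEDB-D728E77B30EC} - C:\WINDOWS\system32\urskww.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [isdejswA] C:\WINDOWS\isdejswA.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\isdejsw.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
"""

_PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe)", re.I)
# An .exe or .dll sitting directly in C:\WINDOWS rather than in a subfolder.
_WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.I)


def parse_entry(line):
    """Split 'O23 - Service: X - vendor - path' into (code, fields, path)."""
    code, _, rest = line.partition(" - ")
    fields = rest.split(" - ")
    match = _PATH_RE.search(rest)
    return code, fields, match.group(0) if match else None


def direct_reasons(code, fields, path):
    """Tells that apply to one entry on its own, independent of the rest."""
    reasons = []
    if code == "R0" and fields[-1].endswith("="):
        reasons.append("empty value")
    # O9 buttons are often nameless (the Java console), so only O2/O3 count.
    if code in ("O2", "O3") and "(no name)" in fields[0]:
        reasons.append("nameless browser add-on")
    if code == "O2" and fields[-1].endswith("(file missing)"):
        reasons.append("add-on registered for a missing file")
    if code == "O23" and len(fields) > 1 and fields[1] == "Unknown owner":
        reasons.append("service with no vendor")
    if code == "O18" and fields[0].startswith("Filter:"):
        reasons.append("MIME filter hooks page content")
    if code in ("O4", "O23") and path and _WINROOT_RE.match(path):
        reasons.append("executable directly in the Windows folder")
    return reasons


def triage(lines):
    """Return [(entry, reasons)] for entries worth a second look, in log order.

    A second pass adds every entry that loads the same file as a flagged one;
    that is how the VSAdd-in toolbar and the BHO behind the text/html filter
    join the list without matching a rule of their own.
    """
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        code, fields, path = parse_entry(line)
        key = path.lower() if path else None
        entries.append((line, key, direct_reasons(code, fields, path)))
    bad_files = {key for _, key, reasons in entries if reasons and key}
    result = []
    for line, key, reasons in entries:
        if not reasons and key in bad_files:
            reasons = ["same file as a flagged entry"]
        if reasons:
            result.append((line, reasons))
    return result


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG.splitlines()):
        print(entry[:60], "->", "; ".join(why))
```

On the sample above the shortlist is exactly the eleven entries David asked to have fixed, while the Acrobat BHO, the NVIDIA Run entries, the nameless Java O9 button and the O10 LSP line stay off it.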

#12 rbharris

rbharris
  • Topic Starter

  • Members
  • 17 posts

Posted 09 November 2006 - 06:16 PM

Excellent, here is the Avenger Log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kfchrshi

*******************

Script file located at: \??\C:\ivvfjvqh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

And the pelog:

************************* Rustock.b-fix -- By ejvindh *************************
Thu 11/09/2006 17:07:18.08


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69070
Total size: 69070 bytes.
Attempting to remove ADS...
system32: deleted 69070 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************



New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:14 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\HijackThis\showme.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

And now the ComboFix log

Logfile of HijackThis v1.99.1
Scan saved at 5:12:14 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\HijackThis\showme.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


Out of curiosity, how bad is my infection? I'm assuming not good.
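The removal log above shows where Rustock.b was hiding: its driver was stored as an alternate data stream (`:lzx32.sys`) attached to the System32 folder itself, which is why a file-by-file antivirus scan never saw it. As an added example that is not part of the thread or of the removal tool, the following PowerShell function enumerates named NTFS streams attached to directories so a responder can spot this kind of hiding place on a suspect machine; `Find-DirectoryStreams` and its parameter names are my own, and it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example, not from the thread: list alternate data streams attached to
# directories. Rustock.b stored its driver as the stream ':lzx32.sys' on
# C:\WINDOWS\system32, a location that file-oriented scanners overlook.
function Find-DirectoryStreams {
    param(
        # Root folder to examine; the folder itself is always checked.
        [string]$Root = "$env:SystemRoot\system32",
        # Also walk subfolders (slow on a whole volume, fine for System32).
        [switch]$Recurse
    )

    $dirs = @(Get-Item -LiteralPath $Root)
    if ($Recurse) {
        $dirs += Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue
    }

    foreach ($dir in $dirs) {
        # Get-Item -Stream * lists every named $DATA stream on the object.
        # A directory has no unnamed ':$DATA' stream of its own, so on a clean
        # folder this normally returns nothing at all.
        $streams = Get-Item -LiteralPath $dir.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }
            # Streams named like drivers or executables are the ones to pull
            # for analysis first; any other stream on a folder still deserves a look.
            $suspicious = $s.Stream -match '\.(sys|exe|dll|scr|com)$'
            [pscustomobject]@{
                Directory  = $dir.FullName
                Stream     = $s.Stream
                Bytes      = $s.Length
                Suspicious = $suspicious
            }
        }
    }
}

# Usage: report every directory stream under System32, suspicious names first.
Find-DirectoryStreams -Root "$env:SystemRoot\system32" -Recurse |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

The function only reports; once a stream is confirmed malicious it can be copied off for analysis with `Get-Content -Stream` and then deleted with `Remove-Item -Stream`, but the detection step is the part worth automating, because a kernel-mode rootkit that is still loaded may hide the stream again from the next scan.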

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:31 PM

Posted 10 November 2006 - 06:51 AM

It looks like you've posted a HJT log twice, instead of the ComboFix log.
Can you post a new ComboFix when you have a moment?
The infection was actually very bad, some of the worst we get here.
However, with the use of tools, HJT etc., we will be able to fix it up.

#14 rbharris

rbharris
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:31 PM

Posted 10 November 2006 - 11:51 AM

Sorry about that. Yeah, this is one of the worst cases I've gotten. Usually I would just do a reformat, but I was just getting my system where it should be. Here's the ComboFix.

Ryan - 06-11-10 10:46:24.85 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Ryan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\YSTEM~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\Program Files\YSTEM~1\??ool32.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))


2006-11-08 16:52 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-08 16:52 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-08 16:52 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-08 16:52 2,090 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-08 16:52 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-07 19:04 1,259 --a------ C:\WINDOWS\system32\pfdcedb1.sys
2006-11-07 19:03 55,296 --a------ C:\WINDOWS\system32\msvcrl.dll
2006-10-30 14:31 53,248 -ra------ C:\WINDOWS\system32\mskbcoin.dll
2006-10-25 21:59 208,896 --a------ C:\WINDOWS\system32\nvuide.exe
2006-10-25 21:59 208,896 --a------ C:\WINDOWS\system32\nvugart.exe
2006-10-23 16:51 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE
2006-10-23 16:51 69,632 C:\WINDOWS\system32Copy of GkSui18.EXE
2006-10-22 12:22 888,832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-10-22 12:22 86,016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-22 12:22 794,624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-10-22 12:22 7,700,480 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 581,632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-10-22 12:22 5,644,288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-22 12:22 5,619,712 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-10-22 12:22 5,255,168 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-10-22 12:22 466,944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-10-22 12:22 458,752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-10-22 12:22 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 12:22 442,368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-10-22 12:22 425,984 --a------ C:\WINDOWS\system32\keystone.exe
2006-10-22 12:22 4,527,488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 35,840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-22 12:22 35,840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 311,296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-10-22 12:22 3,994,624 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-10-22 12:22 3,203,072 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-10-22 12:22 3,047,424 --a------ C:\WINDOWS\system32\nvgames.dll
2006-10-22 12:22 286,720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 12:22 229,376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-22 12:22 212,992 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 2,973,696 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 12:22 2,924,544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-10-22 12:22 2,859,008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 12:22 188,416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-10-22 12:22 159,810 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-22 12:22 147,456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-10-22 12:22 1,732,608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-10-22 12:22 1,662,976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 12:22 1,622,016 --a------ C:\WINDOWS\system32\nwiz.exe
2006-10-22 12:22 1,470,464 --a------ C:\WINDOWS\system32\nview.dll
2006-10-22 12:22 1,339,392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-10-22 12:22 1,236,992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-10-22 12:22 1,019,904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-10-22 12:22 1,011,712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-10-21 15:30 136,448 --a------ C:\WINDOWS\RMTOOLS.DLL
2006-10-10 00:43 45,056 --a------ C:\WINDOWS\system32\HSSICore.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-09 17:12 -------- d-------- C:\Program Files\HijackThis
2006-11-09 17:03 -------- d-------- C:\Program Files\Common Files
2006-11-09 16:23 -------- d-------- C:\Program Files\GlobFX Technologies
2006-11-08 23:15 -------- d-------- C:\Program Files\Steam
2006-11-08 09:25 -------- d-------- C:\Program Files\TryMedia
2006-11-08 09:22 -------- d-------- C:\Documents and Settings\Ryan\Application Data\IMVU
2006-11-07 22:27 -------- d-------- C:\Program Files\NVTweak
2006-11-07 19:03 656 --a------ C:\WINDOWS\system32\sfc_os.dll
2006-11-07 19:03 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-11-07 19:03 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 19:03 -------- d-------- C:\Program Files\ComPlus Applications
2006-11-07 19:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-07 18:58 -------- d-------- C:\Documents and Settings\Ryan\Application Data\SearchToolbarCorp
2006-11-07 02:37 -------- d-------- C:\Program Files\Yahoo! Games
2006-11-05 10:06 -------- d-------- C:\Program Files\MSN Messenger
2006-10-30 14:50 -------- d-------- C:\Program Files\Microsoft IntelliType Pro 5.5
2006-10-30 14:50 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-10-28 16:21 -------- d-------- C:\Program Files\Computer Alarm Clock
2006-10-26 21:40 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-26 21:37 -------- d-------- C:\Documents and Settings\Ryan\Application Data\Netscape
2006-10-26 21:36 -------- d-------- C:\Program Files\Folding@Home
2006-10-22 15:06 208896 --a------ C:\WINDOWS\system32\nvusmb.exe
2006-10-22 15:06 208896 --a------ C:\WINDOWS\system32\nvumctl.exe
2006-10-21 15:24 -------- d---s---- C:\Documents and Settings\Ryan\Application Data\Microsoft
2006-10-21 15:23 -------- d-------- C:\Program Files\Netscape
2006-09-20 21:00 -------- d-------- C:\Program Files\DivX
2006-09-18 12:11 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 12:11 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 12:11 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 12:11 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-17 08:13 -------- d-------- C:\Program Files\IMVU
2006-09-14 18:31 -------- d-------- C:\Program Files\AIM
2006-09-14 18:31 -------- d-------- C:\Documents and Settings\Ryan\Application Data\Aim
2006-09-12 16:24 46345 --a------ C:\WINDOWS\NSSetDefaultBrowser.EXE
2006-08-14 19:54 99965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-08-14 18:54 0 -rahs---- C:\MSDOS.SYS
2006-08-14 18:54 0 -rahs---- C:\IO.SYS
2006-08-14 18:54 0 --a------ C:\CONFIG.SYS
2006-08-14 18:54 0 --a------ C:\AUTOEXEC.BAT
2006-08-14 12:54 62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini
2006-08-11 11:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-08-11 11:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 11:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-08-11 11:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-08-11 11:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 11:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 11:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-08-11 11:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 11:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-08-11 11:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-08-11 11:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-08-11 11:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-11 11:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 11:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
"path"="C:\\Documents and Settings\\Ryan\\Start Menu\\Programs\\Startup\\Folding@Home 5.03.lnk"
"backup"="C:\\WINDOWS\\pss\\Folding@Home 5.03.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\FOLDIN~1\\winFAH.exe "
"item"="Folding@Home 5.03"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Computer Alarm Clock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cac"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMPUT~1\\cac.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Internet Window Washer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Clearpch"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\FREEIN~1\\Clearpch.exe -Start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="itype"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32 P17"
"hkey"="HKLM"
"command"="Rundll32 P17.dll,P17Helper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_12\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIWatcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UIWatcher"
"hkey"="HKCU"
"command"="C:\\Program Files\\Ashampoo\\Ashampoo UnInstaller Platinum 2\\UIWatcher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast2KLoadDefault]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFoxV2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WF2K"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\WF2K.EXE Initial"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-10 10:46:55.82
C:\ComboFix.txt ... 06-11-10 10:46
C:\ComboFix2.txt ... 06-11-09 17:13
C:\ComboFix3.txt ... 06-11-09 15:29

#15 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:31 PM

Posted 12 November 2006 - 03:55 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download LSPfix and save it to the Desktop and unzip it.
Run LSPfix and place a check against the I know what I am doing checkbox.
Highlight every instance of newdotnet6_38.dll and move it from the Keep to the Remove panel, if not already there.
Be sure to move nothing other than the files listed below; because otherwise you will lose your internet connection!
When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!
Reboot.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

David
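The O10 line in the HijackThis log ("Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing") is the condition the LSPfix step above repairs: a Winsock Layered Service Provider is still registered in the catalog but its DLL has been deleted, so every socket call fails and the machine loses internet access. As an added example that is not from the thread or from LSPfix, this PowerShell function parses the built-in `netsh winsock show catalog` output and reports catalog entries whose provider DLL no longer exists on disk; `Get-BrokenWinsockProviders` is my own name, and the sample catalog text at the bottom is constructed to mirror the thread's O10 entry, including an invented "New.Net LSP" description. On Windows XP SP2 and later the built-in repair for this state is `netsh winsock reset` from an administrator prompt, which rebuilds the catalog to its defaults.

```powershell
# Added example, not from the thread: find Winsock catalog entries (LSPs and
# namespace providers) whose provider DLL is missing, the condition HijackThis
# reports as an O10 'Broken Internet access' line.
function Get-BrokenWinsockProviders {
    param(
        # Catalog text to parse; defaults to the live netsh output so the
        # function can also be pointed at a saved dump from another machine.
        [string[]]$CatalogText = (netsh winsock show catalog)
    )

    $description = $null
    foreach ($line in $CatalogText) {
        # Each entry prints a 'Description:' line followed later by 'Provider Path:'.
        if ($line -match '^\s*Description:\s*(.+?)\s*$') {
            $description = $Matches[1]
        }
        elseif ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            # Paths are stored with %SystemRoot%-style variables; expand before testing.
            $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
            # Unqualified names (e.g. 'mswsock.dll') resolve through the system directory.
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path "$env:SystemRoot\system32" $path
            }
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                [pscustomobject]@{
                    Description = $description
                    ProviderDll = $path
                    Status      = 'MISSING'
                }
            }
        }
    }
}

# Usage 1: check the live catalog; an empty result means every registered
# provider DLL is present.
Get-BrokenWinsockProviders | Format-Table -AutoSize

# Usage 2: constructed sample (not real netsh output from the thread's machine)
# that reproduces the O10 condition with the DLL path HijackThis reported.
$sample = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        New.Net LSP
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      c:\program files\newdotnet\newdotnet6_38.dll
Catalog Entry ID:                   1001
'@ -split '\r?\n'
Get-BrokenWinsockProviders -CatalogText $sample | Format-Table -AutoSize
```

The parser only reads the catalog; it never edits it. Removing the broken entry is what LSPfix (or `netsh winsock reset`) does, and the reason the instructions insist on touching nothing but the listed DLL is that the remaining entries are chained: pulling a legitimate provider out of the chain produces exactly the same broken-internet symptom the fix is meant to cure.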



