
Hijack This Help


27 replies to this topic

#1 TheComputerNoob

TheComputerNoob

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 29 June 2007 - 09:03 PM

Well, I am fairly new to HijackThis and cannot really tell which is good and which is bad. Is it possible for someone to view my log and see if there is anything wrong, and what can fix it? Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:02:44 PM, on 6/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\LEXPPS.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Ares\Ares.exe
C:\windows\System32\ttscchoi.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Rongavilla\Desktop\HijackThis.exe

O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\windows\System32\evticppx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {967AA597-278A-4297-AB47-D97C7F574418} - C:\windows\System32\vturq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PC Tilecomnu] Tilecomnu.com
O4 - HKLM\..\RunServices: [Internet Security Service] msq23.exe
O4 - HKLM\..\RunServices: [NvCp1Do] C:\gs.exe
O4 - HKLM\..\RunServices: [NvCp1De] c:\windows\sass.exe
O4 - HKLM\..\RunServices: [NvCp1Da] d:\windows\sass.exe
O4 - HKLM\..\RunServices: [Rund] "c:\Program Files\sass.exe"
O4 - HKLM\..\RunServices: [Msnsgrst.exe] d:\Program Files\sass.exe
O4 - HKLM\..\RunServices: [Msnsgry.exe] d:\sass.exe
O4 - HKLM\..\RunServices: [Internet Security Servicexs] msqI23.exe
O4 - HKLM\..\RunServices: [Edzy AntiVirus] xuovqw.exe
O4 - HKLM\..\RunServices: [PC Tilecomnu] Tilecomnu.com
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\windows\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\windows\web\related.htm
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: DomainService - - C:\windows\System32\ttscchoi.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Windows Management Service (wms) - Unknown owner - C:\WINDOWS\System32\wms.exe (file missing)
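The log above is the kind of thing the helpers in this thread read by eye. As an added example (editor's code, not part of this thread and not HijackThis's own), here is a small Python triage script that applies a few analyst heuristics to a handful of O2/O4/O23 lines copied from the log above: entries under the Windows 9x-era RunServices key, bare filenames with no directory, executables sitting in a drive root or directly in Program Files, orphaned entries whose file is missing, and services with no vendor string. The heuristics and their wording are my assumptions; the script produces a list of lines for a person to review, not verdicts.

```python
import re
from typing import Dict, List

# A handful of lines copied from the HijackThis log posted above (paths as written there).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {967AA597-278A-4297-AB47-D97C7F574418} - C:\windows\System32\vturq.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [Internet Security Service] msq23.exe
O4 - HKLM\..\RunServices: [NvCp1Do] C:\gs.exe
O4 - HKLM\..\RunServices: [Rund] "c:\Program Files\sass.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O23 - Service: DomainService - - C:\windows\System32\ttscchoi.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Management Service (wms) - Unknown owner - C:\WINDOWS\System32\wms.exe (file missing)
"""

# Line shapes for the three HijackThis sections examined here (as seen in the log above).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>.+)$')


def exe_from_command(cmd: str) -> str:
    """Pull the program path out of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def path_flags(path: str) -> List[str]:
    """Heuristics (my assumptions) about where an autostart or service target lives."""
    reasons: List[str] = []
    p = path.strip()
    if p.endswith("(file missing)"):
        reasons.append("target file is missing (orphaned entry left behind by a removal)")
        p = p[: -len("(file missing)")].strip()
    if "\\" not in p:
        reasons.append("bare filename with no directory (resolved through the search path)")
        return reasons
    parent = p.rsplit("\\", 1)[0]
    if re.fullmatch(r"[A-Za-z]:", parent):
        reasons.append("executable sits in a drive root")
    elif re.fullmatch(r"[A-Za-z]:\\program files", parent, re.IGNORECASE):
        reasons.append("executable sits directly in Program Files rather than in a product folder")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the log lines worth a closer look, each with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons: List[str] = []
        if (m := O4_RE.match(line)):
            if m.group("key").lower() == "runservices":
                reasons.append("RunServices is a Windows 9x-era autostart key that XP does not "
                               "process; legitimate XP software has no reason to write to it")
            reasons += path_flags(exe_from_command(m.group("cmd")))
        elif (m := O23_RE.match(line)):
            owner = m.group("owner").strip()
            if not owner or owner.lower() == "unknown owner":
                reasons.append("service carries no vendor name")
            reasons += path_flags(m.group("path"))
        elif (m := O2_RE.match(line)):
            reasons += path_flags(m.group("path"))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    -", reason)
```

Running it lists six of the ten sample lines: the missing vturq.dll BHO, the three RunServices entries, the service with an empty vendor field, and the missing wms.exe service; the NOD32, Spybot and Ares entries pass. The rules are deliberately blunt: a legitimate line such as the page's `"RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize` would trip the bare-filename rule, and names such as NvCp1Do that visually resemble the genuine NvCplDaemon entry are not detected at all, which is why the output is a review list rather than a cleanup list.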


#2 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 29 June 2007 - 11:13 PM

Can someone please help me?

#3 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 AM

Posted 30 June 2007 - 04:14 AM

You have a number of infections, including this:

http://www.sophos.com/security/analyses/w32rbotgql.html

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

#4 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 08 July 2007 - 04:25 PM

Well, I have been away for a week, and I have been redirected to my previous topic (this) by another site.

After reading your post, it seems like my computer is in extreme danger. . . and I would like to know how I can reformat my computer AND reinstall the OS. Unfortunately, I do not have any resources to help reinstall my computer.

I would gladly appreciate your help on fixing my computer.


Also, banking has been used on my computer, but there hasn't been anything going wrong. Why?

Thanks

#5 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 AM

Posted 09 July 2007 - 12:43 PM

After reading your post, it seems like my computer is in extreme danger. . . and I would like to know how I can reformat my computer AND reinstall the OS.


Since you say you don't have the resources to reinstall your computer, you can't.

Also, on my computer, banking has been used on my computer, but there hasn't been anything going wrong. Why?


There are a variety of scenarios I can think of:
  • Your PC is being used for something else, e.g. attacking websites, sending out spam e-mail
  • They haven't got around to stealing your banking details yet

To start cleaning:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum
Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#6 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 09 July 2007 - 01:52 PM

SDFix: Version 1.90

Run by Rongavilla on Mon 07/09/2007 at 01:45 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
EnGenius Network Analysis Tool

ImagePath:
"C:\WINDOWS\System32\dllcache\winegne.exe"

EnGenius Network Analysis Tool - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\windows\system32\.exe - Deleted
C:\WINDOWS\SYSTEM32\ERASEM~1.EXE - Deleted
C:\windows\system32\eraseme_61628.exe - Deleted
C:\windows\system32\.exe - Deleted
C:\windows\system32\i - Deleted
C:\windows\system32\Sysctrls.exe - Deleted
C:\windows\Temp\removalfile.bat - Deleted



Removing Temp Files...

ADS Check:

C:\windows
No streams found.

C:\windows\system32
No streams found.

C:\windows\system32\svchost.exe
No streams found.

C:\windows\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\windows\\System32\\ttscchoi.exe"="C:\\windows\\System32\\tts"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\DssEvolution.com\KeyRipper\Setup.exe
C:\Program Files\DssEvolution.com\KeyRipper\Setup.ini
C:\gs.exe
C:\ntldx.exe
C:\Program Files\sass.exe
C:\Program Files\DssEvolution.com\KeyRipper\Setup.exe
C:\WINDOWS\sass.exe
C:\WINDOWS\system32\firewall.exe~
C:\WINDOWS\system32\drivers\NetMotCM.sys

Finished

#7 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 09 July 2007 - 02:00 PM

My ComboFix Log :

"Rongavilla" - 2007-07-09 13:54:04 - ComboFix 07-07-09.3


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\windows\system32\evticppx.dll
C:\windows\system32\jgwyecca.dll
C:\windows\system32\orvxvoty.dll
C:\windows\system32\ytryhbcq.dll
C:\WINDOWS\system32\acceywgj.ini
C:\WINDOWS\system32\qcbhyrty.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\RONGAV~1\Desktop\internet.lnk
C:\windows\system32\aipkwfor.exe
C:\windows\system32\ajiolbyb.exe
C:\windows\system32\beaxjruc.exe
C:\windows\system32\btwujrce.exe
C:\windows\system32\cxwfeqgy.exe
C:\windows\system32\dhgudjam.exe
C:\windows\system32\enuonudk.exe
C:\windows\system32\fbqoudtg.exe
C:\windows\system32\gxmqtthn.exe
C:\windows\system32\huurganp.exe
C:\windows\system32\lrfqaywu.exe
C:\windows\system32\ltgkjfgt.exe
C:\windows\system32\mgcptnke.exe
C:\windows\system32\plsdbsnc.exe
C:\windows\system32\rejjidvt.exe
C:\windows\system32\vjefpoqb.exe
C:\windows\system32\yggtkgfb.exe
C:\windows\system32\yrgisoef.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))


2007-07-09 13:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-09 13:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-08 22:45 <DIR> d-------- C:\Program Files\InCode Solutions
2007-07-08 15:55 <DIR> d-------- C:\Program Files\DssEvolution.com
2007-07-07 22:40 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-07 22:40 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-07 22:40 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-07 22:40 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-07 22:40 <DIR> d-------- C:\Program Files\DivX
2007-07-02 12:41 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 12:41 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 12:41 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 12:41 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 12:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 12:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 12:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 12:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 12:37 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 12:37 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 12:37 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 12:37 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 12:37 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 12:37 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 12:37 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 12:37 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 12:36 124,472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 12:36 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-28 16:04 <DIR> d-------- C:\DOCUME~1\RONGAV~1\APPLIC~1\ArcSoft
2007-06-28 16:01 212,480 --a------ C:\WINDOWS\pcdlib32.dll
2007-06-28 16:01 <DIR> d-------- C:\Program Files\ArcSoft
2007-06-28 14:56 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-06-28 14:56 <DIR> d-------- C:\Program Files\Canon
2007-06-27 20:13 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-27 20:11 <DIR> d-------- C:\DOCUME~1\RONGAV~1\WINDOWS
2007-06-27 20:10 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-06-27 20:10 <DIR> d-------- C:\WUTemp
2007-06-27 13:10 27 --a------ C:\WINDOWS\tamer.bat
2007-06-27 12:08 95,232 --a------ C:\WINDOWS\system32\KMcafe.exe
2007-06-26 22:29 <DIR> d-------- C:\DOCUME~1\RONGAV~1\APPLIC~1\GetRightToGo
2007-06-26 22:24 266,336 --a------ C:\WINDOWS\system32\pmnlj.dll.vir
2007-06-26 22:12 <DIR> d-------- C:\VundoFix Backups
2007-06-26 19:01 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-26 19:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-06-26 19:00 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-06-26 18:58 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-26 18:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-26 18:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-26 17:51 <DIR> d-------- C:\DOCUME~1\RONGAV~1\APPLIC~1\Uniblue
2007-06-26 17:36 929,905 --a------ C:\WINDOWS\system32\ytovxvro.ini.ren
2007-06-26 16:42 1,461,639 --ahs---- C:\WINDOWS\system32\qrutv.ini2.ren
2007-06-26 16:42 1,461,575 --a------ C:\WINDOWS\system32\qrutv.ini.ren
2007-06-26 12:19 57,856 --a------ C:\WINDOWS\system32\urdvxc.exe.ren
2007-06-25 20:38 662 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-23 14:06 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-22 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-22 13:58 4,672 --a------ C:\WINDOWS\system32\senktyef.exe
2007-06-22 12:21 163,840 ---hs---- C:\WINDOWS\sass.exe
2007-06-22 12:21 163,840 ---hs---- C:\Program Files\sass.exe
2007-06-22 12:21 163,840 ---hs---- C:\ntldx.exe
2007-06-22 12:21 163,840 ---hs---- C:\gs.exe
2007-06-21 16:38 <DIR> d-------- C:\Program Files\Ares
2007-06-20 14:05 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-19 09:42 1,460,872 --a------ C:\WINDOWS\system32\qrutv.bak2.ren
2007-06-18 16:54 1,181,280 --a------ C:\WINDOWS\system32\qrutv.bak1.ren
2007-06-18 15:48 31,254 --a------ C:\WINDOWS\system32\mljhhhg.dll.vir
2007-06-17 16:09 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-17 16:07 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-06-17 16:07 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-06-17 16:07 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-06-17 15:55 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-06-17 15:55 35,679 --a------ C:\WINDOWS\DIIUnin.dat
2007-06-17 15:55 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-06-17 15:50 <DIR> d-------- C:\Program Files\Diablo II
2007-06-16 12:31 3,933 --a------ C:\WINDOWS\url32.exe
2007-06-15 20:30 <DIR> d-------- C:\DOCUME~1\RONGAV~1\APPLIC~1\WinRAR
2007-06-15 20:29 <DIR> d--hs---- C:\RECYCLER
2007-06-13 20:38 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-06-13 20:38 146,944 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-06-13 20:38 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-13 14:44 40,960 --a------ C:\WINDOWS\uneng.exe
2007-06-13 14:43 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2007-06-13 14:43 <DIR> d-------- C:\Program Files\Adaptec
2007-06-12 19:33 <DIR> d---s---- C:\DOCUME~1\RONGAV~1\UserData
2007-06-12 18:31 94,208 -ra------ C:\WINDOWS\system32\nvrspt.dll
2007-06-12 18:31 90,112 -ra------ C:\WINDOWS\system32\nvrstr.dll
2007-06-12 18:31 90,112 -ra------ C:\WINDOWS\system32\nvrssl.dll
2007-06-12 18:31 90,112 -ra------ C:\WINDOWS\system32\nvrssk.dll
2007-06-12 18:31 90,112 -ra------ C:\WINDOWS\system32\nvrspl.dll
2007-06-12 18:31 90,112 -ra------ C:\WINDOWS\system32\nvrshu.dll
2007-06-12 18:31 86,016 -ra------ C:\WINDOWS\system32\nvrsja.dll
2007-06-12 18:31 81,920 -ra------ C:\WINDOWS\system32\nvrsko.dll
2007-06-12 18:31 81,920 -ra------ C:\WINDOWS\system32\nvrshe.dll
2007-06-12 18:31 73,728 -ra------ C:\WINDOWS\system32\nvrszht.dll
2007-06-12 18:31 61,440 -ra------ C:\WINDOWS\system32\nvrszhc.dll
2007-06-12 18:31 114,688 -ra------ C:\WINDOWS\system32\nvrsptb.dll
2007-06-12 18:31 114,688 -ra------ C:\WINDOWS\system32\nvrsnl.dll
2007-06-12 18:31 114,688 -ra------ C:\WINDOWS\system32\nvrsit.dll
2007-06-12 18:31 114,688 -ra------ C:\WINDOWS\system32\nvrsfr.dll
2007-06-12 18:31 114,688 -ra------ C:\WINDOWS\system32\nvrses.dll
2007-06-12 18:31 110,592 -ra------ C:\WINDOWS\system32\nvrsru.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 19:41:11 2,560 ------w C:\windows\system32\drivers\cdralw2k.sys
2007-07-02 19:41:10 2,432 ------w C:\windows\system32\drivers\cdr4_xp.sys
2007-06-16 21:28:16 66,048 ----a-w C:\windows\system32\notepad.exe
2007-06-16 19:42:02 118,784 ----a-w C:\windows\system32\wscript.exe
2007-06-16 19:41:47 1,135,616 ----a-w C:\windows\system32\ntbackup.exe
2007-06-16 19:41:43 63,488 ----a-w C:\windows\system32\msiexec.exe
2007-06-16 19:41:43 24,064 ----a-w C:\windows\system32\mshta.exe
2007-06-16 19:41:40 8,192 ----a-w C:\windows\system32\lpr.exe
2007-06-16 19:41:40 6,144 ----a-w C:\windows\system32\lpq.exe
2007-06-16 19:41:40 55,296 ----a-w C:\windows\system32\logman.exe
2007-06-16 19:41:40 504,320 ----a-w C:\windows\system32\logonui.exe
2007-06-16 19:41:40 219,648 ----a-w C:\windows\system32\logon.scr
2007-06-16 19:41:39 9,728 ----a-w C:\windows\system32\label.exe
2007-06-16 19:41:39 68,096 ----a-w C:\windows\system32\locator.exe
2007-06-16 19:41:39 5,120 ----a-w C:\windows\system32\lodctr.exe
2007-06-16 19:41:39 29,696 ----a-w C:\windows\system32\lights.exe
2007-06-16 19:41:39 25,088 ----a-w C:\windows\system32\lnkstub.exe
2007-06-16 19:41:39 24,576 ----a-w C:\windows\system32\logagent.exe
2007-06-16 19:41:37 58,368 ----a-w C:\windows\system32\ipv6.exe
2007-06-16 19:41:37 44,032 ----a-w C:\windows\system32\ipsec6.exe
2007-06-16 19:41:37 22,016 ----a-w C:\windows\system32\ipxroute.exe
2007-06-16 19:41:36 49,664 ----a-w C:\windows\system32\ipconfig.exe
2007-06-16 19:41:36 192,512 ----a-w C:\windows\system32\ImapiRox.exe
2007-06-16 19:41:35 99,840 ----a-w C:\windows\system32\iexpress.exe
2007-06-16 19:41:35 118,784 ----a-w C:\windows\system32\imapi.exe
2007-06-16 19:41:34 7,680 ----a-w C:\windows\system32\hostname.exe
2007-06-16 19:41:34 57,344 ----a-w C:\windows\system32\gpupdate.exe
2007-06-16 19:41:34 37,888 ----a-w C:\windows\system32\grpconv.exe
2007-06-16 19:41:34 14,848 ----a-w C:\windows\system32\help.exe
2007-06-16 19:41:34 111,616 ----a-w C:\windows\system32\gpresult.exe
2007-06-16 19:41:33 55,296 ----a-w C:\windows\system32\getmac.exe
2007-06-16 19:41:33 40,448 ----a-w C:\windows\system32\ftp.exe
2007-06-16 19:41:12 4,096 ----a-w C:\windows\system32\actmovie.exe
2007-06-16 19:38:19 134,144 ----a-w C:\windows\regedit.exe
2007-06-13 21:44:14 45,056 ----a-w C:\windows\system32\cdrtc.dll
2007-06-13 21:44:14 45,056 ----a-w C:\windows\system32\cdral.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{967AA597-278A-4297-AB47-D97C7F574418}]
C:\windows\System32\vturq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-12 18:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"NvCp1Do"=C:\gs.exe
"NvCp1De"=c:\windows\sass.exe
"NvCp1Da"=d:\windows\sass.exe
"Rund"="c:\Program Files\sass.exe"
"Msnsgrst.exe"=d:\Program Files\sass.exe
"Msnsgry.exe"=d:\sass.exe
"Internet Security Servicexs"=msqI23.exe
"PC Tilecomnu"=Tilecomnu.com

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Network Security"=C:\windows\System32\NSecurity.exe
"Windows Service Network"=biqpkoaijmk.exe
"WindowsXp Security"=C:\windows\System32\spool.exe
"Internet Security Service"=msq23.exe
"Nex"=C:\windows\System32\nex.exe
"Internet Security Servicexs"=msqI23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
NvCp1Do C:\gs.exe
NvCp1De c:\windows\sass.exe
NvCp1Da d:\windows\sass.exe
Rund c:\Program Files\sass.exe
Msnsgrst.exe d:\Program Files\sass.exe
Msnsgry.exe d:\sass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Edzy AntiVirus]
xuovqw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\windows\System32\kgvfkffc.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\windows\System32\jgwyecca.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Service]
msq23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Servicexs]
msqI23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\windows\System32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msnsgrst.exe]
d:\Program Files\sass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msnsgry.exe]
d:\sass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security]
C:\windows\System32\NSecurity.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nex]
C:\windows\System32\nex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCp1Da]
d:\windows\sass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCp1De]
c:\windows\sass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCp1Do]
C:\gs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Tilecomnu]
Tilecomnu.com

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoveIT Pro XT]
C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rund]
c:\Program Files\sass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Update]
C:\windows\System32\alggg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (sslms.exe)]
rundll32.exe C:\windows\System32\sslms.exe,start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Network Firewall]
C:\WINDOWS\System32\firewall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Network]
vwqecsmpogp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsXp Security]
C:\windows\System32\spool.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
rundll32 iesetup.dll,IEAccessUserInst

Contents of the 'Scheduled Tasks' folder
2007-06-27 01:47:21 C:\windows\tasks\Uniblue SpyEraser Nag.job
2007-06-27 01:47:17 C:\windows\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 13:57:00
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-09 13:57:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-09 13:57

--- E O F ---




My HiJackThis Log :

Logfile of HijackThis v1.99.1
Scan saved at 1:58:38 PM, on 7/9/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\LEXPPS.EXE
C:\Program Files\Eset\nod32kui.exe
C:\windows\system32\notepad.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Documents and Settings\Rongavilla\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {967AA597-278A-4297-AB47-D97C7F574418} - C:\windows\System32\vturq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [NvCp1Do] C:\gs.exe
O4 - HKLM\..\RunServices: [NvCp1De] c:\windows\sass.exe
O4 - HKLM\..\RunServices: [NvCp1Da] d:\windows\sass.exe
O4 - HKLM\..\RunServices: [Rund] "c:\Program Files\sass.exe"
O4 - HKLM\..\RunServices: [Msnsgrst.exe] d:\Program Files\sass.exe
O4 - HKLM\..\RunServices: [Msnsgry.exe] d:\sass.exe
O4 - HKLM\..\RunServices: [Internet Security Servicexs] msqI23.exe
O4 - HKLM\..\RunServices: [PC Tilecomnu] Tilecomnu.com
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Windows Management Service (wms) - Unknown owner - C:\WINDOWS\System32\wms.exe (file missing)

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 AM

Posted 10 July 2007 - 02:09 PM

You are currently using an unpatched version of Microsoft XP. It is CRITICAL that you update to Service Pack 1.
Please visit this link:
Microsoft Service Pack 1

and install Service Pack 1. If you run into troubles, please post them here.

IMPORTANT: DO NOT update to Service Pack 2. Doing so before your computer is clean can cause Windows to become unstable.
We will update to SP2 when you are clean.



Please post back with a HJT log and your computer running with Service pack 1, or with any problems you are having updating.

#9 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 10 July 2007 - 03:08 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:04:57 PM, on 7/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\LEXPPS.EXE
C:\windows\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Ares\Ares.exe
C:\Documents and Settings\Rongavilla\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {967AA597-278A-4297-AB47-D97C7F574418} - C:\windows\System32\vturq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [NvCp1Do] C:\gs.exe
O4 - HKLM\..\RunServices: [NvCp1De] c:\windows\sass.exe
O4 - HKLM\..\RunServices: [NvCp1Da] d:\windows\sass.exe
O4 - HKLM\..\RunServices: [Rund] "c:\Program Files\sass.exe"
O4 - HKLM\..\RunServices: [Msnsgrst.exe] d:\Program Files\sass.exe
O4 - HKLM\..\RunServices: [Msnsgry.exe] d:\sass.exe
O4 - HKLM\..\RunServices: [Internet Security Servicexs] msqI23.exe
O4 - HKLM\..\RunServices: [PC Tilecomnu] Tilecomnu.com
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Windows Management Service (wms) - Unknown owner - C:\WINDOWS\System32\wms.exe (file missing)

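Added example (editor's code, not part of the thread and not HijackThis's own logic): a small triage pass over the O2, O4 and O23 lines of a log like the one above. Every rule is an assumption about what looks wrong on this kind of machine (C: assumed to be the system drive; RunServices treated as a Win9x-era key that NT-family Windows does not process; a bare filename, a non-system drive, a binary in the drive root, a missing file, an unknown owner, or a security-product-sounding name each count as a reason to look closer). It flags entries for review; it does not decide they are malicious. The sample lines are copied from the posted log, with benign NOD32 and Java entries added for contrast.

```python
"""Triage the O2 (BHO), O4 (autorun) and O23 (service) lines of a HijackThis 1.99
log with a handful of explainable rules.  Editor's example, not HijackThis code; the
rules are assumptions about what looks wrong on this machine, not a verdict."""
import re
from dataclasses import dataclass

SYSTEM_DRIVE = "C:"  # assumption: the machine in the thread boots from C:

# Constructed sample: entries copied from the log above, plus benign ones for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {967AA597-278A-4297-AB47-D97C7F574418} - C:\windows\System32\vturq.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [NvCp1Do] C:\gs.exe
O4 - HKLM\..\RunServices: [NvCp1Da] d:\windows\sass.exe
O4 - HKLM\..\RunServices: [Rund] "c:\Program Files\sass.exe"
O4 - HKLM\..\RunServices: [Internet Security Servicexs] msqI23.exe
O4 - HKLM\..\RunServices: [PC Tilecomnu] Tilecomnu.com
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Management Service (wms) - Unknown owner - C:\WINDOWS\System32\wms.exe (file missing)
"""


@dataclass
class Entry:
    section: str   # O2, O4 or O23
    name: str      # BHO name, autorun value name or service short name
    location: str  # CLSID, registry run key, or "service"
    owner: str     # company from the file version info (O23 only)
    target: str    # path or bare filename that gets loaded
    missing: bool  # HijackThis appended "(file missing)"


O4_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O23_RE = re.compile(r"^Service: .*? \((\w+)\) - (.*?) - (.*)$")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|dll|bat|scr|pif))"?', re.IGNORECASE)


def _target(cmd):
    """Pull the executable or DLL out of a command line, quoted or bare."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().split(" ")[0]


def parse_line(line):
    """Turn one O2/O4/O23 line into an Entry; any other line gives None."""
    missing = "(file missing)" in line
    sec, _, body = line.replace("(file missing)", "").strip().partition(" - ")
    if sec == "O4" and (m := O4_RE.match(body)):
        return Entry("O4", m.group(2), m.group(1), "", _target(m.group(3)), missing)
    if sec == "O2" and (m := O2_RE.match(body)):
        return Entry("O2", m.group(1), m.group(2), "", m.group(3).strip(), missing)
    if sec == "O23" and (m := O23_RE.match(body)):
        return Entry("O23", m.group(1), "service", m.group(2), _target(m.group(3)), missing)
    return None


def reasons_for(e):
    """Apply the rules; each hit is a short, human-readable reason to review the entry."""
    r = []
    if e.missing:
        r.append("target file missing: dangling load point")
    if e.section == "O4" and e.location.lower().endswith("\\runservices"):
        r.append("RunServices key: Win9x-era location that NT-family Windows does not run")
    if "\\" not in e.target:
        r.append("bare filename: resolved through the search path, not a fixed location")
    else:
        if e.target[:2].upper() != SYSTEM_DRIVE:
            r.append(f"target on {e.target[:2]}, not the system drive {SYSTEM_DRIVE}")
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", e.target):
            r.append("executable sitting in the drive root")
    if e.section == "O23" and e.owner.lower() == "unknown owner":
        r.append("service binary carries no company name in its version info")
    if re.search(r"security|firewall|antivirus", e.name, re.I) and "program files" not in e.target.lower():
        r.append("security-product-sounding name pointing outside Program Files")
    return r


def triage(log_text):
    """Return [(entry, reasons)] for every parsed entry that tripped at least one rule."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line.strip())
        if e and (rs := reasons_for(e)):
            hits.append((e, rs))
    return hits


if __name__ == "__main__":
    for e, rs in triage(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] -> {e.target}")
        for why in rs:
            print(f"    - {why}")
```

Run as-is it prints the seven entries from the sample that trip a rule and leaves the NOD32 and Java lines alone; to use it on a real log, read the file and pass its text to triage(). The rules are deliberately dumb and stated in plain words so that the reason for each flag can be argued with, which is what a helper on a thread like this has to do anyway.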
#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 AM

Posted 10 July 2007 - 03:11 PM

Copy/paste the following quote box into a new Notepad (not WordPad) document. Make sure that word wrap is turned off.

REM export the Lsa key to a text file, show it in Notepad, then delete the file
regedit /e reglook "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
notepad.exe reglook
del /q /f reglook


Save it to your Desktop as search.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: search.bat

Locate search.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Once it has finished, a Notepad window will open. Copy and paste the contents of that window as a reply to this topic.

#11 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 10 July 2007 - 03:12 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:0000024c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"NvCp1Do"="C:\\gs.exe"
"NvCp1De"="c:\\windows\\sass.exe"
"NvCp1Da"="d:\\windows\\sass.exe"
"Rund"="c:\\Program Files\\sass.exe"
"Msnsgrst.exe"="d:\\Program Files\\sass.exe"
"Msnsgry.exe"="d:\\sass.exe"
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data]
"Pattern"=hex:5c,e8,ad,a5,5e,bf,5a,59,ec,3a,2a,32,b2,c0,7f,c7,63,35,61,63,38,\
62,36,34,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,8d,ba,5b,6f

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG]
"GrafBlumGroup"=hex:ef,1f,f5,b7,2e,97,17,cf,39

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD]
"Lookup"=hex:26,bd,09,09,6a,15

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1]
"SkewMatrix"=hex:49,40,67,f3,d8,82,25,be,20,7c,90,fe,10,25,e9,65

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache]
"Time"=hex:7a,fe,06,e3,3d,c3,c7,01

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e5,84,8a,48,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,20,7c,22,cb,2b,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,4d,0e,94,48,4f,c2,01
"Type"=dword:00000031

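Added example (editor's code, not something posted in the thread): a decoder for the kind of regedit export shown above. The reason a helper asks for this key is that "Authentication Packages", "Security Packages" and "Notification Packages" are lists of DLLs that lsass.exe loads at boot, so a malware DLL registered there survives every other clean-up; regedit writes them as hex(7), which is REG_MULTI_SZ in UTF-16LE, so they are unreadable by eye. The script rebuilds the wrapped hex lines, decodes each value to its type, prints the package lists, and lists any value name in the Lsa root that is not on an allowlist of standard XP settings. The allowlist is the editor's assumption; a name missing from it means "look at it", not "malicious". The embedded sample is an excerpt of the export posted above.

```python
"""Decode a `regedit /e` export of the Lsa key and report (a) the package lists,
which are where a DLL can be registered to run inside lsass.exe, and (b) value
names that are not standard LSA settings.  Editor's example, not code from the
thread; the allowlist of known value names is an assumption."""
import re

# Standard value names under the Lsa key on Windows XP (assumption: compiled by the
# editor; a name not listed here means "review it", not "malicious").
KNOWN_LSA_VALUES = {
    "authentication packages", "bounds", "security packages", "lsapid", "secureboot",
    "auditbaseobjects", "crashonauditfail", "disabledomaincreds",
    "everyoneincludesanonymous", "fipsalgorithmpolicy", "forceguest",
    "fullprivilegeauditing", "limitblankpassworduse", "lmcompatibilitylevel",
    "nodefaultadminowner", "nolmhash", "restrictanonymous", "restrictanonymoussam",
    "notification packages",
}

# Constructed sample: an excerpt of the export posted above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:0000024c
"restrictanonymous"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"NvCp1Do"="C:\\gs.exe"
"Rund"="c:\\Program Files\\sass.exe"
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0]
"Auth132"="IISSUBA"
'''


def _join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; rejoin those lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw):
    """Map the right-hand side of a .reg value line to (type, python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or "3")  # plain "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind == 7:  # REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated
            return ("REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s])
        if kind == 2:  # REG_EXPAND_SZ
            return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00"))
        return ("REG_BINARY", data)
    return ("UNKNOWN", raw)


def parse_reg_export(text):
    """Return {key_path: {value_name: (type, value)}} for a 'Version 5.00' export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if (m := re.match(r"^\[(.+)\]$", line)):
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def audit_lsa(keys):
    """Return (package lists, values in the Lsa root whose names are not standard)."""
    root = next(k for k in keys if k.lower().endswith("\\control\\lsa"))
    values = keys[root]
    packages = {n: v for n, (t, v) in values.items() if t == "REG_MULTI_SZ"}
    unexpected = {n: v for n, (t, v) in values.items() if n.lower() not in KNOWN_LSA_VALUES}
    return packages, unexpected


if __name__ == "__main__":
    packages, odd = audit_lsa(parse_reg_export(SAMPLE_EXPORT))
    for name, items in packages.items():
        print(f"{name}: {items}")
    for name, value in odd.items():
        print(f"review: {name!r} = {value!r}")
```

On the sample this prints the XP defaults (msv1_0; kerberos, msv1_0, schannel, wdigest; scecli), which is the good news in the export above: the infection did not register an LSA package, it only left stray REG_SZ values in the key that LSA never reads. On a live machine, feed it the file produced by the search.bat step; regedit writes that file as UTF-16 with a byte-order mark, so open it with encoding="utf-16" before passing the text in.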
#12 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 AM

Posted 10 July 2007 - 03:49 PM

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
Then please upload this file:

C:\WINDOWS\System32\wms.exe

To either jotti or virustotal, and copy and paste the results as a reply to this topic
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\gs.exe
    C:\ntldx.exe
    C:\Program Files\sass.exe
    C:\WINDOWS\sass.exe
    C:\WINDOWS\system32\firewall.exe~
    C:\WINDOWS\tamer.bat
    C:\WINDOWS\system32\pmnlj.dll.vir
    C:\WINDOWS\system32\ytovxvro.ini.ren
    C:\WINDOWS\system32\qrutv.ini2.ren
    C:\WINDOWS\system32\qrutv.ini.ren
    C:\WINDOWS\system32\urdvxc.exe.ren
    C:\WINDOWS\system32\senktyef.exe
    C:\WINDOWS\system32\qrutv.bak2.ren
    C:\WINDOWS\system32\qrutv.bak1.ren
    C:\WINDOWS\system32\mljhhhg.dll.vir
    C:\windows\System32\vturq.dll
    C:\windows\System32\msqI23.exe
    C:\windows\System32\Tilecomnu.com
    C:\windows\System32\biqpkoaijmk.exe
    C:\windows\System32\NSecurity.exe
    C:\windows\System32\spool.exe
    C:\windows\System32\nex.exe
    d:\sass.exe
    d:\Program Files\sass.exe
    d:\windows\sass.exe
    C:\windows\System32\xuovqw.exe
    C:\windows\System32\kgvfkffc.dll
    C:\windows\System32\jgwyecca.dll
    C:\windows\System32\msq23.exe
    C:\windows\System32\alggg.exe
    C:\windows\System32\sslms.exe
    C:\WINDOWS\System32\firewall.exe
    C:\windows\System32\vwqecsmpogp.exe
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{967AA597-278A-4297-AB47-D97C7F574418}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "NvCp1Do"=-
    "NvCp1De"=-
    "NvCp1Da"=-
    "Rund"=-
    "Msnsgrst.exe"=-
    "Msnsgry.exe"=-
    "Internet Security Servicexs"=-
    "PC Tilecomnu"=-
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Network Security"=-
    "Windows Service Network"=-
    "WindowsXp Security"=-
    "Internet Security Service"=-
    "Nex"=-
    "Internet Security Servicexs"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "NvCp1Do"=-
    "NvCp1De"=-
    "NvCp1Da"=-
    "Rund"=-
    "Msnsgrst.exe"=-
    "Msnsgry.exe"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Edzy AntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Service]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Servicexs]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msnsgrst.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msnsgry.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Security]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nex]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCp1Da]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCp1De]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCp1Do]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Tilecomnu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rund]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Update]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (sslms.exe)]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Network Firewall]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Network]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsXp Security]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as ComboFix-Do.txt
  • Now drag and drop ComboFix-Do.txt onto combofix.exe as in the picture below and follow the prompts:
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#13 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 10 July 2007 - 04:37 PM

ComboFix

"Rongavilla" - 2007-07-10 16:29:47 - ComboFix 07-07-09.3 - Service Pack 1
Command switches used :: C:\Documents and Settings\Rongavilla\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\gs.exe
C:\ntldx.exe
C:\Program Files\sass.exe
C:\WINDOWS\sass.exe
C:\WINDOWS\system32\mljhhhg.dll.vir
C:\WINDOWS\system32\pmnlj.dll.vir
C:\WINDOWS\system32\qrutv.bak1.ren
C:\WINDOWS\system32\qrutv.bak2.ren
C:\WINDOWS\system32\qrutv.ini.ren
C:\WINDOWS\system32\qrutv.ini2.ren
C:\WINDOWS\system32\senktyef.exe
C:\WINDOWS\system32\urdvxc.exe.ren
C:\WINDOWS\system32\ytovxvro.ini.ren
C:\WINDOWS\tamer.bat


((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


2007-07-10 15:01 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-10 14:53 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-07-10 14:53 <DIR> d-------- C:\WINDOWS\ehome
2007-07-10 14:40 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-07-10 14:40 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2007-07-10 14:40 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2007-07-10 14:40 77,824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-07-10 14:40 77,824 --a------ C:\WINDOWS\system32\wmpshell.dll
2007-07-10 14:40 61,952 --a------ C:\WINDOWS\system32\webclnt.dll
2007-07-10 14:40 60,416 --a------ C:\WINDOWS\system32\wextract.exe
2007-07-10 14:40 56,832 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-07-10 14:40 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll
2007-07-10 14:40 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2007-07-10 14:40 446,464 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-07-10 14:40 442,398 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-07-10 14:40 38,912 --a------ C:\WINDOWS\system32\wsnmp32.dll
2007-07-10 14:40 316,416 --a------ C:\WINDOWS\system32\zipfldr.dll
2007-07-10 14:40 311,327 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-07-10 14:40 296,448 --a------ C:\WINDOWS\system32\wmstream.dll
2007-07-10 14:40 294,912 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-07-10 14:40 274,432 --a------ C:\WINDOWS\system32\wmasf.dll
2007-07-10 14:40 266,752 --a------ C:\WINDOWS\winhlp32.exe
2007-07-10 14:40 264,704 --a------ C:\WINDOWS\system32\wzcsvc.dll
2007-07-10 14:40 253,952 --a------ C:\WINDOWS\system32\wmpcd.dll
2007-07-10 14:40 253,952 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2007-07-10 14:40 247,808 --a------ C:\WINDOWS\system32\wow32.dll
2007-07-10 14:40 23,552 --a------ C:\WINDOWS\system32\wzcsapi.dll
2007-07-10 14:40 189,440 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-10 14:40 184,320 --a------ C:\WINDOWS\system32\wmadmod.dll
2007-07-10 14:40 172,664 --a------ C:\WINDOWS\system32\xenroll.dll
2007-07-10 14:40 171,520 --a------ C:\WINDOWS\system32\winmm.dll
2007-07-10 14:40 17,408 --a------ C:\WINDOWS\system32\wtsapi32.dll
2007-07-10 14:40 168,448 --a------ C:\WINDOWS\system32\wldap32.dll
2007-07-10 14:40 16,384 --a------ C:\WINDOWS\system32\watchdog.sys
2007-07-10 14:40 139,776 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-10 14:40 13,312 --a------ C:\WINDOWS\system32\wship6.dll
2007-07-10 14:40 124,928 --a------ C:\WINDOWS\system32\webvw.dll
2007-07-10 14:40 119,808 --a------ C:\WINDOWS\system32\wiadss.dll
2007-07-10 14:40 118,784 --a------ C:\WINDOWS\system32\wmsdmoe.dll
2007-07-10 14:40 110,592 --a------ C:\WINDOWS\system32\wmsdmod.dll
2007-07-10 14:40 1,998,848 --a------ C:\WINDOWS\system32\wmploc.dll
2007-07-10 14:40 1,404,928 --a------ C:\WINDOWS\system32\wmpui.dll
2007-07-10 14:40 1,298,432 --a------ C:\WINDOWS\system32\wmpcore.dll
2007-07-10 14:39 98,304 --a------ C:\WINDOWS\system32\oleprn.dll
2007-07-10 14:39 94,208 --a------ C:\WINDOWS\system32\odbccp32.dll
2007-07-10 14:39 91,136 --a------ C:\WINDOWS\system32\rastls.dll
2007-07-10 14:39 9,856 --------- C:\WINDOWS\system32\drivers\tunmp.sys
2007-07-10 14:39 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-07-10 14:39 87,304 --a------ C:\WINDOWS\system32\rdpdd.dll
2007-07-10 14:39 82,944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-07-10 14:39 82,944 --a------ C:\WINDOWS\system32\psbase.dll
2007-07-10 14:39 81,920 --a------ C:\WINDOWS\system32\trkwks.dll
2007-07-10 14:39 8,192 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-07-10 14:39 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-07-10 14:39 74,240 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-07-10 14:39 71,168 --a------ C:\WINDOWS\system32\telnet.exe
2007-07-10 14:39 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-07-10 14:39 71,168 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-07-10 14:39 686,080 --a------ C:\WINDOWS\system32\opengl32.dll
2007-07-10 14:39 674,816 --a------ C:\WINDOWS\system32\sxs.dll
2007-07-10 14:39 667,648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-07-10 14:39 66,560 --a------ C:\WINDOWS\system32\spoolss.dll
2007-07-10 14:39 66,048 --a------ C:\WINDOWS\system32\sigverif.exe
2007-07-10 14:39 638,976 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-07-10 14:39 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2007-07-10 14:39 62,976 --a------ C:\WINDOWS\system32\shgina.dll
2007-07-10 14:39 61,952 --a------ C:\WINDOWS\system32\sti.dll
2007-07-10 14:39 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2007-07-10 14:39 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2007-07-10 14:39 60,416 --a------ C:\WINDOWS\system32\shimeng.dll
2007-07-10 14:39 6,144 --a------ C:\WINDOWS\system32\sensapi.dll
2007-07-10 14:39 58,880 --a------ C:\WINDOWS\system32\pautoenr.dll
2007-07-10 14:39 57,856 --a------ C:\WINDOWS\system32\raschap.dll
2007-07-10 14:39 569,344 --a------ C:\WINDOWS\system32\sspipes.scr
2007-07-10 14:39 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-07-10 14:39 548,864 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-07-10 14:39 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-07-10 14:39 530,432 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-07-10 14:39 53,248 --a------ C:\WINDOWS\system32\packager.exe
2007-07-10 14:39 53,248 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-07-10 14:39 52,224 --a------ C:\WINDOWS\system32\secur32.dll
2007-07-10 14:39 511,488 --a------ C:\WINDOWS\system32\qedit.dll
2007-07-10 14:39 5,504 --------- C:\WINDOWS\system32\drivers\smbali.sys
2007-07-10 14:39 48,640 --a------ C:\WINDOWS\system32\vdmredir.dll
2007-07-10 14:39 48,128 --a------ C:\WINDOWS\system32\reg.exe
2007-07-10 14:39 479,261 --a------ C:\WINDOWS\system32\vbscript.dll
2007-07-10 14:39 47,616 --a------ C:\WINDOWS\system32\utilman.exe
2007-07-10 14:39 44,032 --a------ C:\WINDOWS\system32\regapi.dll
2007-07-10 14:39 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-07-10 14:39 43,008 --a------ C:\WINDOWS\system32\ssdpsrv.dll
2007-07-10 14:39 420,864 --a------ C:\WINDOWS\system32\shimgvw.dll
2007-07-10 14:39 409,088 --a------ C:\WINDOWS\system32\vssapi.dll
2007-07-10 14:39 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-07-10 14:39 385,024 --a------ C:\WINDOWS\system32\sqlsrv32.dll
2007-07-10 14:39 384,000 --a------ C:\WINDOWS\system32\themeui.dll
2007-07-10 14:39 364,544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-07-10 14:39 36,352 --a------ C:\WINDOWS\system32\sens.dll
2007-07-10 14:39 357,376 --a------ C:\WINDOWS\system32\qdvd.dll
2007-07-10 14:39 34,304 --a------ C:\WINDOWS\system32\rcimlby.exe
2007-07-10 14:39 339,456 --a------ C:\WINDOWS\system32\usp10.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 19:41:11 2,560 ------w C:\windows\system32\drivers\cdralw2k.sys
2007-07-02 19:41:10 2,432 ------w C:\windows\system32\drivers\cdr4_xp.sys
2007-06-16 21:28:16 66,048 ----a-w C:\windows\system32\notepad.exe
2007-06-16 19:42:02 118,784 ----a-w C:\windows\system32\wscript.exe
2007-06-16 19:41:47 1,135,616 ----a-w C:\windows\system32\ntbackup.exe
2007-06-16 19:41:43 24,064 ----a-w C:\windows\system32\mshta.exe
2007-06-16 19:41:40 8,192 ----a-w C:\windows\system32\lpr.exe
2007-06-16 19:41:40 6,144 ----a-w C:\windows\system32\lpq.exe
2007-06-16 19:41:40 55,296 ----a-w C:\windows\system32\logman.exe
2007-06-16 19:41:39 9,728 ----a-w C:\windows\system32\label.exe
2007-06-16 19:41:39 68,096 ----a-w C:\windows\system32\locator.exe
2007-06-16 19:41:39 5,120 ----a-w C:\windows\system32\lodctr.exe
2007-06-16 19:41:39 29,696 ----a-w C:\windows\system32\lights.exe
2007-06-16 19:41:39 25,088 ----a-w C:\windows\system32\lnkstub.exe
2007-06-16 19:41:37 44,032 ----a-w C:\windows\system32\ipsec6.exe
2007-06-16 19:41:37 22,016 ----a-w C:\windows\system32\ipxroute.exe
2007-06-16 19:41:36 192,512 ----a-w C:\windows\system32\ImapiRox.exe
2007-06-16 19:41:35 99,840 ----a-w C:\windows\system32\iexpress.exe
2007-06-16 19:41:34 7,680 ----a-w C:\windows\system32\hostname.exe
2007-06-16 19:41:34 57,344 ----a-w C:\windows\system32\gpupdate.exe
2007-06-16 19:41:34 37,888 ----a-w C:\windows\system32\grpconv.exe
2007-06-16 19:41:34 14,848 ----a-w C:\windows\system32\help.exe
2007-06-16 19:41:33 55,296 ----a-w C:\windows\system32\getmac.exe
2007-06-16 19:41:12 4,096 ----a-w C:\windows\system32\actmovie.exe
2007-06-13 21:44:14 45,056 ----a-w C:\windows\system32\cdrtc.dll
2007-06-13 21:44:14 45,056 ----a-w C:\windows\system32\cdral.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-12 18:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 15:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\windows\System32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"C:\Program Files\Prevx1\PXConsole.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoveIT Pro XT]
C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]



Contents of the 'Scheduled Tasks' folder
2007-06-27 01:47:21 C:\windows\tasks\Uniblue SpyEraser Nag.job
2007-06-27 01:47:17 C:\windows\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 16:31:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 16:31:45
C:\ComboFix-quarantined-files.txt ... 2007-07-10 16:31
C:\ComboFix2.txt ... 2007-07-09 13:57

--- E O F ---


HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 4:32:28 PM, on 7/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\LEXPPS.EXE
C:\Program Files\Eset\nod32krn.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Ares\Ares.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Documents and Settings\Rongavilla\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Windows Management Service (wms) - Unknown owner - C:\WINDOWS\System32\wms.exe (file missing)


I am not getting any results for C:\WINDOWS\System32\wms.exe; it is probably due to the service load being high.

#14 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:31 AM

Posted 11 July 2007 - 11:15 AM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
You are running a P2P filesharing programme.
  • Many of these programmes come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does, click here.

Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


My recommendation is you uninstall it.
  • Some of our experts would like to examine the files you are infected with.
  • Go to the upload page here
  • Click Browse
  • Find this file:
    • C:\WINDOWS\System32\wms.exe
  • Select the file, then click Open
  • Click Send File
Then post a new HijackThis log

Also, is your NOD32 antivirus up to date?

#15 TheComputerNoob

TheComputerNoob
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:31 PM

Posted 11 July 2007 - 03:22 PM

Yes, my NOD32 is up to date.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:55 PM, on 7/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\LEXPPS.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Rongavilla\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Windows Management Service (wms) - Unknown owner - C:\WINDOWS\System32\wms.exe (file missing)



