Please help.


Post by lei-zzz » August 25th, 2006, 12:43 am

Hi, newbie here,
I can't open programs on my PC such as Spybot, AVG and Ad-Aware.
Now it's infested with spyware and much other nonsense. I have to rename the HijackThis file to something else in order for it to run, so I scanned both my C and D drives just in case.


Logfile of HijackThis v1.99.1
Scan saved at 11:20:26 PM, on 8/24/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\chh.exe
D:\WINNT\Explorer.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINNT\system32\soundmax.exe
D:\WINNT\system32\rundll32.exe
C:\nwnmff_12.exe
C:\dfndrff_12.exe
C:\kybrdff_12.exe
D:\winnt\system32\stonedrv.exe
D:\winnt\system32\taskmgn.exe
D:\WINNT\system32\rpcc.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINNT\system32\cmd.exe
D:\WINNT\system32\cscript.exe
D:\Stupid.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - D:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe chh.exe
F2 - REG:system.ini: UserInit=D:\WINNT\system32\userinit.exe,chh.exe
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O2 - BHO: (no name) - {61CD4101-FB0D-4316-8FFA-A1010BC677B3} - D:\WINNT\system32\awtqn.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\zh-sg\msntb.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - D:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Soundmax Audio Drivers] soundmax.exe
O4 - HKLM\..\Run: [WinDLL (nope.dll)] rundll32.exe D:\WINNT\system32\nope.dll,start
O4 - HKLM\..\Run: [newname] C:\\nwnmff_12.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
O4 - HKLM\..\Run: [stonedrv] d:\winnt\system32\stonedrv.exe
O4 - HKLM\..\Run: [Windows Task Manager] d:\winnt\system32\taskmgn.exe
O4 - HKLM\..\RunServices: [Ms Java for Windows NT] 86541_netapi.exe
O4 - HKLM\..\RunServices: [Soundmax Audio Drivers] soundmax.exe
O4 - HKLM\..\RunServices: [stonedrv] d:\winnt\system32\stonedrv.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKLM\..\RunServices: [Windows firewall manager] chh.exe
O4 - HKCU\..\Run: [Internet Explorer6.0] iexplore.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Soundmax Audio Drivers] soundmax.exe
O4 - HKCU\..\Run: [stonedrv] d:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00013.exe"
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] 17751_netapi.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\RunServices: [Windows firewall manager] chh.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4774493781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5036379656
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63237AC7-4347-480A-BEF0-A947B53D157E}: NameServer = 165.21.100.88 165.21.83.88
O20 - Winlogon Notify: awtqn - D:\WINNT\system32\awtqn.dll
O20 - Winlogon Notify: Installer - D:\WINNT\system32\l44q0eh5eh4.dll
O20 - Winlogon Notify: Internet Settings - D:\WINNT\system32\rwm.dll (file missing)
O20 - Winlogon Notify: IPConfMSP - D:\WINNT\system32\gppml3711.dll (file missing)
O20 - Winlogon Notify: Nls - D:\WINNT\system32\hwd.dll (file missing)
O20 - Winlogon Notify: policies - D:\WINNT\system32\iocvid.dll (file missing)
O20 - Winlogon Notify: Reliability - D:\WINNT\system32\mfdtcui.dll (file missing)
O20 - Winlogon Notify: Syncmgr - D:\WINNT\system32\k0lq0a35ed.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - D:\WINNT\system32\k0lq0a35ed.dll (file missing)
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - D:\WINNT\system32\msc.cpl
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - D:\WINNT\system32\msp.cpl
O23 - Service: 62804 - Unknown owner - \\220.255.25.200\Admin$\eraseme_40880.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - D:\WINNT\system32\7.tmp (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - D:\WINNT\system32\wgareg.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - D:\WINNT\services.exe (file missing)
lei-zzz
Regular Member
 
Posts: 23
Joined: August 25th, 2006, 12:33 am
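The log above carries several textbook indicators that a helper reads off before anything else: the `F2` Shell=/UserInit= values with an extra executable appended, dozens of `O1` hosts entries that send anti-virus vendor domains to arbitrary addresses (so the machine can no longer fetch updates or reach scanners), `O4` autoruns launching from the root of `C:\`, `O20` Winlogon Notify handlers whose DLL is gone, a `O23` service whose image lives on a remote share, and the same DLL (`awtqn.dll`) registered both as a BHO and as a Winlogon Notify handler. The checker below is an added example written for this page; it is neither HijackThis's own logic nor anything posted in the thread. Its rule names, the vendor keyword list and the "executable in a drive root" heuristic are this example's own choices; the sample lines are copied from the log in the post, plus one constructed benign hosts entry (`ads.example.test`) so the hosts rule has a negative case.

```python
"""Flag the classic hijack patterns visible in a HijackThis-style log (added example)."""
import re

# Hostname fragments of security vendors; a hosts entry that sends one of these
# anywhere other than localhost is the usual "block AV updates" hijack. Assumed list.
VENDOR_KEYWORDS = ("symantec", "mcafee", "kaspersky", "avp.com", "sophos",
                   "trendmicro", "f-secure", "virustotal", "jotti", "nai.com",
                   "norman.no", "viruslist", "ca.com", "etrust", "networkassociates")
LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")

# Sample input: lines taken from the log in the post above, plus one constructed
# benign hosts line (ads.example.test) as a negative case for the hosts rule.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe chh.exe
F2 - REG:system.ini: UserInit=D:\WINNT\system32\userinit.exe,chh.exe
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: (no name) - {61CD4101-FB0D-4316-8FFA-A1010BC677B3} - D:\WINNT\system32\awtqn.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O20 - Winlogon Notify: awtqn - D:\WINNT\system32\awtqn.dll
O20 - Winlogon Notify: Nls - D:\WINNT\system32\hwd.dll (file missing)
O23 - Service: 62804 - Unknown owner - \\220.255.25.200\Admin$\eraseme_40880.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
"""


def check_line(line):
    """Return [(rule, detail), ...] for one log line; an empty list means no finding."""
    line = line.strip()
    findings = []

    # F2: system.ini Shell= / UserInit= with an extra program appended
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
    if m:
        key, value = m.groups()
        expected = "explorer.exe" if key == "Shell" else "userinit.exe"
        extras = [p for p in re.split(r"[,\s]+", value.strip())
                  if p and p.lower().rsplit("\\", 1)[-1] != expected]
        if extras:
            findings.append((f"{key.lower()}-hijack", f"{key}= also runs {extras}"))
        return findings

    # O1: hosts entry pointing a security vendor somewhere other than localhost
    m = re.match(r"O1 - Hosts: (\S+) (\S+)$", line)
    if m:
        ip, host = m.groups()
        if not ip.startswith(LOOPBACK_PREFIXES) and any(k in host.lower() for k in VENDOR_KEYWORDS):
            findings.append(("hosts-av-redirect", f"{host} -> {ip}"))
        return findings

    # O4: Run/RunServices value whose target executable sits directly in a drive root
    m = re.match(r"O4 - HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(.*?)\] (.*)$", line)
    if m:
        name, value = m.group(1), m.group(2).strip()
        target = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
        if re.match(r"^[A-Za-z]:\\+[^\\]+\.exe$", target, re.IGNORECASE):
            findings.append(("autorun-drive-root", f"[{name}] runs {target}"))
        return findings

    # O20: Winlogon Notify handler whose DLL is gone (leftover of a removed component)
    m = re.match(r"O20 - Winlogon Notify: (.*?) - (.*)$", line)
    if m and m.group(2).endswith("(file missing)"):
        findings.append(("winlogon-notify-dangling", f"{m.group(1)}: {m.group(2)}"))
        return findings

    # O23: service image on a network share, or missing with no known owner
    m = re.match(r"O23 - Service: (.*?) - (.*?) - (.*)$", line)
    if m:
        svc, owner, image = m.groups()
        if image.startswith("\\\\"):
            findings.append(("service-unc-image", f"{svc}: {image}"))
        elif owner == "Unknown owner" and image.endswith("(file missing)"):
            findings.append(("service-dangling", f"{svc}: {image}"))
    return findings


def scan_log(text):
    """Run check_line over every line, then add one cross-line rule: a DLL that is
    registered both as a BHO (O2) and as a live Winlogon Notify handler (O20)."""
    findings = []
    bho_dlls, notify_dlls = set(), set()
    for line in text.splitlines():
        findings.extend(check_line(line))
        m = re.match(r"O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.*)$", line.strip())
        if m:
            bho_dlls.add(m.group(1).strip().lower())
        m = re.match(r"O20 - Winlogon Notify: .*? - (.*)$", line.strip())
        if m and not m.group(1).endswith("(file missing)"):
            notify_dlls.add(m.group(1).strip().lower())
    for dll in sorted(bho_dlls & notify_dlls):
        findings.append(("bho-and-winlogon-notify", dll))
    return findings


if __name__ == "__main__":
    for rule, detail in scan_log(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

The rules are deliberately conservative (a bare `mobsync.exe` autorun or a hosts line pointing at `127.0.0.1` produces nothing), because the value of a triage script like this is in the handful of entries it flags with high confidence, not in reproducing a helper's full judgement of the log.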

Post by lei-zzz » August 25th, 2006, 10:06 am

Anyone?
It's really getting on my nerves....
Thanks
lei-zzz
Regular Member
 
Posts: 23
Joined: August 25th, 2006, 12:33 am

Post by agrarianmonk » August 25th, 2006, 10:52 am

Welcome! Please take note of the following while we are working together:
  • Your fix may take a couple of posts, so please be patient even if you don't see immediate results.
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something, please don't hesitate to say or ask! It's definitely better to be sure and safe than sorry.


***************************************

Your log is in pretty rough shape :(

You have been infected by a variety of backdoors, remote access trojans, and at least one dangerous keylogger.

These types of infection allow hackers to remotely control your computer, steal critical system information, and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. I know that I would not hesitate to reformat. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

If, however, you decide that the computer is not used for any sensitive work, or if you do not have the resources to reinstall your computer and do not wish to reformat at this time, I can definitely help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Post by lei-zzz » August 25th, 2006, 1:58 pm

Hi, thanks for the advice. I have decided to reformat my PC.

:(
lei-zzz
Regular Member
 
Posts: 23
Joined: August 25th, 2006, 12:33 am

Post by agrarianmonk » August 25th, 2006, 7:34 pm

Sometimes the best solution is to format and reinstall Windows. You will have the reassurance that the system is clean after you do.

If you decide to go this route, start the format, and make sure you are not connected to the Internet (unplug dial-up, DSL, cable, wireless ) when you install the Operating System. After the OS is on board, install an Antivirus program and a Firewall (if you have a CD for them), reboot, then connect to the Internet, and install Service Pack 2.

If you do not have a CD, and need to download an AntiVirus program and a Firewall from the Internet, let that be the first step so that the system is protected right after the Operating System is installed.

There are free AntiVirus programs you can download:

Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

AntiVir Personal Edition: http://www.free-av.com/


Some free Firewall choices are:

ZoneAlarm:
http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za

Sunbelt Kerio:
http://www.sunbelt-software.com/Kerio.cfm

OutPost:
http://www.agnitum.com/products/outpostfree/download.php


Then, make sure that the AntiVirus program installed in your system is always kept up to date!

Last, install whatever other programs you wish after the computer has protection.

If data was backed up prior to the format, before placing that data back onto the clean hard drive, have it scanned with AntiVirus programs. Use more than one program, since AntiVirus scanners use databases that are not identical, and one may find malware that another does not. If the data is reported as clean after running a few virus scans (IMO I would use three or more), it should be safe to place it on the clean hard drive.

====
Some of the best suggestions and programs to remain malware free are contained in the following:
Tony Klein’s article 'How Did I Get Infected In The First Place'
http://castlecops.com/postlite7736-.html
Take a look at what the article has to offer and select the programs that suit your needs.

Also, the following is an excellent program that you may want to run on a regular basis:

AdAware SE:
http://www.majorgeeks.com/download506.html

Every so often, also perform an online virus scan.
AntiVirus scanners use databases which are not identical, and one may find malware that another does not.

Some online scanners:
TrendMicro HouseCall:
http://uk.trendmicro-europe.com/consumer/h...call_launch.php

Panda ActiveScan:
http://www.pandasoftware.com/products/activescan.htm

Kaspersky Online Scanner (using Internet Explorer):
http://www.kaspersky.com/virusscanner

BitDefender:
http://www.bitdefender.com/scan8/

If you have any questions or comments, do not hesitate to post back.

If you have no questions, please post back to let us know that we can archive the thread.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Post by lei-zzz » August 29th, 2006, 2:17 am

Thanks for all the info. Really appreciate it.
lei-zzz
Regular Member
 
Posts: 23
Joined: August 25th, 2006, 12:33 am

Post by agrarianmonk » August 29th, 2006, 2:19 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am