Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

big infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

big infection

Unread postby minime » October 13th, 2006, 12:56 am

hello everyone, hope you can help me with this.
I have tried whith many programs (nod32, spysweeper, avg, ad-aware, spybot and currently i`m using kaspersky aol version) (i didn't use them at the same time by the way).

I believe that the main virus is called dsmartload, wich has been erased, but now the alerts keep coming constantly and my computer it's running real slow. here it's my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 0:54:23, on 13/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\AOL\Active Virus Shield\avp.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\eiRecvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\lssc.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Administrador\Mis documentos\aplicaciones\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\ARCHIV~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Archivos de programa\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows System32] winsys32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "C:\Archivos de programa\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e27.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e27.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e27.exe
O4 - HKLM\..\RunServices: [Windows System32] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows System32] winsys32.exe
O4 - HKCU\..\RunServices: [Windows System32] winsys32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Archivos de programa\AOL\Active Virus Shield\avp.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Map Manager - Unknown owner - C:\WINDOWS\system32\lssc.exe

!!!please help me!!!!!
minime
Active Member
 
Posts: 7
Joined: October 13th, 2006, 12:44 am
Advertisement
Register to Remove

Unread postby waterfalls » October 13th, 2006, 4:06 am

Your system is badly infected which is compounded by the fact that you're running an unpatched version of Windows XP (XP1).

We can try to clean the infections, but there is no guarantee that we'll be successful. That's because there's been a lot of damage done to your system. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards.

So, you can either reformat and reinstall Windows, or we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

Let me know what you want to do.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby minime » October 13th, 2006, 8:47 am

let's try to remove it if there's a chance

:?
minime
Active Member
 
Posts: 7
Joined: October 13th, 2006, 12:44 am

Unread postby waterfalls » October 13th, 2006, 2:26 pm

Okay. Do NOT use this computer for online banking, transactions, etc. because your computer's security has been compromised. You should change your passwords at any sensitive sites from another clean computer.

Please follow these directions exactly and in the order stated. You will need to print the instructions because, at one point, you will be working in Safe Mode without an Internet connection.

• Download Brute Force Uninstaller.
- Unzip it to a folder of its own (C:\BFU).
- Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompre ... ation.html
- Start the Brute Force Uninstaller by doubleclicking BFU.exe
- Next to the 'Scriptfile to execute'-window you'll see a small, blue icon: http://users.telenet.be/bluepatchy/miek ... fuicon.gif
- When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
[See: http://metallica.geekstogo.com/BFUonlinescript.jpg for a picture for reference]
- In the field, copy and paste this URL: http://metallica.geekstogo.com/alcanshorty.bfu
- Click Ok.
- Then click 'Execute".

Note: If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, manually download the script by going to: http://metallica.geekstogo.com/alcanshorty.bfu
- Click File, select 'Save As' and save it in your C:\BFU folder
- Then start BFU.exe again and click the icon of a folder next to the 'Scriptfile to execute'
- Navigate to alconshorty.bfu script you downloaded, select it by clicking onto it
- Click OK and then click 'Execute' in the Brute Force Uninstaller.


*Wait for the complete script execution box to popup and press OK.
*Press exit to terminate the BFU program.

• Download SDFix and save it to your Desktop.

• Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Extract SDFix and run the program.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

• Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.


• As your last step, download ComboFix and save to the Desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Do not proceed with the rest of the fix if you fail to run combofix
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100

• Post back with:
- the SDFix log
- the Superantispyware log
- the combofix.txt log
- and a new HijackThis log.
.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby minime » October 14th, 2006, 1:39 am

sdfix couldn't be executed. after the restart there was a message that the system couldn't execute the program. here are the logs of superantispyware and combofix and the new hijack log:

SUPERAntiSpyware Scan Log
Generated 10/14/2006 at 02:01 AM

Core Rules Database Version : 2847
Trace Rules Database Version: 1028

Memory threats detected : 4
Registry threats detected : 36
File threats detected : 19

Adware.NicTech Networks
C:\WINDOWS\SYSTEM32\J02QLAF51D2.DLL
C:\WINDOWS\SYSTEM32\J02QLAF51D2.DLL
C:\WINDOWS\SYSTEM32\MMIMG32.DLL
C:\WINDOWS\SYSTEM32\MMIMG32.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WebCheck
C:\WINDOWS\system32\ihnathlp.dll
C:\WINDOWS\system32\j62qlgf5162.dll
C:\WINDOWS\system32\l20ulcd91f0.dll
C:\WINDOWS\system32\svnsapi.dll

Adware.Adservs
C:\WINDOWS\CGM\ASAPPSRV.DLL
C:\WINDOWS\CGM\ASAPPSRV.DLL

Unclassified.Unknown Origin
C:\WINDOWS\CGM\COMMAND.EXE
C:\WINDOWS\CGM\COMMAND.EXE
HKLM\System\ControlSet002\Services\cmdService
HKLM\System\ControlSet003\Services\cmdService
HKLM\System\CurrentControlSet\Services\cmdService
C:\WINDOWS\Prefetch\COMMAND.EXE-3540F939.pf

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
C:\Archivos de programa\Network Monitor\netmon.exe_tobedeleted
C:\Archivos de programa\Network Monitor

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control#ActiveService
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Archivos temporales de Internet\Content.IE5\SDEZ8PI7\MTE3NDI6ODoxNg[1].exe
C:\MTE3NDI6ODoxNg.exe
C:\WINDOWS\Prefetch\MTE3NDI6ODOXNG.EXE-0C5660D8.pf

Trojan.Unknown Origin
C:\Documents and Settings\LocalService.NT AUTHORITY\Configuración local\Archivos temporales de Internet\Content.IE5\8XYN0DE3\installer[1].exe
C:\WINDOWS\cGM\w3g.vbs
C:\WINDOWS\teller2.chk
C:\WINDOWS\Temp\cmdinst.exe
C:\WINDOWS\Prefetch\CMDINST.EXE-0C71A1C6.pf




Administrador - 06-10-14 2:16:24,48 Service Pack 1
ComboFix 06.10.14 - Running from: "C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Escritorio"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{CE9B4A3F-4808-4CE9-8E32-F09D987D94E8}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{CE9B4A3F-4808-4CE9-8E32-F09D987D94E8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{CE9B4A3F-4808-4CE9-8E32-F09D987D94E8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{CE9B4A3F-4808-4CE9-8E32-F09D987D94E8}\InprocServer32]
@="C:\\WINDOWS\\system32\\damap.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{0AE82DE6-DA16-46E6-B858-6B5D0243124D}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0AE82DE6-DA16-46E6-B858-6B5D0243124D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{0AE82DE6-DA16-46E6-B858-6B5D0243124D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0AE82DE6-DA16-46E6-B858-6B5D0243124D}\InprocServer32]
@="C:\\WINDOWS\\system32\\mncat32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{C370D52A-8141-4206-AF5E-11F3264FA38E}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C370D52A-8141-4206-AF5E-11F3264FA38E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C370D52A-8141-4206-AF5E-11F3264FA38E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C370D52A-8141-4206-AF5E-11F3264FA38E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mmimg32.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\i8jq0i15e8.dll


Granting sedebugprivilege to Administradores ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))




* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndrff_e28.exe
C:\drsmartload.exe
C:\kybrdff_e28.exe
C:\Archivos de programa\Deskbar


((((((((((((((((((((((((((((((( Files Created from 2006-09-14 to 2006-10-14 ))))))))))))))))))))))))))))))))))


2006-10-14 01:06 69,165 --a------ C:\pp4ico.exe
2006-10-14 01:06 40,973 ---hs---- C:\WINDOWS\system32\hggdcba.dll
2006-10-14 01:06 133,561 --a------ C:\wacky32.exe
2006-10-14 00:29 40,973 ---hs---- C:\WINDOWS\system32\khfgfgg.dll
2006-10-13 23:57 40,973 ---hs---- C:\WINDOWS\system32\opnnonn.dll
2006-10-13 17:58 41,452 --a------ C:\WINDOWS\system32\eraseme_86658.exe
2006-10-13 14:28 76,800 -r-hs---- C:\WINDOWS\system32\lsscs.exe
2006-10-13 00:39 80,384 -r-hs---- C:\WINDOWS\eiRecvr.exe
2006-10-12 17:39 795,136 ---hs---- C:\WINDOWS\system32\winsys32.exe
2006-10-04 13:28 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-10-04 13:28 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-14 02:07 -------- d-------- C:\Archivos de programa\Mozilla Firefox
2006-10-14 01:43 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\SUPERAntiSpyware.com
2006-10-14 01:43 -------- d-------- C:\Archivos de programa\SUPERAntiSpyware
2006-10-14 01:43 -------- d-------- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2006-10-14 01:43 -------- d-------- C:\Archivos de programa\Archivos comunes
2006-10-13 21:20 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Lavasoft
2006-10-13 21:13 -------- d-------- C:\Archivos de programa\DelPSGuard
2006-10-13 20:26 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Macromedia
2006-10-13 18:01 -------- d-------- C:\Archivos de programa\FlashGet
2006-10-13 18:00 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\vlc
2006-10-13 17:58 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Talkback
2006-10-13 17:58 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Mozilla
2006-10-13 17:48 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Real
2006-10-13 17:47 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Identities
2006-10-13 17:47 -------- d-------- C:\Archivos de programa\Windows Media Player
2006-10-13 17:46 -------- d---s---- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Microsoft
2006-10-12 20:03 61072 --a------ C:\WINDOWS\system32\drivers\klick.sys
2006-10-12 20:03 59536 --a------ C:\WINDOWS\system32\drivers\klin.sys
2006-10-12 19:52 -------- d-------- C:\Archivos de programa\AOL
2006-10-12 00:54 -------- d-------- C:\Archivos de programa\Ashampoo
2006-10-11 20:12 -------- d-------- C:\Archivos de programa\Soulseek
2006-10-11 19:15 -------- d-------- C:\Archivos de programa\Archivos comunes\xing shared
2006-10-11 19:15 -------- d-------- C:\Archivos de programa\Archivos comunes\Real
2006-10-11 19:14 -------- d-------- C:\Archivos de programa\Real
2006-10-10 20:07 -------- d-------- C:\Archivos de programa\mIRC
2006-10-04 14:04 -------- d-------- C:\Archivos de programa\Accessdiver
2006-10-04 13:28 -------- d-------- C:\Archivos de programa\Grisoft
2006-10-04 12:30 -------- d-------- C:\Archivos de programa\ESET
2006-09-29 01:17 -------- d-------- C:\Archivos de programa\Yahoo!
2006-09-23 23:16 -------- d-------- C:\Archivos de programa\Conquer 2.0
2006-09-23 23:03 -------- d-------- C:\Archivos de programa\MSN
2006-09-09 17:27 33856 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-09-04 01:51 -------- d-------- C:\Archivos de programa\MSN Messenger
2006-08-31 14:27 -------- d-------- C:\Archivos de programa\Disk Cleaner
2006-08-31 00:14 -------- d-------- C:\Archivos de programa\Lavasoft
2006-08-30 21:22 -------- d-------- C:\Archivos de programa\Webroot
2006-08-30 14:08 -------- d--h----- C:\Archivos de programa\InstallShield Installation Information
2006-08-30 14:08 -------- d-------- C:\Archivos de programa\Gravity
2006-08-29 18:56 -------- d-------- C:\Archivos de programa\Network Associates
2006-08-29 18:24 -------- d--h----- C:\Archivos de programa\WindowsUpdate
2006-07-29 20:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Archivos de programa\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"PCTVOICE"="pctspk.exe"
"McAfeeUpdaterUI"="\"C:\\Archivos de programa\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"InCD"="\"C:\\Archivos de programa\\Ahead\\InCD\\InCD.exe\""
"DAEMON Tools-1033"="\"C:\\Archivos de programa\\D-Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"aol"="\"C:\\Archivos de programa\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi página de inicio actual"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MDM"="MDN.exe"
"Windows System32"="winsys32.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"MDM"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Windows System32"="winsys32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MDM"="MDN.exe"
"Windows System32"="winsys32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"MDM"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Windows System32"="winsys32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{7D00738B-6974-4794-98D4-DE79A07ECD81}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnliig
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnonn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-14 2:25:38.39
C:\ComboFix.txt ... 06-10-14 02:25



Logfile of HijackThis v1.99.1
Scan saved at 2:37:52, on 14/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\eiRecvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\lsscs.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Archivos de programa\AOL\Active Virus Shield\avp.exe
C:\Archivos de programa\AOL\Active Virus Shield\avp.exe
C:\Documents and Settings\Administrador\Mis documentos\aplicaciones\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forospyware.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://deskbar.worldtostart.com/deskbar/bye.asp?id=%toolbar_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - C:\WINDOWS\System32\opnnonn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Archivos de programa\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "C:\Archivos de programa\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: nnnliig - nnnliig.dll (file missing)
O20 - Winlogon Notify: opnnonn - C:\WINDOWS\SYSTEM32\opnnonn.dll
O20 - Winlogon Notify: SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Archivos de programa\AOL\Active Virus Shield\avp.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe

that's it............ it's getting any better???
minime
Active Member
 
Posts: 7
Joined: October 13th, 2006, 12:44 am

Unread postby waterfalls » October 14th, 2006, 2:01 pm

Well, like I said previously, we have a lot of work to do.

Go to Start > Run and copy/paste: C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Escritorio\combofix.exe /v hggdcba khfgfgg opnnonn

After reboot, post back with the new combofix log and a new HijackThis lgo.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby minime » October 14th, 2006, 7:54 pm

i couldn't execute combofix because of the last part of de command (/v hggdcba khfgfgg opnnonn) so i execute it with out it. i hope it's usefull anyways.

Administrador - 06-10-14 20:42:13,20 Service Pack 1
ComboFix 06.10.14 - Running from: "C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Escritorio"

((((((((((((((((((((((((((((((( Files Created from 2006-09-14 to 2006-10-14 ))))))))))))))))))))))))))))))))))


2006-10-14 20:29 0 --a------ C:\WINDOWS\system32\eraseme_16784.exe
2006-10-14 16:12 40,973 ---hs---- C:\WINDOWS\system32\xxywuvv.dll
2006-10-14 16:11 193,536 --a------ C:\WINDOWS\system32\cpstorage.exe
2006-10-14 16:09 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-14 16:09 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-14 16:09 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-14 16:09 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-14 13:47 40,973 ---hs---- C:\WINDOWS\system32\hggddcy.dll
2006-10-14 13:37 40,973 ---hs---- C:\WINDOWS\system32\jkkjhhi.dll
2006-10-14 13:16 143,380 --a------ C:\WINDOWS\system32\pwebnsci.exe
2006-10-14 13:15 377,665 ---hs---- C:\WINDOWS\system32\orqss.bak1
2006-10-14 13:14 684,084 ---hs---- C:\WINDOWS\system32\ssqro.dll
2006-10-14 12:54 1,259 --a------ C:\WINDOWS\system32\slrce5a9.sys
2006-10-14 12:50 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-10-14 12:46 40,973 ---hs---- C:\WINDOWS\system32\ljjhedb.dll
2006-10-14 02:39 40,973 ---hs---- C:\WINDOWS\system32\hgghige.dll
2006-10-14 01:06 40,973 ---hs---- C:\WINDOWS\system32\hggdcba.dll
2006-10-14 00:29 40,973 ---hs---- C:\WINDOWS\system32\khfgfgg.dll
2006-10-13 23:57 40,973 ---hs---- C:\WINDOWS\system32\opnnonn.dll
2006-10-13 17:58 41,452 --a------ C:\WINDOWS\system32\eraseme_86658.exe
2006-10-12 17:39 795,136 ---hs---- C:\WINDOWS\system32\winsys32.exe
2006-10-04 13:28 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-10-04 13:28 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-14 20:40 -------- d-------- C:\Archivos de programa\Mozilla Firefox
2006-10-14 16:09 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\AVG7
2006-10-14 16:08 -------- d---s---- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Microsoft
2006-10-14 16:07 -------- d--h----- C:\Archivos de programa\InstallShield Installation Information
2006-10-14 16:07 -------- d-------- C:\Archivos de programa\SUPERAntiSpyware
2006-10-14 16:07 -------- d-------- C:\Archivos de programa\Archivos comunes
2006-10-13 21:20 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Lavasoft
2006-10-13 21:13 -------- d-------- C:\Archivos de programa\DelPSGuard
2006-10-13 20:26 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Macromedia
2006-10-13 18:01 -------- d-------- C:\Archivos de programa\FlashGet
2006-10-13 18:00 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\vlc
2006-10-13 17:58 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Talkback
2006-10-13 17:58 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Mozilla
2006-10-13 17:48 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Real
2006-10-13 17:47 -------- d-------- C:\Documents and Settings\Administrador.UPG6GTHAHLDLC04\Datos de programa\Identities
2006-10-13 17:47 -------- d-------- C:\Archivos de programa\Windows Media Player
2006-10-12 00:54 -------- d-------- C:\Archivos de programa\Ashampoo
2006-10-11 20:12 -------- d-------- C:\Archivos de programa\Soulseek
2006-10-11 19:15 -------- d-------- C:\Archivos de programa\Archivos comunes\xing shared
2006-10-11 19:15 -------- d-------- C:\Archivos de programa\Archivos comunes\Real
2006-10-11 19:14 -------- d-------- C:\Archivos de programa\Real
2006-10-10 20:07 -------- d-------- C:\Archivos de programa\mIRC
2006-10-04 14:04 -------- d-------- C:\Archivos de programa\Accessdiver
2006-10-04 13:28 -------- d-------- C:\Archivos de programa\Grisoft
2006-10-04 12:30 -------- d-------- C:\Archivos de programa\ESET
2006-09-29 01:17 -------- d-------- C:\Archivos de programa\Yahoo!
2006-09-23 23:16 -------- d-------- C:\Archivos de programa\Conquer 2.0
2006-09-23 23:03 -------- d-------- C:\Archivos de programa\MSN
2006-09-09 17:27 33856 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-09-04 01:51 -------- d-------- C:\Archivos de programa\MSN Messenger
2006-08-31 14:27 -------- d-------- C:\Archivos de programa\Disk Cleaner
2006-08-31 00:14 -------- d-------- C:\Archivos de programa\Lavasoft
2006-08-30 21:22 -------- d-------- C:\Archivos de programa\Webroot
2006-08-30 14:08 -------- d-------- C:\Archivos de programa\Gravity
2006-08-29 18:56 -------- d-------- C:\Archivos de programa\Network Associates
2006-08-29 18:24 -------- d--h----- C:\Archivos de programa\WindowsUpdate
2006-07-29 20:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Windows System32"="winsys32.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"Windows System32"="winsys32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"PCTVOICE"="pctspk.exe"
"McAfeeUpdaterUI"="\"C:\\Archivos de programa\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"InCD"="\"C:\\Archivos de programa\\Ahead\\InCD\\InCD.exe\""
"DAEMON Tools-1033"="\"C:\\Archivos de programa\\D-Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows System32"="winsys32.exe"
"AVG7_CC"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows System32"="winsys32.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi página de inicio actual"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MDM"="MDN.exe"
"Windows System32"="winsys32.exe"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"MDM"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Windows System32"="winsys32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"MDM"="MDN.exe"
"Windows System32"="winsys32.exe"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"MDM"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Windows System32"="winsys32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{7D00738B-6974-4794-98D4-DE79A07ECD81}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjhhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnliig
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqro

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-14 20:42:49.14
C:\ComboFix.txt ... 06-10-14 20:42
C:\ComboFix2.txt ... 06-10-14 20:25
C:\ComboFix3.txt ... 06-10-14 02:25

Logfile of HijackThis v1.99.1
Scan saved at 20:52:04, on 14/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\WINDOWS\System32\winsys32.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cpstorage.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\Administrador\Mis documentos\aplicaciones\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forospyware.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://deskbar.worldtostart.com/deskbar/bye.asp?id=%toolbar_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Archivos de programa\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows System32] winsys32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows System32] winsys32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows System32] winsys32.exe
O4 - HKCU\..\RunServices: [Windows System32] winsys32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0840938671
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINDOWS\eiRecvr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Plugin Service - Unknown owner - C:\WINDOWS\system32\lsyss.exe (file missing)
O23 - Service: Window Plugin Service - Unknown owner - C:\WINDOWS\system32\lsscs.exe (file missing)


:(
minime
Active Member
 
Posts: 7
Joined: October 13th, 2006, 12:44 am

Unread postby waterfalls » October 14th, 2006, 8:37 pm

We can try one more thing.

• Please download VundoFix.exe and save it to your Desktop.
- Double-click VundoFix.exe to run it
- Click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your Desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will reboot your computer
- Click OK

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do not run it again.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.

• Please post the contents of C:\vundofix.txt and a new HiJackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby minime » October 15th, 2006, 4:23 pm

Vundo fix detected 5 objects and were removed but i didn't got a log file.
I have changed antivir to avg and scaned my computer on safe mode with avg free, avg antispyware, spybot, superantispyware, ad-aware and combofix and a lot of stuff has been neutralized (!!!aparently dsmartload also!!!)

here's the log of hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 17:16:45, on 15/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cpstorage.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrador\Mis documentos\aplicaciones\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forospyware.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://deskbar.worldtostart.com/deskbar/bye.asp?id=%toolbar_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - C:\WINDOWS\System32\jkkjhhi.dll (file missing)
O2 - BHO: (no name) - {E60095D5-102A-4FC2-8B7B-D3B59ADB22B8} - C:\WINDOWS\System32\ssqro.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Archivos de programa\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0840938671
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkkjhhi - jkkjhhi.dll (file missing)
O20 - Winlogon Notify: nnnliig - nnnliig.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

what do you think????
minime
Active Member
 
Posts: 7
Joined: October 13th, 2006, 12:44 am

Unread postby minime » October 15th, 2006, 4:27 pm

here's the vundofix log :lol: :lol: :lol:
VundoFix V6.2.2

Checking Java version...

Sun Java not detected
Scan started at 16:53:45 15/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\pwebnsci.exe
C:\WINDOWS\System32\ssqro.dll
C:\WINDOWS\System32\orqss.ini
C:\WINDOWS\System32\orqss.bak1
C:\WINDOWS\System32\orqss.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pwebnsci.exe
C:\WINDOWS\system32\pwebnsci.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\ssqro.dll
C:\WINDOWS\System32\ssqro.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\orqss.ini
C:\WINDOWS\System32\orqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\orqss.bak1
C:\WINDOWS\System32\orqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\orqss.bak2
C:\WINDOWS\System32\orqss.bak2 Has been deleted!

Performing Repairs to the registry.
Done!
minime
Active Member
 
Posts: 7
Joined: October 13th, 2006, 12:44 am

Unread postby waterfalls » October 15th, 2006, 4:42 pm

Hi,

Yes, things are looking better.

Try running SDFix now (see instructions above) and post back with the Report.txt and a new HijackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby minime » October 16th, 2006, 6:33 pm

sdfix still doesn't run

It give's me yhis message: the system couldn't execute the specified program
minime
Active Member
 
Posts: 7
Joined: October 13th, 2006, 12:44 am

Unread postby waterfalls » October 16th, 2006, 7:23 pm

Hi,

• I note in your log that you have FlashGet the download manager.
Be aware that the trial copy bundles Cydoor adware but, when you register, the advertisements disappear.
So, if you are using the trial version, I strongly suggest you remove it.
To remove the program:
- Go to Start -> Control Panel -> Add/Remove Programs
- Select FlashGet
- Click Remove
- Exit.

• Reboot your computer.

• Open Notepad and copy and paste the text inside the codebox into Notepad:

Code: Select all
REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MDM"=-
"Windows System32"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"MDM"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Windows System32"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MDM"=-
"Windows System32"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"MDM"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Windows System32"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D00738B-6974-4794-98D4-DE79A07ECD81}"=-


- Save this as fix.reg -> choose to save as *all files -> and place it on your desktop.
- It should look like this: Image
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

• Please set your system to show all files.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab. Under the Hidden files and folders heading, select Show hidden files
and folders.
- Uncheck: Hide file extensions for known file types
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.

• Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://deskbar.worldtostart.com/deskbar/bye.asp?id=%toolbar_id
O2 - BHO: (no name) - {7D00738B-6974-4794-98D4-DE79A07ECD81} - C:\WINDOWS\System32\jkkjhhi.dll (file missing)
O2 - BHO: (no name) - {E60095D5-102A-4FC2-8B7B-D3B59ADB22B8} - C:\WINDOWS\System32\ssqro.dll (file missing)


If you uninstalled FlashGet, then also check:
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O20 - Winlogon Notify: jkkjhhi - jkkjhhi.dll (file missing)
O20 - Winlogon Notify: nnnliig - nnnliig.dll (file missing)


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

• Navigate to and delete the following folder if present:
C:\Program Files\FlashGet

• Navigate to and delete the following files if present:
C:\pp4ico.exe
C:\wacky32.exe
C:\WINDOWS\eiRecvr.exe
C:\WINDOWS\system32\hggdcba.dll
C:\WINDOWS\system32\khfgfgg.dll
C:\WINDOWS\system32\opnnonn.dll
C:\WINDOWS\system32\lsscs.exe
C:\WINDOWS\system32\winsys32.exe
mdn.exe - look for this file and delete it.

• Reboot your computer.

• Please upload this file to Jotti's Online Virus Scan
C:\WINDOWS\system32\cpstorage.exe
- Click "Browse" at the top of the page
- Navigate to C:\WINDOWS\system32\cpstorage.exe
- Click "Open" and let the scan finish
- Copy/paste the results in your next reply.

• Perform an onlinescan with Panda Online. Please use this scanner instead of any other scanner! You have to use Internet Explorer for this scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the "See Report" button, then "Save Report" and save it to a convenient location.

• Post back with the results of the Jotti Scan, the Panda Online Scan and a new HijackThis log.
User avatar
waterfalls
MRU Emeritus
MRU Emeritus
 
Posts: 70
Joined: December 23rd, 2005, 10:16 am

Unread postby Nellie2 » November 5th, 2006, 2:56 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 289 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware