What the Tech! computer forums (malware removal help)
[Resolved] Computer completely taken over, spyware/malware...Hijackthis log attached
stryvn
post Jul 10 2008, 07:24 PM
Post #1


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 31-March 04
Member No.: 3,557



My computer is overrun by spyware and cannot be used at the moment. I cannot even identify the virus/spyware as it is commandered nearly as soon as I start it up. Thank You for your help! Hijackthis log is below...


Logfile of HijackThis v1.99.1
Scan saved at 8:00:10 PM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\U2NvdHQ\command.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\444.470
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\mrofinu1000106.exe
C:\windows\system32\jkwnw64o.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MBOLS~1\winlogon.exe
C:\Documents and Settings\Scott\My Documents\F?nts\w?nspool.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
C:\Program Files\Svconr\Svconr.exe
C:\Documents and Settings\Scott\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\Windows\dnqmm.exe
C:\PROGRA~1\COMMON~1\fzzi\fzzim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\fzzi\fzzia.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
C:\WINDOWS\TEMP\133.tmp
C:\WINDOWS\system32\pcntlkdm.exe
C:\Program Files\GetModule\GetModule19.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\GetPack\GetPack19.exe
C:\WINDOWS\b152.exe
C:\Program Files\mjc\mjc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\8bc3857eb47e63856dbb1de3a6a2f2ee\update\update.exe
C:\WINDOWS\system32\HPZipm12.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Spcron\Spc.dll
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: gooochi browser optimizer - {97682207-7e67-45ac-8501-3901bb97aa81} - C:\WINDOWS\system32\{89efd5a1-47bf-9a28-47f8-2a59398bc363}.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AD3CE830-51DF-7607-F84D-0BA2ECED42C1} - C:\WINDOWS\system32\wgnk.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: 0 - {CFF18206-8CB3-46D9-88B4-76C6BD88E525} - C:\Program Files\Intel\qubapi517.dll
O2 - BHO: (no name) - {DCCAD0B3-068F-4970-BE48-9CF4465AEA95} - C:\Program Files\Movie Maker\mepovy66225.dll
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C2832213329D26033AAC
O4 - HKLM\..\Run: [{0E-EB-B0-09-DW}] C:\windows\system32\jkwnw64o.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pcntlkdm.exe DWram
O4 - HKLM\..\Run: [{75b436c4-a6db-c851-eaea-9c1b9e59dae8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{89efd5a1-47bf-9a28-47f8-2a59398bc363}.dll" DllStart
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Scott\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcsh] "C:\PROGRA~1\MBOLS~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Rlx] "C:\Documents and Settings\Scott\My Documents\F?nts\w?nspool.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Scott\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Scott\Application Data\Microsoft\Windows\dnqmm.exe
O4 - HKCU\..\Run: [fzzi] C:\PROGRA~1\COMMON~1\fzzi\fzzim.exe
O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - Startup: BJ Status Monitor Canon S520.lnk = ?
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\pcntlkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\jkwnw64o.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188962678274
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...uginstaller.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2NvdHQ\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe (file missing)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

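As an added example (not code from the thread or from HijackThis), a small Python triage script that reads a HijackThis log of the layout posted above and flags the kinds of entries that mark this log as compromised: the second executable chained into UserInit (F2), autostarts, services and processes running from user-profile or oddly named folders (O4, O23, Running processes), the disabled Registry Editor (O7), the Winsock hijack (O10) and the local-file start page (R0/R1). The heuristics, constant names and the sample excerpt are this example's own assumptions, not HijackThis rules.

```python
"""Heuristic triage of a HijackThis v1.99 log (added example, not HijackThis code).
The rules are this script's own, modelled on what the thread shows: an extra
executable chained into UserInit (F2), binaries in user-profile or oddly named
folders (O4, O23, running processes), a disabled Registry Editor (O7), a Winsock
hijack (O10) and a local-file start page (R0/R1). Output is a review list, not a verdict.
"""
import base64
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason path")

# An absolute path that ends in an executable-type extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|bat|vbs|cmd|scr))(?=["\s,]|$)', re.I)
EXT_RE = re.compile(r"\.(exe|dll|bat|vbs|cmd|scr)$", re.I)
USER_PROFILE = re.compile(r"^C:\\Documents and Settings\\", re.I)
TRUSTED_DIRS = re.compile(r"^C:\\(WINDOWS\\system32|Program Files)\\", re.I)
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{7,}$")


def decode_if_base64(name):
    """Plain text a folder name base64-decodes to, else None. The log above runs a
    service from C:\\WINDOWS\\U2NvdHQ\\; that name is base64 for "Scott", the profile
    name seen elsewhere in the same log."""
    if not B64_NAME.match(name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text.isalnum() else None


def path_flags(path):
    """Location-based reasons to look harder at one binary."""
    reasons = []
    if USER_PROFILE.match(path):
        reasons.append("runs from a user-profile folder")
    if not EXT_RE.search(path):
        reasons.append("no executable extension")
    for folder in path.split("\\")[1:-1]:  # skip drive letter and file name
        decoded = decode_if_base64(folder)
        if decoded:
            reasons.append(f"folder {folder!r} is base64 for {decoded!r}")
    return reasons


def check_entry(line):
    """Apply the section-specific rule to one 'Rx - ...' / 'Oxx - ...' entry."""
    tag = line.split(" - ", 1)[0]
    paths = PATH_RE.findall(line)
    if tag in ("R0", "R1") and "= file://" in line.lower():
        return [Finding(tag, "start/search page points at a local file", line.split("= ", 1)[1])]
    if tag == "F2":  # UserInit should name userinit.exe only; anything else runs at logon
        return [Finding(tag, "extra executable chained into UserInit", p)
                for p in paths if not p.lower().endswith("\\userinit.exe")]
    if tag == "O7" and "DisableRegedit=1" in line:
        return [Finding(tag, "Registry Editor disabled by policy", line)]
    if tag == "O10" and "Hijacked" in line:
        return [Finding(tag, "Winsock (LSP) hijack reported", line)]
    if tag in ("O4", "O23") and paths:
        reasons = path_flags(paths[0])
        if tag == "O23" and "Unknown owner" in line and not TRUSTED_DIRS.match(paths[0]):
            reasons.append("unknown owner, binary outside the system folders")
        return [Finding(tag, r, paths[0]) for r in reasons]
    return []


def triage(log_text):
    """Walk the log once; the process list runs from 'Running processes:' to a blank line."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            in_procs = False
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            findings += [Finding("process", r, line) for r in path_flags(line)]
        else:
            findings += check_entry(line)
    return findings


# Constructed excerpt: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\U2NvdHQ\\command.exe
C:\\WINDOWS\\444.470
C:\\Documents and Settings\\Scott\\Application Data\\Microsoft\\dtsc\\28872.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = file://c:/windows/homepage.html
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [Microsoft Windows Installer] C:\\Documents and Settings\\Scott\\Application Data\\Microsoft\\dtsc\\28872.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O10 - Hijacked Internet access by WebHancer
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\U2NvdHQ\\command.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section:7}] {f.reason}: {f.path}")
```

Run against the full log from the post, the same rules also surface the `Rlx`, `Rcsh`, `Svconr` and `SfKg6wIP` autostarts, all of which live under the user's profile.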
FencerGirl
post Jul 17 2008, 07:04 AM
Post #2


Authentic Member

Group: MRU Students
Posts: 128
Joined: 28-August 06
From: Ohio
Member No.: 60,742
Operating System: Windows XP and ME



Hello!
I go by FencerGirl. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Finally, please reply to this thread. Do not start a new topic.


It may take me a while to reply to you as all of my fixes are being checked by experts to ensure that you are getting a good fix. And remember, like you I have a real life, so I may not be at my computer when you are!

FencerGirl
stryvn
post Jul 17 2008, 07:11 AM
Post #3





Thank you, Fencer! Patience and you have a real life too....got it. I am grateful for your help!

FencerGirl
post Jul 17 2008, 11:16 AM
Post #4





Hi stryvn,

I am sorry to be the bearer of bad news but unfortunately, you have multiple trojans, including one password stealer and several with backdoor capabilities. This gives intruders complete control of your computer, logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately!:
  • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
      Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles:

Should you have any questions, please feel free to ask.

You also have a worm that spreads itself via e-mail. So, if you have any e-mail addresses stored on your computer, please notify their owners that they may be infected as well.

Please post back and let me know if you'd like me to try and clean your computer.
Thanks,
FencerGirl
stryvn
post Jul 17 2008, 12:26 PM
Post #5





Thanks, Fencer. I was afraid of this. I will follow your advice re: calling banks etc. The machine is older and used exclusively by my children to play games. When the problem was discovered, (about a month ago) the machine was immediately taken offline and only turned on by myself once to try to identify the problem. The machine has not been used to access any bank accounts/financial accounts for over a year....out of curiosity, can they still gain this info if it has not been used for this in over a year?

And, yes, I would like to go ahead and try to clean the machine.
FencerGirl
post Jul 17 2008, 01:41 PM
Post #6





Hi stryvn,
Although unlikely, it is possible for a hacker to obtain your banking information from your computer if it was still stored on the hard drive somewhere. An example might be a really ancient cookie or a document where you stored various on-line passwords.
Also, you'll want to refrain from doing any future banking on this computer. While I'll do my best to ensure it's clean, there are no guarantees when backdoors are involved.

Now to the cleaning. Since you have so many infections, we are going to try to take care of the backdoors first.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Thanks,
FencerGirl
stryvn
post Jul 17 2008, 04:15 PM
Post #7





I've downloaded the sdfix to a flash drive and transferred over to the infected machine's desktop. When I double click the icon, the file will not self extract. I cannot get it to run.
FencerGirl
post Jul 18 2008, 07:11 AM
Post #8





Hi stryvn,
Try double clicking on SDFix.exe while it's still on your flash drive to see if it will extract to your C:\ drive.
If not, try renaming the file on your uninfected computer to extract.exe, copy it to your flash drive, then copy extract.exe to the infected computer and try to extract it. It is important the file be renamed before it gets anywhere near the infected computer.
Let me know if either of these work. If not, we'll try a different tactic.
Thanks,
FencerGirl
stryvn
post Jul 18 2008, 05:12 PM
Post #9





Hi Fencer,

Trying to run the .exe from the flash drive did not work either but renaming it then moving to the desktop did. I've attached the logs below.

Thank you.




SDFix: Version 1.206
Run by Administrator on Fri 07/18/2008 at 05:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
clbdriver
cmdService
MsSecurity1.209.4
Network Monitor

Path :
\??\globalroot\systemroot\system32\drivers\vmdesched.sys
C:\WINDOWS\U2NvdHQ\command.exe
C:\WINDOWS\444.470 service
C:\Program Files\Network Monitor\netmon.exe service

clbdriver - Deleted
cmdService - Deleted
MsSecurity1.209.4 - Deleted
Network Monitor - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\U2NvdHQ\asappsrv.dll - Deleted
C:\WINDOWS\U2NvdHQ\command.exe - Deleted
C:\WINDOWS\U2NvdHQ\oZhSxJk.vbs - Deleted
C:\PROGRA~1\INTEL\QUBAPI.DLL - Deleted
C:\PROGRA~1\INTEL\QUBAPI~1.DLL - Deleted
C:\PROGRA~1\INTEL\QUBAPI~2.DLL - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\vtmp2\ktnv33.log - Deleted
C:\WINDOWS\system32\vntiho06\vntiho061083.exe - Deleted
C:\Program Files\GetModule\dicik.gz - Deleted
C:\Program Files\GetModule\GetModule18.exe - Deleted
C:\Program Files\GetModule\GetModule19.exe - Deleted
C:\Program Files\GetModule\kwdik.gz - Deleted
C:\Program Files\GetModule\pckik.dat - Deleted
C:\Program Files\GetModule\sonetupd.exe - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack19.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\mjc\mjc.exe - Deleted
C:\Program Files\QdrModule\dicer.gz - Deleted
C:\Program Files\QdrModule\kwder.gz - Deleted
C:\Program Files\QdrModule\pckrer.dat - Deleted
C:\Program Files\QdrModule\QdrModule17.exe - Deleted
C:\Program Files\QdrModule\ventureupd.exe - Deleted
C:\Program Files\Sakora\Sakora.exe - Deleted
C:\Program Files\Spcron\Spc.dll - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b116.exe - Deleted
C:\WINDOWS\b148.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\b156.exe - Deleted
C:\WINDOWS\b157.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\WINDOWS\promo1.html - Deleted
C:\WINDOWS\promo2.html - Deleted
C:\WINDOWS\promo3.html - Deleted
C:\WINDOWS\promo4.html - Deleted
C:\WINDOWS\promo5.html - Deleted
C:\WINDOWS\promo6.html - Deleted
C:\WINDOWS\promogif1.gif - Deleted
C:\WINDOWS\promogif2.gif - Deleted
C:\WINDOWS\promogif3.gif - Deleted
C:\WINDOWS\system32\000050.exe - Deleted
C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\homepage.html - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\index.html - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\adult.txt - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\finance.txt - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\lt.res - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\other.txt - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\pharma.txt - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sn.txt - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Documents and Settings\Scott\Application Data\SpeedRunner - Removed
Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\mjc - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Program Files\QdrModule - Removed
Folder C:\Program Files\Sakora - Removed
Folder C:\Program Files\Spcron - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\Temp\vtmp2 - Removed
Folder C:\WINDOWS\system32\vntiho06 - Removed


Removing Temp Files

ADS Check :



Final Check :


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"="C:\\Program Files\\iMesh\\Client\\iMeshClient.exe:*:Disabled:iMesh Client for PC platforms"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\ProENGINEER Student Edition\\i486_nt\\obj\\xtop.exe"="C:\\Program Files\\ProENGINEER Student Edition\\i486_nt\\obj\\xtop.exe:*:Enabled:xtop"
"C:\\Program Files\\ProENGINEER Student Edition\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files\\ProENGINEER Student Edition\\i486_nt\\nms\\nmsd.exe:*:Enabled:nmsd"
"C:\\Program Files\\ProENGINEER Student Edition\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files\\ProENGINEER Student Edition\\i486_nt\\obj\\pro_comm_msg.exe:*:Enabled:pro_comm_msg"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 7 Jun 2008 89,088 ..SHR --- "C:\Program Files\??mbols\winlogon.exe"
Sun 10 Jul 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 14 Mar 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sun 14 Mar 2004 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sun 14 Mar 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sun 18 May 2008 582 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti5.tmp"
Sun 18 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 18 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 29 May 2008 230,400 ..SHR --- "C:\Documents and Settings\Scott\My Documents\F?nts\w?nspool.exe"
Sat 28 Feb 2004 24,576 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL0005.tmp"
Thu 31 Mar 2005 38,400 ...H. --- "C:\Documents and Settings\Scott\Application Data\Microsoft\Word\~WRL0006.tmp"

Finished!
Logfile of HijackThis v1.99.1
Scan saved at 6:05:30 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MBOLS~1\winlogon.exe
C:\Documents and Settings\Scott\My Documents\F?nts\w?nspool.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
C:\PROGRA~1\COMMON~1\fzzi\fzzim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\SYSTEM32\pcntlkdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\COMMON~1\fzzi\fzzia.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\COMMON~1\fzzi\fzzil.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: gooochi browser optimizer - {97682207-7e67-45ac-8501-3901bb97aa81} - C:\WINDOWS\system32\{89efd5a1-47bf-9a28-47f8-2a59398bc363}.dll
O2 - BHO: (no name) - {9C11D839-7C9E-4630-D50C-488FD5DF6FF5} - C:\WINDOWS\system32\wgnk.dll
O2 - BHO: (no name) - {AD3CE830-51DF-7607-F84D-0BA2ECED42C1} - C:\WINDOWS\system32\wgnk.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: 0 - {CFF18206-8CB3-46D9-88B4-76C6BD88E525} - C:\Program Files\Intel\qubapi517.dll (file missing)
O2 - BHO: (no name) - {DCCAD0B3-068F-4970-BE48-9CF4465AEA95} - C:\Program Files\Movie Maker\mepovy66225.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [{0E-EB-B0-09-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [{75b436c4-a6db-c851-eaea-9c1b9e59dae8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{89efd5a1-47bf-9a28-47f8-2a59398bc363}.dll" DllStart
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\pcntlkdm.exe DWram
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcsh] "C:\PROGRA~1\MBOLS~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Rlx] "C:\Documents and Settings\Scott\My Documents\F?nts\w?nspool.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
O4 - HKCU\..\Run: [fzzi] C:\PROGRA~1\COMMON~1\fzzi\fzzim.exe
O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - Startup: BJ Status Monitor Canon S520.lnk = ?
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\pcntlkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188962678274
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...uginstaller.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ptssvc - Unknown owner - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe (file missing)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)


FencerGirl
post Jul 19 2008, 10:30 AM
Post #10

Authentic Member
Group: MRU Students
Posts: 128
Joined: 28-August 06
From: Ohio
Member No.: 60,742
Operating System: Windows XP and ME

Hi stryvn,
Nice job getting SDFix to run. It removed a lot of trojans, but you are still heavily infected.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Important!

You'll need to rename ComboFix.exe like we did SDFix. So, before you transfer ComboFix.exe to the infected computer, rename it to Combo-Fix.exe
After you've renamed it, you can transfer it to the infected computer and follow the instructions from Bleeping Computer, paying special attention to those regarding Recovery Console.

Please ensure you read this guide carefully and install the Recovery Console first.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

After you've installed Recovery Console run ComboFix as detailed in the instructions at the webpage listed above.

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Thanks,
FencerGirl
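Added example, not part of this thread and not code from HijackThis, SDFix or ComboFix: a small triage script run over lines copied from the HijackThis log above, flagging the kinds of entries FencerGirl is reacting to when she says the machine is still heavily infected (a winlogon.exe outside \WINDOWS\system32, '?' characters standing in for unprintable folder names, executables started from the user profile, numeric-only file names, GUID-like Run value names). The heuristics, the SYSTEM_NAMES set and the function names are my own assumptions, not rules from any of those tools.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread
# (process-list entries and O4 autostart entries), so the heuristics can be run offline.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\MBOLS~1\winlogon.exe
C:\Documents and Settings\Scott\My Documents\F?nts\w?nspool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0E-EB-B0-09-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKCU\..\Run: [Rcsh] "C:\PROGRA~1\MBOLS~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: core Windows XP binaries that legitimately live only in \WINDOWS\system32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "userinit.exe", "spoolsv.exe"}

O4_RE = re.compile(r"O4 - .*?: \[(?P<name>.*?)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'(?:[a-z]:|%\w+%)[^"]*?\.exe', re.I)
SYSTEM32_RE = re.compile(r"^(c:\\windows|%windir%|%systemroot%)\\system32$", re.I)


def extract_path(line):
    """Return the first .exe path in a process-list or O4 line, or None."""
    m = O4_RE.match(line)
    cmd = m.group("cmd") if m else line
    p = PATH_RE.search(cmd)
    return p.group(0) if p else None


def assess(line):
    """Return the reasons an entry looks suspicious (empty list: nothing stood out).
    These are triage heuristics drawn from this thread's log, not a verdict."""
    path = extract_path(line)
    if path is None:
        return []
    reasons = []
    folder, _, name = path.rpartition("\\")
    if name.lower() in SYSTEM_NAMES and not SYSTEM32_RE.match(folder):
        reasons.append(f"system binary name {name} outside \\WINDOWS\\system32")
    if "?" in path:
        reasons.append("unprintable character in path (shown as '?')")
    if re.search(r"\\(application data|my documents)\\", path, re.I):
        reasons.append("executable launched from the user profile")
    if re.fullmatch(r"\d+\.exe", name, re.I):
        reasons.append("numeric-only file name")
    m = O4_RE.match(line)
    if m and re.fullmatch(r"\{.*\}", m.group("name")):
        reasons.append("GUID-like Run value name")
    return reasons


def triage(log_text):
    """Map each suspicious line of a HijackThis log to its reasons."""
    findings = {}
    for line in log_text.splitlines():
        reasons = assess(line.strip())
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

A hit only means the line deserves a closer look; the genuine ctfmon.exe and NvCpl entries in the sample are left alone, while the masquerading winlogon.exe and the entries under the user profile are reported.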
stryvn
post Jul 19 2008, 01:43 PM
Post #11

Authentic Member
Group: Authentic Member
Posts: 23
Joined: 31-March 04
Member No.: 3,557

Fencer,

Moving along nicely here. I did rename ComboFix before placing it on the infected desktop. No problems, and everything ran smoothly. Logs below...


ComboFix 08-07-18.5 - Scott 2008-07-19 14:24:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.244 [GMT -5:00]
Running from: C:\Documents and Settings\Scott\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\28872.exe
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\BricsCad Architecturals for AutoCAD v3.3.0009 by RENEGADE.torrent
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\BricsCad Architecturals for AutoCAD v3.3.0009 by RENEGADE.zip
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\Crack Hidden Expedition Titanic (game of popgamers) - by LovePascal.zip~
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\QuarkXPress Passport V7.3 Multilingual.torrent
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\QuarkXPress Passport V7.3 Multilingual.zip
C:\Documents and Settings\Scott\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Scott\My Documents\FNTS~1
C:\Documents and Settings\Scott\My Documents\FNTS~1\w?nspool.exe
C:\Documents and Settings\Scott\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Scott\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Scott\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Scott\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Scott\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\fzzi
C:\Program Files\Common Files\fzzi\fzzia.exe
C:\Program Files\Common Files\fzzi\fzzia.lck
C:\Program Files\Common Files\fzzi\fzzid\class-barrel
C:\Program Files\Common Files\fzzi\fzzid\fzzic.dll
C:\Program Files\Common Files\fzzi\fzzid\vocabulary
C:\Program Files\Common Files\fzzi\fzzih
C:\Program Files\Common Files\fzzi\fzzil.exe
C:\Program Files\Common Files\fzzi\fzzil.lck
C:\Program Files\Common Files\fzzi\fzzim.exe
C:\Program Files\Common Files\fzzi\fzzim.lck
C:\Program Files\Common Files\fzzi\fzzip.exe
C:\Program Files\mbols~1
C:\Program Files\mbols~1\??mbols\
C:\Program Files\mbols~1\winlogon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\temp\tn3
C:\WINDOWS\444.470
C:\WINDOWS\fzzi
C:\WINDOWS\fzzi\fzzi.dat
C:\WINDOWS\fzzi\wu
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\NDNuninstall4_34.exe
C:\WINDOWS\NDNuninstall4_50.exe
C:\WINDOWS\NDNuninstall4_80.exe
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall5_20.exe
C:\WINDOWS\NDNuninstall5_40.exe
C:\WINDOWS\NDNuninstall5_48.exe
C:\WINDOWS\NDNuninstall5_64.exe
C:\WINDOWS\NDNuninstall6_10.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\NDNuninstall6_30.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\serenumm.sys
C:\WINDOWS\system32\g74.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pcntlkdm.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wgnk.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg

Infected copy of C:\WINDOWS\system32\userinit.exe was found & disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_SERENUMM
-------\Service_serenumm
-------\Legacy_PlugPlayRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-18 17:42 . 2008-07-18 17:42 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-18 17:40 . 2002-05-28 23:27 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-18 17:40 . 2008-07-18 17:40 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-18 17:29 . 2008-07-18 17:29 <DIR> d--hs---- C:\found.000
2008-07-18 17:04 . 2008-07-18 18:04 <DIR> d-------- C:\SDFix
2008-07-10 20:07 . 2001-08-18 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-07-10 20:07 . 2008-07-10 20:07 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))