
Hijack This Log


This topic is locked. 8 replies to this topic.

#1 cheetahman (New Member, 7 posts)

Posted 08 May 2007 - 02:00 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:57:16 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kris 2\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\kris\LOCALS~1\Temp\se.dll/space.html
F3 - REG:win.ini: load=C:\WINDOWS\system32\1.tmp
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\1.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [SWOD] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [Intex1 Service Driver] msserv1.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [jnosrxxA] C:\WINDOWS\jnosrxxA.exe
O4 - HKLM\..\Run: [vsaitinA] C:\WINDOWS\vsaitinA.exe
O4 - HKLM\..\Run: [System Data Compliance] sdc.exe
O4 - HKLM\..\Run: [jseqhtiA] C:\WINDOWS\jseqhtiA.exe
O4 - HKLM\..\Run: [rriqxq] C:\WINDOWS\System32\saeyys.exe reg_run
O4 - HKLM\..\Run: [ms063801161214] C:\WINDOWS\ms063801161214.exe
O4 - HKLM\..\Run: [loaddr] C:\rtnudo.exe
O4 - HKLM\..\Run: [ktbrpml.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ktbrpml.dll,lfembc
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Intex1 Service Driver] msserv1.exe
O4 - HKLM\..\RunServices: [System Data Compliance] sdc.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] winupn.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1178492519578
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\irrql5951.dll (file missing)
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - c:\windows\system32\st3.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\1.tmp (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Srv32 - Unknown owner - C:\WINDOWS\system32\srv32.exe (file missing)



#2 miekiemoes (MalwareBytes, Visiting Fellow, 514 posts)

Posted 08 May 2007 - 03:39 PM

Hi,

I see mainly leftovers from malware here - although I have to say that you were (and maybe still are) terribly infected. :(
Not sure what's still present, but the scans should tell afterwards.
Not sure either what damage it has already caused, because I know that some of the infections you are dealing with cause A LOT of damage, and some damage cannot always be restored, unfortunately... especially with this huge amount of malware present.
And it looks like you have already been dealing with this for over a year, because I see some leftovers of really old infections here...
Also keep in mind that ALL passwords need to be changed as well, because they are known.
Don't change them now, because as long as malware is still present, it will gather the new passwords again. Change them when I say this system is "clean" again.

Anyway, perform the next steps in the right order.

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do not run the scan yet.

--------------------------

* Reboot into Safe Mode (without networking support!)
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

---------------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\kris\LOCALS~1\Temp\se.dll/space.html
F3 - REG:win.ini: load=C:\WINDOWS\system32\1.tmp
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [SWOD] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [Intex1 Service Driver] msserv1.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [jnosrxxA] C:\WINDOWS\jnosrxxA.exe
O4 - HKLM\..\Run: [vsaitinA] C:\WINDOWS\vsaitinA.exe
O4 - HKLM\..\Run: [System Data Compliance] sdc.exe
O4 - HKLM\..\Run: [jseqhtiA] C:\WINDOWS\jseqhtiA.exe
O4 - HKLM\..\Run: [rriqxq] C:\WINDOWS\System32\saeyys.exe reg_run
O4 - HKLM\..\Run: [ms063801161214] C:\WINDOWS\ms063801161214.exe
O4 - HKLM\..\Run: [loaddr] C:\rtnudo.exe
O4 - HKLM\..\Run: [ktbrpml.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ktbrpml.dll,lfembc
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Intex1 Service Driver] msserv1.exe
O4 - HKLM\..\RunServices: [System Data Compliance] sdc.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] winupn.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.searchmeup.com
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\irrql5951.dll (file missing)
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll (file missing)
O20 - Winlogon Notify: st3 - c:\windows\system32\st3.dll (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\1.tmp (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Srv32 - Unknown owner - C:\WINDOWS\system32\srv32.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

--------------------------
  • Double-click drweb-cureit.exe, click Start and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • It may display a popup in between asking you to buy it or offering a 50% discount. Just close that popup again.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Once the scan has finished, it will display a list of the files found, checked by default.
    If the file "process.exe" was found, uncheck it. This is because this file is related to SDFix and SDFix needs it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
  • Then click 'Yes to all' if it asks whether you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found: (screenshot not reproduced)
  • If so, click it, then click the icon right below and select Move incurable, as you'll see in the next image:
    (screenshot not reproduced)
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
-------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post the following logs in your next reply:

* Log from DrWeb CureIt
* Log from SDFix
* New HijackThis log
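The fix list above was built by reading the log in post #1 line by line and picking out the same handful of patterns every time: autorun values that name a bare executable with no path, files dropped straight into C:\ or C:\WINDOWS, a second program appended to UserInit, a win.ini load= entry, sites added to the IE Trusted Zone, and services or Winlogon Notify packages whose file no longer exists. The following is an added example, not code from this thread or from HijackThis itself: a small Python parser for the v1.99 "Xn - body" line format that applies those checks and reports which entries deserve a closer look. The sample log is a constructed subset of lines copied from post #1; the flag wording and the heuristics are my own, and each flag is a triage hint for a human reviewer, not a verdict.

```python
"""HijackThis v1.99 log triage: parse "Xn - body" entries and flag the patterns a
helper checks first. Added example, not code from the thread or from HijackThis."""
import re
from dataclasses import dataclass, field
from typing import List
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# O4 body shape: "<registry key or startup group>: [<value name>] <command line>"
O4_BODY = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)  # triage hints, not verdicts

def parse_hjt(text: str) -> List[Entry]:
    # Keep only 'Xn - body' lines; the header and the process list are skipped
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries

def first_token(cmd: str) -> str:
    """Program an O4 command line launches (quoted path or first word)."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else (cmd.split() or [""])[0]

def check_o4(e: Entry) -> None:
    m = O4_BODY.match(e.body)
    if not m:
        return  # "Global Startup: x.lnk = ..." lines are not covered here
    if "runservices" in m["key"].lower():
        e.flags.append("uses the Win9x-era RunServices key")
    target = first_token(m["cmd"])
    if target.lower().endswith("rundll32.exe"):
        # rundll32 itself is normal; judge the DLL it is told to load instead
        target = m["cmd"].split(None, 1)[-1].split(",")[0]
    t = target.lower()
    if "\\" not in t:
        e.flags.append("bare executable name, resolved through PATH at logon")
    elif "\\\\" in t:
        e.flags.append("malformed path with a doubled backslash")
    elif re.match(r"^[a-z]:\\(windows\\)?[^\\]+$", t):
        e.flags.append("executable sits in the drive root or Windows directory")

def check_f2(e: Entry) -> None:
    # Everything listed after the genuine userinit.exe also runs at each logon
    parts = [p for p in e.body.partition("UserInit=")[2].split(",") if p.strip()]
    if len(parts) > 1:
        e.flags.append(f"UserInit carries {len(parts) - 1} extra program(s)")

def check_f3(e: Entry) -> None:
    _, sep, value = e.body.partition("load=")
    if sep and value.strip():
        e.flags.append("win.ini load= starts a program at logon")

def check_r1(e: Entry) -> None:
    if "res://" in e.body and "\\temp\\" in e.body.lower():
        e.flags.append("IE search setting loads a DLL resource from a Temp folder")

def check_orphan(e: Entry) -> None:
    # O20 Winlogon Notify and O23 services: a missing file is a dead reference
    if "Unknown owner" in e.body:
        e.flags.append("service has no vendor string")
    if "(file missing)" in e.body:
        e.flags.append("referenced file is missing (orphaned entry)")

CHECKS = {"R1": check_r1, "F2": check_f2, "F3": check_f3, "O4": check_o4,
          "O15": lambda e: e.flags.append("site added to the IE Trusted Zone"),
          "O20": check_orphan, "O23": check_orphan}

def triage(text: str) -> List[Entry]:
    """Parse the log and return only the entries that picked up a flag."""
    entries = parse_hjt(text)
    for e in entries:
        if e.section in CHECKS:
            CHECKS[e.section](e)
    return [e for e in entries if e.flags]

def flags_for(text: str, needle: str) -> List[str]:
    for e in triage(text):
        if needle in e.body:
            return e.flags
    return []

# Constructed sample: a subset of lines copied from the log posted in #1 above
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\kris\LOCALS~1\Temp\se.dll/space.html
F3 - REG:win.ini: load=C:\WINDOWS\system32\1.tmp
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [SWOD] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [System Data Compliance] sdc.exe
O15 - Trusted Zone: *.coolwebsearch.com
O23 - Service: Srv32 - Unknown owner - C:\WINDOWS\system32\srv32.exe (file missing)
"""
```

Running `triage(SAMPLE_LOG)` flags nine of the eleven entries and leaves the Intel tray applet and Windows Defender alone. The path rules deliberately do not judge a file by its name alone, so entries such as `saeyys.exe` or `ktbrpml.dll` living in System32 pass through unflagged even though the helper removed them; deciding those needs a reputation lookup or a look at the file itself, which is why the log is reviewed by a person rather than a script.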

#3 cheetahman (New Member, 7 posts)

Posted 08 May 2007 - 04:11 PM

This isn't my computer, by the way; it's someone else's. I'll also post the updated logs. Thanks for the help so far.

#4 miekiemoes (MalwareBytes, Visiting Fellow, 514 posts)

Posted 09 May 2007 - 02:00 AM

Hi, do you have this computer in front of you? Or are you sending these instructions by mail to the person with this infected computer? In case you are sending the instructions to that person, wouldn't it be better if this person just registered here, followed my instructions, performed the steps and posted the logs, instead of you sending the instructions all the time and then waiting for the logs? I think this may be much easier for both of you, to avoid mistakes and confusion, because this is what frequently happens when someone is posting logs for someone else: you'll have to wait longer, instructions are not performed properly, and mistakes are made.

#5 cheetahman (New Member, 7 posts)

Posted 09 May 2007 - 11:09 AM

I am working on the computer for them and posting this from a different computer.

#6 miekiemoes (MalwareBytes, Visiting Fellow, 514 posts)

Posted 09 May 2007 - 12:11 PM

That's ok. :) I'll read the logs later. If my replies are a bit slower, that's because email notifications here won't work for some reason... but I'll check this thread once in a while to see if there's a reply yet.

#7 miekiemoes (MalwareBytes, Visiting Fellow, 514 posts)

Posted 18 May 2007 - 03:03 PM

Still with us?

#8 cheetahman (New Member, 7 posts)

Posted 19 May 2007 - 02:10 PM

It's fixed. I reinstalled the whole operating system and started from scratch.

#9 miekiemoes (MalwareBytes, Visiting Fellow, 514 posts)

Posted 19 May 2007 - 03:58 PM

OK, thanks for letting us know. :) Since this issue appears resolved, this topic is closed. If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else, please begin a new topic.
