Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91845 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Please help me remove the viruz on my computer..='/


  • This topic is locked This topic is locked
14 replies to this topic

#1 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 30 March 2008 - 07:44 AM

Hey guyz, im desperate... i know there's 2 or 3 viruses in my computer but i dont know what I'm looking for or what to delete using HiJackThis.. Im kind of an amateur when it comes to computers but i think i can easily catch up... so please help me! tanx oh so very much!!!=j

Here my logfile on HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:47 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\Documents and Settings\Joel yap\Desktop\Converters, Virus Busters & DAP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll
O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - C:\WINDOWS\system32\gzmrt.dll (file missing)
O2 - BHO: trafficninja.biz extension - {266A3562-AB67-480E-9F09-D54604FD817B} - C:\WINDOWS\system32\ninjaext.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkingsgm.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [mswindws] mssql.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissi..._hooking_xp.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C298F7C6-958F-47AE-B811-C730070B5BD2} (EzWebView Control) - http://equity.dnsali...cab/Webview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\xampplite\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Tanx a many guys... please tell wether or what i need to delete here... please, please, please... I really beg you...=j tanx again!

    Advertisements

Register to Remove


#2 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 30 March 2008 - 08:27 AM

Hi BuCkiba,

Welcome to the What the tech Forums
My name is mschroe919 and I am going to read your log.
I would like to help you So if you would....
Please be patient and I will be back as soon as possible.

Please while I am gone do these step:

Show hidden files, Here is how:

Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

NEXT:

Please download ATF Cleaner by Atribune.

Download Here:
http://www.atribune..../click.php?id=1

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NEXT:
Be sure not to delete anything intill said ok to. also don't run any other cleanup programs till we
get done it may goof ours up.
Also if you have any questions feel fre to ask first.

Please post another hjt log and let me know how your PC is behaving
mschroe919

Edited by mschroe919, 30 March 2008 - 12:11 PM.

"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#3 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 31 March 2008 - 08:31 AM

Hi BuCkiba, Do you still need help if so please follow the lat post I gave. Thank You mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#4 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 01 April 2008 - 10:07 AM

Hi BuCkiba,, Please as we are a few voulenteers/ And people need the room for us to help them, Do you still need help Please advise as to then I casn close it for someone else mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#5 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 01 April 2008 - 08:22 PM

hi mschroe919, thanx 4 helping me...=j im sorry for the late reply but im kind of bc at school... im still studying college... tanx again... yupz, i still need help with this problem on my computer...

#6 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 01 April 2008 - 08:25 PM

btw mschroe919, one effect of this problem on my computer is i cant open my hidden files. yupz, i know hot to open them=j) and another one is that when I open my drives using double click... an error comes out so for now, I only type the drives in the address bar... i hope this helps...=j thanx again so much mschroe919..=j ur the best!

#7 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 01 April 2008 - 08:45 PM

Hi again mschroe919..=j hehe...

I've done what you wanted me to do (ATF Cleaner)...

Here's the new logfile you asked:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:34 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joel yap\Desktop\Converters, Virus Busters & DAP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll
O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - C:\WINDOWS\system32\gzmrt.dll (file missing)
O2 - BHO: trafficninja.biz extension - {266A3562-AB67-480E-9F09-D54604FD817B} - C:\WINDOWS\system32\ninjaext.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkingsgm.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [mswindws] mssql.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissi..._hooking_xp.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C298F7C6-958F-47AE-B811-C730070B5BD2} (EzWebView Control) - http://equity.dnsali...cab/Webview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\xampplite\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Again.. thank you very much mschroe919... your a big help!=j btw, after you figure out whats wrong... could you please tell me how to prevent it from happening again?? thanx a many... hehe...

btw, my computer's still the same after doing what you told me...

a "W00g.exe", a ll.exe or a "kxvo.exe" (and there may be more...) error would still come out after i double click my drives... i think it has something to do with the registry...=j i know these .exe files are viruses but whenever i delete them... they would still come back after i double click my drives... i dont know where the source is coming from... it also prevents me from opening my Yahoo Messenger...

i really hope this helps... tanx...-_-

Edited by BuCkiba, 02 April 2008 - 07:30 AM.


#8 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 02 April 2008 - 09:52 AM

hi BuCkiba,

I find some problems we may have to do more than one post.

FIRST:
You may want to print this out as so you can do them in order

NEXT:

as far as showing hidden files:

Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu] and click Folder Options.

We don't need to click od the drives just at the top menu bar


* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

also if you are using the double cliclk you can always
right click once the left click on open

NEXT:

Make sure Internet Explorer isn't open

Run hijackthis again. Hit None of the above,
Click Do a System Scan Only.
Put a Check in the box on the left side on these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-1.dll
O2 - BHO: rightonads optimizer - {10F3E8BD-257A-4702-A2F5-DC02055B068C} - C:\WINDOWS\system32\gzmrt.dll (file missing)
O2 - BHO: trafficninja.biz extension - {266A3562-AB67-480E-9F09-D54604FD817B} - C:\WINDOWS\system32\ninjaext.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O2 - BHO: IKatzu Class - {EA5159DF-E413-4878-8AE2-D921D41BB942} - C:\WINDOWS\system32\bkingsgm.dll
O4 - HKLM\..\Run: [postSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrt.dll" DllStart
O4 - HKCU\..\Run: [mswindws] mssql.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissi..._hooking_xp.cab


Close ALL windows and browsers except HijackThis and click []b]Fix checked


NEXT:
Open windows explorer and find these and delete the folders in RED

C:\WINDOWS\system32\gzmrt.dll


NEXT:

Do a earch for the following and if found delete them

gzmrt.dll
ninjaext.dll
ieso0.dll
bkingsgm.dll

Not to worry if not found or if it won't let you delete

NEXT:
some of these infections tend to hide when they see HijackThis.exe
I would like you to put the HijackThis.exe in a seperate folder and not on desktop.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.

Download HijackThis into this folder.
once this is done we need to delete the othe one.
Then lets go to where you just put it and rename it scannthis.exe
when this is done run another log with the scannthis.exe
post the new log here and tell me how your PC is behaving

Good luck mschroe919

Edited by mschroe919, 02 April 2008 - 10:01 AM.

"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#9 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 02 April 2008 - 09:06 PM

Hey mschroe919... Here the new logfile you asked:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:20 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\HJT\scannthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C298F7C6-958F-47AE-B811-C730070B5BD2} (EzWebView Control) - http://equity.dnsali...cab/Webview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\xampplite\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

after doing this I tried double clicking my drives again and those .exe warning files returned so i deleted them again... in short, its still kind of the same...

btw, the one in red above always comes back after i delete it and double click my drives... thats the one im telling you about... its kind of annoying...=j

Tanx again for all your effort in helping me! thank you very much!=j :yeah:

Edited by BuCkiba, 02 April 2008 - 09:11 PM.


#10 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 03 April 2008 - 05:48 AM

Hi BuCkiba,

after doing this I tried double clicking my drives again and those .exe warning files returned so i deleted them again... in short, its still kind of the same...

btw, the one in red above always comes back after i delete it and double click my drives... thats the one im telling you about... its kind of annoying...=j

Tanx again for all your effort in helping me! thank you very much!=

Solution:

Download TheKillbox from here:

http://www.atribune....ads/KillBox.exe

Save to your Desktop and double click it to open it up.

NEXT:

In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one,


C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe
NEXT:
Make sure Internet Explorer isn't open

Run hijackthis again. Hit None of the above,
Click Do a System Scan Only.
Put a Check in the box on the left side on these: (Not to worry if not there)
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe


Close ALL windows and browsers except HijackThis and click Fix checked

Then reboot and a new hijackthis log please.
let me know how your PCV is working
good luck
mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#11 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 04 April 2008 - 04:48 AM

Man! This is one tough virus!!! I did what you told me and still... after double clicking my drives... there goes those warnings again... and when I scan using HijackThis again... ieso0.dll and kxvo.exe came back... (btw, i already have KillBox even before you told me...=j) I dont need to send another logfile right? its still the same anyway...=j sorry for the inconvinience... I really dont know what's with this virus... i dont even know ehre it came from... maybe the reason it can't be deleted is because it has already spread on my computer... i don't know what to do anymore... this is kind of annoying... Sorry! I must be taking a lot of your time on this... thank you so much... i dont know how to repay you for doing this... tanx!!!=j :wall: btw, do you know any specific viruses that's causing this? could you fill me up with what i need to watch out for?=j tanx again!

Edited by BuCkiba, 04 April 2008 - 04:49 AM.


#12 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 04 April 2008 - 05:49 AM

hi BuCkiba,
tuff virus but e will master it.
Please read and fopllow these directions
Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again afterwards before connecting to the net
--------------------------------------------------------------------
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Good luck mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#13 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 04 April 2008 - 09:50 PM

Hey mschroe919...=j it worked... i can see my hidden files now and no warnings came out when i double clicked my drives... tanx a lot! Wahoo! thank you! thank you! thank you! :woot:

here's the logfile you asked..=j: :woot: :woot: :woot: :woot: :woot:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:39 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\xampplite\apache\bin\apache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\scannthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C298F7C6-958F-47AE-B811-C730070B5BD2} (EzWebView Control) - http://equity.dnsali...cab/Webview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Program Files\xampplite\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

And here the Combofix logfile:

ComboFix 08-04-04.1 - Joel yap 2008-04-06 11:37:45.1 - NTFSx86
Running from: C:\Documents and Settings\Joel yap\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ContextTool
C:\Program Files\ContextTool\ContextHelper.dat
C:\Program Files\ContextTool\ContextTool-2.dll
C:\Program Files\ContextTool\pcre3.dll
C:\Program Files\ContextTool\uninstall.exe
C:\WINDOWS\system\_sv_CMD_
C:\WINDOWS\system32\gzmrot-uninst.exe
C:\WINDOWS\system32\ninjaext-uninstall.exe
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-04 11:07 . 2008-04-05 19:45 <DIR> d-------- C:\HJT
2008-04-03 11:02 . 2008-04-03 11:02 160,055 -r-hs---- C:\dhv2u8.cmd
2008-03-31 21:01 . 2008-03-31 21:00 155,662 -r-hs---- C:\w00g.exe
2008-03-31 19:08 . 2008-03-30 17:10 159,134 -r-hs---- C:\es.exe
2008-03-30 10:24 . 2008-03-30 11:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 07:13 . 2008-04-01 18:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-30 07:13 . 2008-03-30 07:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-27 20:01 . 2008-03-27 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Chessmaster Challenge
2008-03-23 15:44 . 2008-04-05 18:40 92,160 -r-hs---- C:\WINDOWS\system32\fool0.dll
2008-03-23 15:20 . 2008-03-23 15:19 154,818 -r-hs---- C:\p.bat
2008-03-23 15:15 . 2008-03-23 15:14 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-03-20 05:53 . 2008-03-21 09:33 153,899 -r-hs---- C:\ojbss9gv.com
2008-03-20 03:53 . 2008-03-20 03:53 <DIR> d-------- C:\WebSite2
2008-03-19 12:17 . 2008-03-19 12:16 152,093 -r-hs---- C:\lqxo8w.cmd
2008-03-16 07:47 . 2008-03-16 07:46 149,214 -r-hs---- C:\uulaqvl.cmd
2008-03-15 15:47 . 1997-11-05 12:28 576,000 --a------ C:\WINDOWS\system32\ww_cu232.dll
2008-03-15 15:47 . 1997-11-05 12:28 215,552 --a------ C:\WINDOWS\system32\ww_mc232.dll
2008-03-15 15:47 . 1997-11-05 12:28 215,204 --a------ C:\WINDOWS\system32\saxbasic.hlp
2008-03-15 15:47 . 1997-11-05 12:28 168,960 --a------ C:\WINDOWS\system32\ww_oa232.dll
2008-03-15 15:47 . 1997-11-05 12:26 87,552 --a------ C:\WINDOWS\system32\sbpro_42.ocx
2008-03-15 15:46 . 1997-11-20 11:33 5,705 --a------ C:\WINDOWS\emcgm2.ini
2008-03-15 15:46 . 1997-11-20 11:36 4,338 --a------ C:\WINDOWS\isgdi32.ini
2008-03-15 15:46 . 1997-12-15 21:43 4,001 --a------ C:\WINDOWS\emps_2.ini
2008-03-15 15:46 . 1997-12-20 16:22 1,052 --a------ C:\WINDOWS\emwmf2.ini
2008-03-15 15:46 . 1997-12-15 21:43 382 --a------ C:\WINDOWS\ebtif2.ini
2008-03-15 15:46 . 1999-08-19 14:47 377 --a------ C:\WINDOWS\ebpng2.ini
2008-03-15 15:46 . 1997-12-15 21:44 344 --a------ C:\WINDOWS\ebbmp2.ini
2008-03-15 15:46 . 1997-12-15 21:42 341 --a------ C:\WINDOWS\ebjpg2.ini
2008-03-15 15:46 . 1997-11-20 11:33 245 --a------ C:\WINDOWS\empct2.ini
2008-03-15 15:45 . 2008-03-18 08:39 <DIR> d-------- C:\Program Files\SPSS
2008-03-14 20:17 . 2008-03-19 23:42 <DIR> d-------- C:\Project in DBMS
2008-03-13 06:50 . 2008-03-13 06:50 146,194 -r-hs---- C:\vuts0e.cmd
2008-03-12 22:19 . 2008-03-12 22:19 148,550 -r-hs---- C:\3g.com
2008-03-12 22:19 . 2008-03-31 21:00 92,160 -r-hs---- C:\WINDOWS\system32\fool1.dll
2008-03-12 22:19 . 2008-04-05 18:42 505 -r-hs---- C:\autorun.inf
2008-03-12 11:40 . 2008-03-12 11:40 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-11 01:02 . 2008-03-11 01:02 <DIR> d-------- C:\Documents and Settings\Joel yap\Application Data\IDMComp
2008-03-11 00:05 . 2008-03-11 00:05 0 -ra------ C:\logwmemory.bin
2008-03-09 12:31 . 2008-03-09 12:31 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-08 15:54 . 1997-11-20 11:36 232 --a------ C:\WINDOWS\imwmf2.ini
2008-03-08 15:49 . 2001-09-12 15:32 1,335,584 --a------ C:\WINDOWS\system32\sbe6_32.dll
2008-03-08 15:49 . 2001-09-12 15:32 558,656 --a------ C:\WINDOWS\system32\sb6ent.ocx
2008-03-08 15:49 . 1998-05-19 15:33 396,800 --a------ C:\WINDOWS\system32\msfrt40.dll
2008-03-08 15:49 . 2001-05-23 03:02 329,423 --a------ C:\WINDOWS\system32\sbe6_000.hlp
2008-03-08 15:49 . 2001-05-23 03:02 6,255 --a------ C:\WINDOWS\system32\sbe6_000.cnt
2008-03-08 15:48 . 1996-01-12 01:00 722,192 --a------ C:\WINDOWS\system32\vb40032.dll
2008-03-08 15:48 . 1995-07-26 00:00 200,704 --a------ C:\WINDOWS\system32\threed32.ocx
2008-03-08 15:48 . 1996-08-05 05:00 92,160 --a------ C:\WINDOWS\system32\grid32.ocx
2008-03-08 15:41 . 1996-10-23 18:26 298,496 --a------ C:\WINDOWS\uninst.exe
2008-03-07 21:17 . 2008-03-07 21:22 <DIR> d-------- C:\Program Files\Microsoft SQL Server

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 03:39 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-04-04 12:45 56,536 ----a-w C:\Documents and Settings\Joel yap\Application Data\GDIPFONTCACHEV1.DAT
2008-04-03 16:07 --------- d-----w C:\Program Files\LimeWire
2008-04-02 09:36 --------- d-----w C:\Documents and Settings\Joel yap\Application Data\AdobeUM
2008-03-30 03:56 --------- d-----w C:\Documents and Settings\Joel yap\Application Data\Chessmaster Challenge
2008-03-29 23:15 --------- d-----w C:\Program Files\mIRC
2008-03-17 16:41 --------- d-----w C:\Program Files\FBrowsingAdvisor
2008-03-13 14:57 --------- d-----w C:\Documents and Settings\Joel yap\Application Data\MySQL
2008-03-12 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-07 13:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-07 13:39 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-07 13:19 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-01 00:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 00:36 --------- d-----w C:\Documents and Settings\Joel yap\Application Data\Dev-Cpp
2008-02-22 04:50 --------- d-----w C:\Program Files\FBrowserAdvisor
2008-02-20 16:49 --------- d-----w C:\Documents and Settings\Joel yap\Application Data\Azureus
2008-02-18 14:12 --------- d-----w C:\Program Files\Shockwave.com
2008-02-17 11:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-02-12 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\WeatherStudio348
2008-02-09 09:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 09:10 409600]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe" [2007-08-28 09:38 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-08-28 09:37 69632]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-07-11 20:20:15 278528]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"D:\\Games\\Quake III Arena\\quake3.exe"=
"D:\\Games\\warcraft\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\xampplite\\apache\\bin\\apache.exe"=
"C:\\Program Files\\xampplite\\mysql\\bin\\mysqld.exe"=
"D:\\Games\\Beach Head 2002\\BH2Game\\BH2.exe"=
"D:\\Games\\Warcraft\\Warcraft III\\War3.exe"=

R2 Apache2.2;Apache2.2;"C:\Program Files\xampplite\apache\bin\apache.exe" -k runservice []
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10aab997-5ad0-11dc-9a03-00167699fe34}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe TTMS1017.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45f008f2-fbcc-11dc-9d5a-00167699fe34}]
\Shell\AutoRun\command - F:\es.exe
\Shell\explore\Command - F:\es.exe
\Shell\open\Command - F:\es.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7661483c-f571-11dc-9d39-00167699fe34}]
\Shell\AutoRun\command - F:\6krxwx.cmd
\Shell\explore\Command - F:\6krxwx.cmd
\Shell\open\Command - F:\6krxwx.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80774ac7-2fa2-11dc-992e-00167699fe34}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\imgkulot.vbs
\Shell\open\Command - WScript.exe .\imgkulot.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96b35770-2fa4-11dc-9932-00167699fe34}]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - WScript.exe .\imgkulot.vbs
\Shell\open\Command - WScript.exe .\imgkulot.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9db04fe8-4b28-11dc-99bb-00167699fe34}]
\Shell\Autoplay\Command - F:\smss.exe
\Shell\AutoRun\command - F:\smss.exe
\Shell\Explore\Command - F:\smss.exe
\Shell\Open\Command - F:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9db04fe9-4b28-11dc-99bb-00167699fe34}]
\Shell\Auto\command - printer.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL printer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f58ccba-9a2d-11dc-9b6a-00167699fe34}]
\Shell\Auto\command - F:\printer.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL printer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fc05fa7-7ea8-11dc-9ac4-00167699fe34}]
\Shell\Auto\command - F:\printer.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL printer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf71db16-3118-11dc-993b-00167699fe34}]
\Shell\AutoRun\command - lqxo8w.cmd
\Shell\explore\Command - lqxo8w.cmd
\Shell\open\Command - lqxo8w.cmd

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 11:42:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-06 11:44:32
ComboFix-quarantined-files.txt 2008-04-06 03:44:27
Pre-Run: 15,650,897,920 bytes free
Post-Run: 15,637,991,424 bytes free
.
2008-03-14 02:01:12 --- E O F ---

Thanx Again mschroe919! You The Best! Hehe!=j :woot:
I Just Have Two More Question... What Does The Red Phrase Mean? and How Can I Avoid This From Happening Again? Thanx!

Edited by BuCkiba, 04 April 2008 - 09:54 PM.


#14 mschroe919

mschroe919

    basic

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,825 posts

Posted 05 April 2008 - 10:15 PM

Hi BuCkiba,
Sorry it took so long yours was a more difficult log.
and the wife had some plans
Please do the next steps exactly.
This fix is for your paticular problem, don't use on any other pc.
Please follow these in order.


1. Please open Notepad (Not Wordpad]
Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


KillAll::

File::
C:\dhv2u8.cmd
C:\w00g.exe
C:\WINDOWS\system32\fool0.dll
C:\p.bat
C:\WINDOWS\iun6002.exe
C:\ojbss9gv.com
C:\lqxo8w.cmd
C:\uulaqvl.cmd
C:\vuts0e.cmd
C:\WINDOWS\system32\fool1.dll
C:\autorun.inf

Folder::

C:\w00g.exe
C:\WINDOWS\system32\bdod.bin

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
ComboFix.txt
Fresh HijackThis log
run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Good luck mschroe919
"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20&lt;a%20href="http://www.whatthetech.com/donate/""%20target="_blank"&gt;http://www.whatthetech.com/donate/"&lt;/a&gt;"]Donate Here Please[/url]
Thank You

#15 BuCkiba

BuCkiba

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 07 April 2008 - 04:10 AM

Hey mschroe919... s0we for the l8 reply but... sadly, my computer broke down the last time i logged in to this web...='/ after i rebooted my computer... it said, "NTLDR is missing" and all my files got corrupted so i had to reformat my computer... well, thanx for your help mschroe919... i really appreciated it!=j

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users