Author Topic: serious infection, please help  (Read 5799 times)


CheekyMoore

serious infection, please help
« on: 27. December 2007., 18:43:03 »
Hello, first I would like to give thanks that this website even exists for noobs like me who are unable to protect themselves.

Secondly, my Internet connection is broken, I'm assuming because of the infection, so I was unable to use your online scans. The best I could do was update my Spybot Search & Destroy, run it, and save the log, which I have done here.

Command Service: System Service (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Virtumonde: User settings (Registry key, fixed)
  HKEY_USERS\S-1-5-21-1801674531-688789844-1708537768-1004\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService

Virtumonde: System Service (Registry key, fixed)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService

Virtumonde: System Service (Registry key, fixed)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService

Virtumonde: Settings (Registry key, fixed)
  HKEY_USERS\S-1-5-21-1801674531-688789844-1708537768-1004\Software\Microsoft\aldd

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\cclvyjxh.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\dhxkkjkq.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\fhfkjlmj.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\oxgxcpke.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\oxoodthd.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\pklbdtdr.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\plyooepm.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\syryxeow.exe

Virtumonde.ddc:  Executable (File, fixed)
  C:\WINDOWS\system32\winltjyj.exe

Virtumonde.generic: Class ID (Registry key, fixed)
  HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}

Virtumonde.generic: Class ID (Registry key, fixed)
  HKEY_CLASSES_ROOT\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Virtumonde.generic: Browser helper object (Registry key, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Smitfraud-C.CoreService: Settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Smitfraud-C.CoreService: Settings (Registry key, fixed)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\core

Smitfraud-C.CoreService:  Data (File, fixing failed)
  C:\WINDOWS\system32\drivers\core.cache.dsk

Smitfraud-C.CoreService:  System file (File, fixing failed)
  C:\WINDOWS\system32\drivers\core.sys

Virtumonde.Dll:  Library (File, fixing failed)
  C:\WINDOWS\system32\khhih.dll

Win32.Small.azl:  Executable (File, fixed)
  C:\WINDOWS\mrofinu572.exe.tmp

Win32.Small.azl:  Executable (File, fixed)
  C:\WINDOWS\b122.exe

Virtumonde: Tracking cookie (Internet Explorer: Mr. Moore) (Cookie, fixed)
 


--- Spybot - Search & Destroy version: 1.4  (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-07-02 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-12-26 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2007-12-26 Includes\DialerC.sbi (*)
2007-12-26 Includes\Hijackers.sbi (*)
2007-12-26 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-12-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-12-26 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-12-26 Includes\PUPSC.sbi (*)
2007-12-26 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-12-26 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-12-26 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-12-12 Includes\Trojans.sbi (*)
2007-12-26 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll


Since some of the corrections are failing, Spybot asks if I would like to restart and fix them then; I did, and they were still unfixable.


Next I used HijackThis and saved the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:28 AM, on 12/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TXIuIE1vb3Jl\command.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\?ymbols\n?lookup.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dhxkkjkq.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Mr. Moore\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\okcxarpq.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [horycyp] C:\Program Files\Windows NT\horycyp77798.exe
O4 - HKLM\..\Run: [bc208952] rundll32.exe "C:\WINDOWS\System32\ksjqyfgm.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5298] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7507] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1498] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5906] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1283] command /c del "C:\WINDOWS\system32\drivers\core.sys_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1835] cmd /c del "C:\WINDOWS\system32\drivers\core.sys_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7880] command /c del "C:\WINDOWS\system32\dhxkkjkq.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9697] cmd /c del "C:\WINDOWS\system32\dhxkkjkq.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5544] command /c del "C:\WINDOWS\system32\khhih.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9414] cmd /c del "C:\WINDOWS\system32\khhih.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4033] command /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC667] cmd /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] -"C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\MANTEC~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Uqlcvy] C:\WINDOWS\system32\?ymbols\n?lookup.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1206] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5818] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3759] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5279] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4057] command /c del "C:\WINDOWS\system32\drivers\core.sys_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5007] cmd /c del "C:\WINDOWS\system32\drivers\core.sys_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8213] command /c del "C:\WINDOWS\system32\dhxkkjkq.exe_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5932] cmd /c del "C:\WINDOWS\system32\dhxkkjkq.exe_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4760] command /c del "C:\WINDOWS\system32\khhih.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3596] cmd /c del "C:\WINDOWS\system32\khhih.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2569] command /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2945] cmd /c del "C:\WINDOWS\b122.exe_tobedeleted"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O4 - Startup: Warkeys Update.lnk = C:\Program Files\Warkeys\update\Warkeys Update.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O15 - Trusted Zone: *.amaena.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TXIuIE1vb3Jl\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - -C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\profsyrt.html

--
End of file - 9480 bytes





The symptoms of this infection are as follows: when I first load the computer a process begins to run called IEXPLORER, and several "Internet Explorer" windows open and continue to multiply unless I end it in the Processes tab of the Task Manager. Firefox is unable to work, and none of my IM services are able to connect. Another symptom is that it's telling me I have no mixer or sound device on my system when I try to turn up the volume. There are other symptoms but I simply cannot remember them.

I know this is a long one, so I assume it will be difficult to be rid of my infestation, but any help given would be great. Thank you.

CheekyMoore
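An added triage script (not from this thread and not part of HijackThis) that reads HJT log lines like the ones posted above and flags the entries an analyst checks first: the broken LSP chain (O10), the Trusted Zone entry (O15), a running service with no vendor name (O23), random eight-letter file names in system32 (O3/O4), paths containing characters HJT could not render, and directory names that are base64 of readable text. The rules and the 0.8 readability threshold are this example's own heuristics; the sample lines are copied from the first HJT log in the post.

```python
"""Triage a HijackThis log for the entries an analyst reads first.

The sample lines are copied from the first HJT log in this thread; the
rules and thresholds are this example's own heuristics, not HijackThis
behaviour, and they are deliberately narrow to limit false positives.
"""
import base64
import re
from dataclasses import dataclass, field

# A path ending in an executable-type extension; \b stops the match at
# Spybot's "...exe_tobedeleted" leftovers so they are not treated as a target.
PATH = re.compile(r"[a-z]:\\[^\",]+?\.(?:exe|dll|sys|ocx)\b", re.I)
# Eight lowercase letters: the naming pattern of the Virtumonde files in
# this thread (okcxarpq.dll, ksjqyfgm.dll, dhxkkjkq.exe). Assumption.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def last_path(body):
    """Last executable-type path on the line, case preserved ('' if none)."""
    hits = PATH.findall(body)
    return hits[-1] if hits else ""


def decode_base64_dir(path):
    """Return the plaintext if a directory component of path is base64 of
    readable text (mostly letters and spaces), else None."""
    for part in path.split("\\")[1:-1]:
        if len(part) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{8,}", part):
            continue
        try:
            text = base64.b64decode(part, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        readable = sum(c.isalpha() or c == " " for c in text) / len(text)
        if text.isprintable() and readable >= 0.8:
            return text
    return None


def triage_line(line):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    line = line.strip()
    m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line)
    if not m:
        return None
    sec, body = m.groups()
    low = body.lower()
    target = last_path(body)
    base = target.rsplit("\\", 1)[-1]
    reasons = []
    if sec == "O10" and "broken internet access" in low:
        reasons.append("LSP chain broken: explains the dead connection")
    if sec == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if sec == "O23" and "unknown owner" in low and "file missing" not in low:
        reasons.append("running service with no vendor name")
    if "?" in target:
        # HJT prints '?' for characters it cannot render; a folder name made
        # of look-alike characters cannot simply be typed at a prompt.
        reasons.append("path contains unrenderable characters")
    if "\\system32\\" in target.lower() and RANDOM_NAME.match(base):
        reasons.append("random 8-letter file name in system32")
    decoded = decode_base64_dir(target)
    if decoded is not None:
        reasons.append(f"directory name is base64 of {decoded!r}")
    return Finding(sec, line, reasons) if reasons else None


def triage(log_text):
    """Run triage_line over every line and keep the hits, in log order."""
    hits = (triage_line(l) for l in log_text.splitlines())
    return [f for f in hits if f]


# Constructed sample: lines taken from the first HJT log posted above.
SAMPLE = "\n".join([
    r"O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\okcxarpq.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [bc208952] rundll32.exe "C:\WINDOWS\System32\ksjqyfgm.dll",b',
    r"O4 - HKCU\..\Run: [Uqlcvy] C:\WINDOWS\system32\?ymbols\n?lookup.exe",
    r'O4 - HKLM\..\RunOnce: [SpybotDeletingA7880] command /c del "C:\WINDOWS\system32\dhxkkjkq.exe_tobedeleted_old"',
    r"O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing",
    r"O15 - Trusted Zone: *.amaena.com",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TXIuIE1vb3Jl\command.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
])

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample, the NvCpl, Spybot cleanup and NVIDIA lines are left alone, while the cmdService line is flagged twice: no vendor name, and a folder name that is base64 of the user's own name.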



Samker's Computer Forum - SCforum.info


Samker

Re: serious infection, please help
« Reply #1 on: 27. December 2007., 19:18:00 »
Hi CheekyMoore & Welcome to SCF Community!

In the next few hours we will analyze your logs and provide you with some solutions.

Regards,

Samker

Samker

Re: serious infection, please help
« Reply #2 on: 27. December 2007., 22:59:23 »
Hi again CheekyMoore,

Yes, you have a hard kind of infection, but we will do our best to resolve this.

First, we need to know: do you have any possibility to use an Internet connection?

If you do, please:

1. Uninstall AVG AntiVirus (via Control Panel)
2. Download, Install, Update & Run Kaspersky AntiVirus FULL Scan: http://scforum.info/index.php/topic,16.0.html

If you don't have the possibility to connect to the Internet, try to install Kaspersky AV (with the latest updates) via USB stick, CD ...


If none of the above is possible, update your AVG AntiVirus and:

1. Turn off System Restore

Quote
Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

2. Restart your PC and run it again in Safe Mode. Instructions:

Quote
To start the computer in safe mode
1. You should print these instructions before continuing. They will not be available after you shut your computer down in step 2.
2. Click Start and then click Shut Down.
3. In the drop-down list of the Shut Down Windows dialog box, click Restart, and then click OK.
4. As your computer restarts but before Windows launches, press F8. On a computer that is configured for booting to multiple operating systems, you can press F8 when the boot menu appears.
5. Use the arrow keys to highlight the appropriate safe mode option, and then press ENTER.
6. If you have a dual-boot or multiple-boot system, choose the installation that you need to access using the arrow keys, and then press ENTER.

Note:
If Windows launches before you can choose a safe mode, restart your computer and try again.

In safe mode, you have access to only basic files and drivers (mouse, monitor, keyboard, mass storage, base video, default system services, and no network connections). You can choose the Safe Mode with Networking option, which loads all of the above files and drivers and the essential services and drivers to start networking, or you can choose the Safe Mode with Command Prompt option, which is exactly the same as safe mode except that a command prompt is started instead of the graphical user interface. You can also choose Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.

Safe mode helps you diagnose problems. If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

There are circumstances where safe mode will not be able to help you, such as when Windows system files that are required to start the system are corrupted or damaged. In this case, the Recovery Console may help you.

NUM LOCK must be off before the arrow keys on the numeric keypad will function.

3. Run AVG Full Scan.


After all that, please provide us a new HJT log (also try to run the McAfee Online AV Scan and provide us the results).

Anyway, we'll wait for your next reply,

Regards,

Samker & SCF Team


CheekyMoore

Re: serious infection, please help
« Reply #3 on: 29. December 2007., 18:15:24 »
Hello, thank you again Samker for your quick response. I uninstalled AVG, downloaded Kaspersky from the link you gave (so I don't know if I have the newest version), installed it on the computer and ran it. It seemed to clear off a lot of things! However, twice it said there was something it could not fix. I have also turned off System Restore. I understand the process of entering safe mode but I am not quite sure what I should be looking for. Should I enter safe mode to run HJT? Or should I be looking for symptoms while in safe mode? I understand that it helps diagnose things because it restricts the computer's usage, but if one of the main symptoms is a broken Internet connection, how am I to test this in safe mode? Finally, should I run HJT and Kaspersky while in safe mode, or out?

Thanks,
CheekyMoore

Samker

Re: serious infection, please help
« Reply #4 on: 29. December 2007., 19:54:18 »
Quote
I understand the process of entering safe mode but I am not quite sure what I should be looking for. Should I enter safe mode to run HJT? Or should I be looking for symptoms while in safe mode? I understand that it helps diagnose things because it restricts the computer's usage, but if one of the main symptoms is a broken Internet connection, how am I to test this in safe mode? Finally, should I run HJT and Kaspersky while in safe mode, or out?

Ok Checky, I'll try to explain this part better:

1. Update Kaspersky AV, run your PC in Safe Mode and try to FULL scan your PC with Kaspersky; if this isn't possible, run Kaspersky again in Normal Mode and provide me information about what Kaspersky doesn't fix (write all possible information in your reply).

2. After all that, provide us a NEW HJT log.

That's all for now,

cya later,

Samker





CheekyMoore

Re: serious infection, please help
« Reply #5 on: 31. December 2007., 14:06:59 »
Hello again. I updated Kaspersky and ran a full check of My Computer in Safe Mode. The log was extremely long, showing everything that was scanned, so I am only posting what I thought was needed.

Protection : completed
----------------------
Total scanned:   104321
Detected:   65
Untreated:   0
Start time:   unknown
Duration:   unknown
Finish time:   unknown


Detected
--------
Status   Object
------   ------
detected: riskware Invader   Running process: C:\WINDOWS\Explorer.EXE
detected: riskware Invader   Running process: C:\WINDOWS\system32\services.exe
detected: riskware Invader   Running process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
detected: riskware Invader   Running process: C:\WINDOWS\System32\svchost.exe
detected: riskware Invader   Running process: C:\WINDOWS\system32\winlogon.exe
deleted: adware not-a-virus:AdWare.Win32.CommAd.a   File: C:\WINDOWS\TXIUIE1VB3JL\ASAPPSRV.DLL//UPX
detected: riskware Invader   Running process: C:\WINDOWS\system32\svchost.exe
deleted: adware not-a-virus:AdWare.Win32.TTC.c   File: C:\Program Files\Windows NT\horycyp77798.exe
detected: riskware Invader   Running process: C:\Program Files\Windows NT\horycyp77798.exe
deleted: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\WINDOWS\System32\wmsnms.dll
deleted: adware not-a-virus:AdWare.Win32.CommAd.a   File: C:\WINDOWS\TXIuIE1vb3Jl\command.exe//UPX
deleted: Trojan program Trojan-Downloader.Win32.Small.buy   File: C:\WINDOWS\b104.exe//stream//data0002//UPX
deleted: adware not-a-virus:AdWare.Win32.Mostofate.u   File: C:\WINDOWS\b104.exe//stream//data0004
deleted: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\WINDOWS\System32\1168172655.exe//stream//data0002
deleted: adware not-a-virus:AdWare.Win32.VB.y   File: C:\WINDOWS\System32\1168172655.exe//stream//data0003
deleted: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\WINDOWS\System32\1170101079.exe//stream//data0002
deleted: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\WINDOWS\System32\advuat.dll
deleted: adware not-a-virus:AdWare.Win32.VB.ad   File: C:\WINDOWS\System32\winstlr32.exe//stream//data0006
deleted: adware not-a-virus:AdWare.Win32.VB.y   File: C:\WINDOWS\System32\~fdgrr.tmp
deleted: adware not-a-virus:AdWare.Win32.BHO.ba   File: C:\WINDOWS\System32\~isdet.tmp
deleted: adware not-a-virus:AdWare.Win32.Mirar.i   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temp\mitB9.tmp/NNBar_VCSetup_876923_LOG_IES_NoDMY_AFF.exe
disinfected: adware not-a-virus:AdWare.Win32.Mirar.i   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temp\mitB9.tmp.cab
deleted: Trojan program Trojan-Downloader.Win32.Small.buy   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\7ZIJBCVW\718f466754402ac597de014577627f96[1].zip/b104.exe//stream//data0002//UPX
deleted: adware not-a-virus:AdWare.Win32.Mostofate.u   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\7ZIJBCVW\718f466754402ac597de014577627f96[1].zip/b104.exe//stream//data0004
deleted: Trojan program Trojan-Clicker.Win32.Small.jf   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\7ZIJBCVW\83122[1].exe//data0004
deleted: Trojan program Trojan-Clicker.HTML.IFrame.dn   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\7ZIJBCVW\83122[1].exe//data0005
deleted: Trojan program Trojan-Clicker.Win32.Small.jf   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\HLQEN1RY\acdt-pid70[1].exe//data0004
deleted: adware not-a-virus:AdWare.Win32.CommAd.a   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\HLQEN1RY\installer[1].exe//file1//UPX
deleted: adware not-a-virus:AdWare.Win32.CommAd.a   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\HLQEN1RY\installer[1].exe//file2//UPX
deleted: adware not-a-virus:AdWare.Win32.TTC.a   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\HRAK3VEX\TTC-4444[1].exe//data0002
not found: adware not-a-virus:AdWare.Win32.TTC.a   File: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\HOKEMORYD4444.DLL
deleted: adware not-a-virus:AdWare.Win32.TTC.a   File: C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\HOKEMORYD83122.DLL
deleted: adware not-a-virus:AdWare.Win32.NewDotNet   File: C:\Program Files\filesubmit\NNWDAC638.EXE
deleted: Trojan program Trojan-Downloader.Win32.Small.gll   File: C:\WINDOWS\system32\g2\bemwdll3.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.TTC.a   File: C:\WINDOWS\system32\i2\mper83122.exe//data0002
will be deleted when the computer is restarted: adware not-a-virus:AdWare.Win32.SecToolBar.k   File: C:\WINDOWS\system32\okcxarpq.dll
will be deleted when the computer is restarted: adware not-a-virus:AdWare.Win32.Virtumonde.art   File: C:\WINDOWS\system32\urqqolj.dll
will be deleted when the computer is restarted: adware not-a-virus:AdWare.Win32.Virtumonde.ayw   File: C:\WINDOWS\System32\khhih.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.aps   File: c:\windows\system32\lbxgruom.dll
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.ez   File: c:\windows\system32\mantec~1\attrib.exe//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.PurityScan.gq   File: c:\windows\system32\?ymbols\n?lookup.exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: adware not-a-virus:AdWare.Win32.Insider.a   File: c:\program files\insider\insider.exe
deleted: Trojan program Rootkit.Win32.Agent.sg   File: c:\windows\system32\drivers\core.sys
deleted: adware not-a-virus:AdWare.Win32.PurityScan.gl   File: c:\windows\system32\zerksh.dll//PE_Patch.PECompact//PecBundle//PECompact
deleted: adware not-a-virus:AdWare.Win32.Agent.wx   File: c:\windows\system32\eykgxny.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ath   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\HLQEN1RY\rasesnet[1].exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.fhv   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\HRAK3VEX\17PHolmes[1].cmt//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.aps   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\HRAK3VEX\hctp[1]
deleted: Trojan program Trojan.Win32.Obfuscated.kp   File: C:\Documents and Settings\Mr. Moore\Local Settings\Temporary Internet Files\Content.IE5\OPZI1KCD\pochki20071106[1]
deleted: adware not-a-virus:AdWare.Win32.ZenoSearch.ad   File: C:\Program Files\Outerinfo\FF\components\FF.dll
deleted: Trojan program Trojan-Downloader.Win32.Agent.fjv   File: C:\WINDOWS\b111.exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.fjn   File: C:\WINDOWS\b147.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ath   File: C:\WINDOWS\system32\cbxutqr.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art   File: C:\WINDOWS\system32\hggdcaa.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.ath   File: C:\WINDOWS\system32\hgghgge.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.aps   File: C:\WINDOWS\system32\ioclwwpu.dll
deleted: adware not-a-virus:AdWare.Win32.SecToolBar.k   File: C:\WINDOWS\system32\jdudanir.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.art   File: C:\WINDOWS\system32\khfgggh.dll
deleted: Trojan program Trojan.Win32.BHO.zo   File: C:\WINDOWS\system32\lqxfgdvo.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.aps   File: C:\WINDOWS\system32\mrptjhdc.dll
deleted: adware not-a-virus:AdWare.Win32.RK.q   File: C:\WINDOWS\system32\rlvknlg.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.aps   File: C:\WINDOWS\system32\tkkfyjov.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.aps   File: C:\WINDOWS\system32\tnisoqju.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.aps   File: C:\WINDOWS\system32\udrcaolv.dll
deleted: Trojan program Trojan.Win32.Pakes.bvs   File: C:\WINDOWS\system32\n8\ensts2dll.exe//PE_Patch.UPX//UPX



After this I closed Kaspersky and ran HJT:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:41 AM, on 12/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mr. Moore\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\okcxarpq.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] -"C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O4 - Startup: Warkeys Update.lnk = C:\Program Files\Warkeys\update\Warkeys Update.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O15 - Trusted Zone: *.amaena.com
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - -C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\profsyrt.html

--
End of file - 5084 bytes

Both of these were done in Safe Mode; if you would like them done in Normal mode, just let me know.

Thank you for your help,

CheekyMoore

CheekyMoore

  • SCF Newbie
  • *
  • Posts: 6
  • KARMA: 1
Re: serious infection, please help
« Reply #6 on: 01. January 2008., 19:31:50 »
Until I hear from you again I am going to repeat the steps. I am unable to update Kaspersky because I do not have a key, so I am going to uninstall and then reinstall, update, and then create another log. I will provide another HJT log, and since the online McAfee scan is unavailable I got the actual McAfee. I will use the McAfee between the reinstallations of Kaspersky.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: serious infection, please help
« Reply #7 on: 01. January 2008., 21:10:16 »
Hi again CheekyMoore, sorry for the delay ... (reason: New Year and related things :)).

I also wish you a Happy New Year and all the best. :)

Now I'll wait for your next logs and analyze them after that; also, I think I found the reason (inside the latest HJT log) for your broken Internet connection:

Quote
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing

This is difficult to fix, but we will try with this:

- visit this site: http://www.cexx.org/lspfix.htm and download, install and run the tool designed for this type of issue, called LSPFix, which would probably be the best one to use

- after that try your connection; if the connection still doesn't work, try to make another one through the connection wizard

That's all for now, I'll wait for your next reports.

Regards,

S.

CheekyMoore

  • SCF Newbie
  • *
  • Posts: 6
  • KARMA: 1
Re: serious infection, please help
« Reply #8 on: 02. January 2008., 15:26:06 »
Hello, the delay was no trouble, I am just happy that you had a nice New Year! I am still recovering from New Year's Eve myself, haha, so excuse me if I am not thinking absolutely clearly. Firstly, I uninstalled Kaspersky to install McAfee, but McAfee wouldn't install because Spybot S&D was installed, and I was unable to remove Spybot S&D. Upon reinstallation of Kaspersky the program still would not let me update until I had an activation code. So... I ran the full scan again and this time it came back with nothing! Here is my HJT log from after the scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:40 AM, on 1/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Mr. Moore\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3771D520-29C3-4A1A-9C8A-C13CD7CDAFCD} - C:\WINDOWS\System32\khhih.dll (file missing)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINDOWS\system32\urqqolj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - (no file)
O2 - BHO: {5ec48c00-7f7d-cbd9-1ee4-dc2ef2c9e5b6} - {6b5e9c2f-e2cd-4ee1-9dbc-d7f700c84ce5} - C:\WINDOWS\System32\voaocmfu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] -"C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O15 - Trusted Zone: *.amaena.com
O20 - Winlogon Notify: okcxarpq - okcxarpq.dll (file missing)
O20 - Winlogon Notify: urqqolj - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - -C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\profsyrt.html

--
End of file - 6207 bytes


Afterwards I rebooted in Safe Mode and ran another full scan. Here is the HJT log from after that scan.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3771D520-29C3-4A1A-9C8A-C13CD7CDAFCD} - C:\WINDOWS\System32\khhih.dll (file missing)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - C:\WINDOWS\system32\urqqolj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - (no file)
O2 - BHO: {5ec48c00-7f7d-cbd9-1ee4-dc2ef2c9e5b6} - {6b5e9c2f-e2cd-4ee1-9dbc-d7f700c84ce5} - C:\WINDOWS\System32\voaocmfu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] -"C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: My_AutoWarkey_Script.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O15 - Trusted Zone: *.amaena.com
O20 - Winlogon Notify: okcxarpq - okcxarpq.dll (file missing)
O20 - Winlogon Notify: urqqolj - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - -C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\profsyrt.html

--
End of file - 5923 bytes


And I will start work on your newest instructions. Thank you for your help.

CheekyMoore

  • SCF Newbie
  • *
  • Posts: 6
  • KARMA: 1
Re: serious infection, please help
« Reply #9 on: 02. January 2008., 15:58:32 »
The program worked like a charm! I am sending this from the infected computer!
