sciekad.dll asappsrv.dll [Archive] - Safer-Networking Forums

View Full Version : sciekad.dll asappsrv.dll

stacked_deck

2006-12-31, 18:05

i tried to avoid makin a duplicate post, but after reading several posts about my similiar topic it appears as tho no matter how similiar, the situations are still unique. i have been fighting this command control thing for awhile. i've managed to delete alot of registry files that found there way onto my pc thru this exploit. however i cannot delete sciekad.dll or asappsrv.dll because i cannot locate them. i have my hijackthis log and am awaiting further instruction. i'm not exactly a newbie at this...i've managed to thwart off many invasions but this particular one is driving me nuts. i cant find it on my pc anywhere no matter how i choose to word my search. here is my hijackthis log. but first i attained this error almost immediatly after starting hijackthis
-------------------------
An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=win.ini, sSection=windows, sValue=load)
Error #5 - Invalid procedure call or argument

Please email me at merijn(@)spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1
---------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:52:18 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\ASKS~1\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\derek\Desktop\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,brmfyab.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINDOWS\system32\sciekad.dll (file missing)
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1F4C1D9-054E-0AB3-1C77-5BF07FCD3C90} - (no file)
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AWMON] C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateMMC.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eepp] "C:\PROGRA~1\COMMON~1\ASKS~1\taskmgr.exe" -vt yazb
O4 - Global Startup: Pinnacle Mobile Media Converter Updatecheck.lnk = C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nmnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: C:\WINDOWS\system32\svch3ig.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: ccpELABoDLeeW - {489EB93E-E234-1394-07FA-70DC6DE55F71} - C:\WINDOWS\system32\qfl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000245 (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Mr_JAk3

2007-01-01, 09:49

Hi stacked_deck and welcome to the Forums :)

One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but I can't promise that we get you 100% clean.

Please let us know what you have decided to do in your next post:bigthumb:

tashi

2007-01-08, 18:56

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

tashi

2007-01-19, 07:28

Re-opened upon request. :)

stacked_deck

2007-01-19, 07:41

omg she is fast, i dont believe more than 15 seconds elapsed b4 thread was opened.

i do not have a copy of xp pro or i woulda reformatted, i dont believe i will be able to reformat my drive again until i get vista. hopefully that'll be soon but then again it's prolly not any time in the near future. i would greatly appreciate some help on getting most of this off my pc.... on another note i found a thread here that a guy said svchost.exe was a virus...(i have like 4 of those processes in my registry) was that a true statement?
and i did a search on a file that pinnacle video converter wants to use on start up but claims another app is using the same process. i did a search for the file name updatemmc.xml and the only location on the entire web is in the hijackthis log i put up on this site.....weird....this site was the ONLY result. i figure since its been a couple weeks i might have a new friendly malware so i will post a new hijackthis log....and to make matters worse i believe this virus is messing up my itunes because now all itunes wants to do is wipe my ipod... i spoke to a man at the mall of america at apple's genius bar, and he reassured me that my ipod is not corrupt at all but either i have corrupt itunes or virus...i have eliminated the possibility of itunes or my ipod being corrupt...so untill this malware is gone.....no more ipod

Logfile of HijackThis v1.99.1
Scan saved at 12:37:06 AM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\ASKS~1\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\derek\Desktop\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,brmfyab.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINDOWS\system32\sciekad.dll (file missing)
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1F4C1D9-054E-0AB3-1C77-5BF07FCD3C90} - (no file)
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AWMON] C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateMMC.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eepp] "C:\PROGRA~1\COMMON~1\ASKS~1\taskmgr.exe" -vt yazb
O4 - Global Startup: Pinnacle Mobile Media Converter Updatecheck.lnk = C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nmnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_l6v.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: ccpELABoDLeeW - {489EB93E-E234-1394-07FA-70DC6DE55F71} - C:\WINDOWS\system32\qfl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000245 (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Mr_JAk3

2007-01-19, 07:49

Hi again :)

You're still badly infected, well begin the cleaning.

C:\WINDOWS\System32\svchost.exe is a legitimate windows component.

You should print these instructions or save these to a text file. Follow these instructions carefully.

First install MVPS HOSTS:

Download and unzip hosts.zip from HERE (http://www.mvps.org/winhelp2002/hosts.zip) to a folder (hosts).
When you get a chance please read more about what we are doing HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Here's a Tutorial (http://www.mvps.org/winhelp2002/hosts2.htm) on how to install it, but it's installed like this:

Open up the hosts folder and double-click on the mvps.bat file, it will rename your present HOSTS file to HOSTS.MVP, then it will copy the new HOSTS file to the correct location on your machine. It happens very quickly so don't blink!

You're done with this step.

Next....

Look in your control panels add/remove programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
and any other programs you didn't install or don't recognize - if your not sure please ask first

Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

stacked_deck

2007-01-19, 08:26

ok i totally follow everything you're saying. there is only one problem when i turn on the computer and rapidly tap F8 i never get the option to go into safe mode. and i've actually tried to enter safe mode before when i first got the virus...didnt there used to be a way to boot into safe mode by telling windows to do so b4 u rebooted it?

stacked_deck

2007-01-19, 09:35

also i've noticed that whatever is controlling my pc has deleted or corrupted but basically rendered my VirusScan On-Access Scanner useless. it has been disabled and has locked me out of the privileges needed to re-enable that. it also disabled Mcafee and disabled my windows firewall as well as turning off auto updates basically it rendered my entire windows security center absolutely useless. i tried reinstalling mcafee i think i succeeded one time but success was short lived because it was back to its unworking status ten minutes later.

stacked_deck

2007-01-19, 16:38

F8 deal is impossible...i cant pull it off...google show'd me how to use msconfig to pull it off

SDfix report shows

SDFix: Version 1.59

Fri 01/19/2007 - 9:29:15.10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

COM+ Messages
TCP and UDP Supp0rt

Path:

"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000245
C:\WINDOWS\system32\tccpip.exe /winnt

COM+ Messages Deleted
TCP and UDP Supp0rt Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File
Killing PID 152 'smss.exe'
Killing PID 224 'winlogon.exe'

Rebooting

Normal Mode:

Checking Files:

Files will be copied to Backups folder then removed:

C:\WINDOWS\system32\game0.exe.exe - Deleted
C:\WINDOWS\system32\google.png.exe - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\alkdfjaavu.exe.exe - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td14.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td16.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td18.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td19.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td1A.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td1B.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td1C.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td1E.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td1F.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td20.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td21.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td22.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td23.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td24.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td25.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td26.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td27.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td28.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td29.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td2A.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td2B.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td2D.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td2E.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td2F.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td30.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td31.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td32.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td33.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td34.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td35.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td36.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\_td37.tmp - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\temp_184171.bat - Deleted
C:\DOCUME~1\derek\LOCALS~1\Temp\uninstall.exe - Deleted
C:\WINDOWS\emdat.tm - Deleted
C:\WINDOWS\emdat.tmp - Deleted
C:\WINDOWS\PART0100.DAT - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\nordsys.exe - Deleted
C:\WINDOWS\system32\ppl.exe - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\system32\w.exe - Deleted
C:\WINDOWS\ws386.ini - Deleted

Alternate Stream Check:

C:\WINDOWS\system32
:lzx32.sys 65568
Total size: 65568 bytes.

Removing ADS...

system32: deleted 65568 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------

Rootkit PE386 Found!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\vxga5me3.exe"="C:\\WINDOWS\\system32\\vxga5me3.exe:*:ENABLED:0"
"C:\\WINDOWS\\type32w.exe"="C:\\WINDOWS\\type32w.exe:*:Enabled:Server"
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"
"C:\\Documents and Settings\\derek\\Local Settings\\Temporary Internet Files\\Content.IE5\\GHIJKLMN\\p[1].exe"="C:\\Documents and Settings\\derek\\Local Settings\\Temporary Internet Files\\Content.IE5\\GHIJKLMN\\p[1].exe:*:Enabled:Enabled"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\type32w.exe"="C:\\WINDOWS\\type32w.exe:*:Enabled:Server"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\WINDOWS\system32\tmp_8cs.exe
C:\WINDOWS\system32\win_6.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\8102ED4CF1.sys
C:\WINDOWS\system32\AC7578082D.sys
C:\WINDOWS\system32\B4874969DF.sys
C:\Documents and Settings\derek\Local Settings\Temp\$b17a2e8.tmp
C:\WINDOWS\Temp\$_2341235.TMP

Finished

stacked_deck

2007-01-19, 16:40

after completing all the steps u listed hijackthis file shows

Logfile of HijackThis v1.99.1
Scan saved at 9:39:27 AM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\derek\Desktop\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINDOWS\system32\sciekad.dll (file missing)
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1F4C1D9-054E-0AB3-1C77-5BF07FCD3C90} - (no file)
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AWMON] C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateMMC.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nmnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_l6v.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: ccpELABoDLeeW - {489EB93E-E234-1394-07FA-70DC6DE55F71} - C:\WINDOWS\system32\qfl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

tashi

2007-01-19, 17:42

Do you wish for this topic to be closed?

TSounds to me, Stacked, like you probably need to reinstal your Windows.

i do indeed.....this crap is horrible....in the future i'll have to remember never ever search for serials...i think that'll be the biggest way to steer clear. stupidity....i searched for serials and caught a virus and ended up buying the software anyway...next time i'll dish up the cash...because the amount of hours spent fixing this vastly outweighs the cash i coulda paid upfront

http://forums.spybot.info/showthread.php?p=64879#post64879

stacked_deck

2007-01-19, 17:50

uhhhh....i will wait for a response here....that other thread i didnt start

tashi

2007-01-19, 18:06

The reason I asked was because after:
you probably need to reinstal your Windows

The response was:
i do indeed That needed to be clarified to make sure that our volunteer's time is not wasted.

Mr_JAk3 will continue to assist you in the cleanup when back on-line. :)

stacked_deck

2007-01-19, 18:07

sorry i was typing that post while you posted your post and did not know that you had posted your post

stacked_deck

2007-01-19, 18:09

i meant that i did indeed have a nightmare occurring on my pc

Mr_JAk3

2007-01-19, 19:55

Hi again :)

You also have a rootkit infection there :sick:

Download RustBFix from one of the following locations...

http://www.uploads.ejvindh.net/rustbfix.exe

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

:bigthumb:

stacked_deck

2007-01-19, 23:47

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\favmaujg

*******************

Script file located at: \??\C:\Documents and Settings\bfoibkau.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

************************* Rustock.b-fix -- By ejvindh *************************
Fri 01/19/2007 16:40:38.67

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\lzx32.sys FOUND!
attempting to delete lzx32.sys from system32-folder

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************

stacked_deck

2007-01-19, 23:48

Logfile of HijackThis v1.99.1
Scan saved at 4:48:32 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\derek\Desktop\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINDOWS\system32\sciekad.dll (file missing)
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1F4C1D9-054E-0AB3-1C77-5BF07FCD3C90} - (no file)
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AWMON] C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateMMC.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nmnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_l6v.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: ccpELABoDLeeW - {489EB93E-E234-1394-07FA-70DC6DE55F71} - C:\WINDOWS\system32\qfl.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Mr_JAk3

2007-01-20, 09:47

Ok good :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

stacked_deck

2007-01-20, 17:28

"derek" - 07-01-20 10:15:40 Service Pack 2
ComboFix 07-01-18 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe
C:\DOCUME~1\derek\Application Data\Dxcknwrd.dll
C:\DOCUME~1\derek\Application Data\Dxcuknwrd.dll
C:\DOCUME~1\derek\Application Data\Microsoft\2236.dat
C:\WINDOWS\system32\dxclib~1.dll
C:\WINDOWS\system32\se.exe
C:\WINDOWS\system32\ss.exe
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\dembat.tm
C:\WINDOWS\SmVmZiBXZWJiZXI
C:\Program Files\Common Files\{389EB~1
C:\Program Files\Common Files\{489EB~1
C:\Program Files\Common Files\{489EB~2
C:\Documents and Settings\All Users\Documents\Settings
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\SYSTM3~1

((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 ))))))))))))))))))))))))))))))))))

2007-01-19 17:31 <DIR> d-------- C:\Program Files\Safer Networking
2007-01-19 16:43 <DIR> d-------- C:\avenger
2007-01-19 16:40 <DIR> d-------- C:\Rustbfix
2007-01-19 15:26 <DIR> d-------- C:\Program Files\Advanced PDF to HTML converter
2007-01-19 09:28 <DIR> d-------- C:\SDFix
2007-01-19 09:25 <DIR> d-------- C:\WINDOWS\pss
2007-01-18 21:10 <DIR> d-------- C:\Program Files\iTunes
2007-01-18 21:10 <DIR> d-------- C:\Program Files\iPod
2007-01-18 21:10 <DIR> d-------- C:\Program Files\Apple Software Update
2007-01-13 16:19 10,773 -r-h----- C:\WINDOWS\system32\win_6.exe
2007-01-13 16:18 10,773 --a------ C:\WINDOWS\system32\18595462ld.exe
2006-12-31 10:15 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-31 10:15 <DIR> d-------- C:\Program Files\Grisoft
2006-12-31 08:47 <DIR> d-------- C:\QUARANTINE
2006-12-28 13:25 84,992 --------- C:\WINDOWS\system32\ATL70.DLL
2006-12-28 13:25 54,784 --------- C:\WINDOWS\system32\MSVCI70.DLL
2006-12-28 13:25 487,424 --------- C:\WINDOWS\system32\MSVCP70.DLL
2006-12-28 13:25 471,040 --------- C:\WINDOWS\system32\HHActiveX.dll
2006-12-28 13:25 344,064 --------- C:\WINDOWS\system32\MSVCR70.DLL
2006-12-28 13:25 162,304 --------- C:\WINDOWS\system32\lame_enc.dll
2006-12-28 13:24 <DIR> d-------- C:\Program Files\Pinnacle
2006-12-28 13:20 <DIR> d-------- C:\Program Files\Common Files\çasks
2006-12-28 13:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Pinnacle
2006-12-28 10:44 <DIR> d-------- C:\Program Files\Common Files\wuuw
2006-12-27 11:19 66,267 --a------ C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
2006-12-27 11:19 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-12-27 11:19 139,264 --a------ C:\WINDOWS\mirar_distro_876088.exe
2006-12-27 11:19 116,138 --a------ C:\WINDOWS\18-979cccfcc7622e89302a49c23b6fa37a.exe
2006-12-27 11:18 356,663 --a------ C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
2006-12-27 11:18 <DIR> d-------- C:\WINDOWS\system32\SmartShopper
2006-12-27 11:18 <DIR> d-------- C:\WINDOWS\system32\SearchTool
2006-12-27 10:08 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2006-12-27 10:08 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2006-12-27 10:08 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-12-27 10:08 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2006-12-27 10:08 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2006-12-27 10:08 <DIR> d-------- C:\Program Files\Cucusoft
2006-12-27 10:08 <DIR> d-------- C:\ConverterOutput
2006-12-27 10:03 <DIR> d-------- C:\DOCUME~1\derek\Application Data\DivX
2006-12-27 10:00 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-12-27 10:00 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-12-26 14:13 30,720 --a------ C:\WINDOWS\system32\13471402ld.exe
2006-12-26 14:05 30,720 --a------ C:\WINDOWS\system32\5358592ld.exe
2006-12-25 21:19 30,720 --a------ C:\WINDOWS\system32\19257652ld.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-20 10:17 -------- d---s---- C:\DOCUME~1\derek\Application Data\microsoft
2007-01-20 10:13 -------- d-------- C:\Program Files\mozilla firefox
2007-01-19 01:14 -------- d-------- C:\Program Files\atomixmp3
2007-01-18 23:26 -------- d--h----- C:\Program Files\bho plugin
2007-01-18 21:10 -------- d-------- C:\DOCUME~1\derek\Application Data\apple computer
2007-01-13 15:05 -------- d-------- C:\DOCUME~1\derek\Application Data\limewire
2006-12-31 12:28 -------- d-------- C:\Program Files\mozilla thunderbird
2006-12-31 10:18 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-12-28 13:24 -------- d--h----- C:\Program Files\installshield installation information
2006-12-27 11:18 299 --a------ C:\DOCUME~1\derek\Application Data\internaldb1942.dat
2006-12-27 11:18 23 --a------ C:\DOCUME~1\derek\Application Data\inifile41.ini
2006-12-27 10:00 -------- d-------- C:\Program Files\divx
2006-12-25 21:28 -------- d-------- C:\Program Files\quicktime
2006-12-16 21:48 30720 --a------ C:\WINDOWS\system32\4836562ld.exe
2006-12-12 10:30 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-12-12 10:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 10:30 20640 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-12-12 10:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 10:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 10:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 10:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 10:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 10:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 10:25 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-12-12 10:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-12-12 10:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 10:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-12-12 10:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 10:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 10:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 10:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 10:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-12-12 10:24 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-12-04 19:33 10577 -r-h----- C:\WINDOWS\system32\tmp_8cs.exe
2006-12-03 00:56 10609 --a------ C:\WINDOWS\system32\560622ld.exe
2006-11-22 07:46 94720 --a------ C:\WINDOWS\system32\pdvyeng.dll
2006-11-18 15:40 94720 --a------ C:\WINDOWS\system32\hfhkiog.dll
2006-11-18 15:40 71168 --a------ C:\WINDOWS\system32\hqimrnf.dll
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-26 05:17 78848 --a------ C:\WINDOWS\system32\nsdbc.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"AWMON"="C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Pinnacle WebUpdater"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\WebUpdater\\WebUpdater.exe\" -s -f=UpdateMMC.xml -url=http://cdn.pinnaclesys.com/SupportFiles"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load]
"pstincl"=hex:f5,ab,8e,90,60,78,57,42,7b,21,17,0e,ab,c5,ab,86,69,4f,7f,08,f3,\
da,8b,64,2e,05,9f,ac,63,2c,f6,fa,75,32,ed,ad,2b,29,c5,83,2f,fd,81,02,e0,9a,\
37,d6,72,05
"uincl"=hex:99,f5,b2,32,78,6d,50,41,33,6b,4b,56,f9,cb,a5,8f,6b,0f,26,08,e2,da,\
88,70,39,02,8a,ba,7f,67,f1,aa,2f,6b,ab,a5,7f,3e,cd,9f,2d,f4,89,5b,f5,9b,6a,\
c5,6f,5a,ac,5d,e4,89,17,eb,6f,9e,4d,fb,71,e7,6f,af,61,ef,66,fc,63,f0,4a,d4,\
33,a2,4a,9a,ff,44,eb,4b,2f,cd,2b,8e,ff,57,97,f4,32,87,c8,3c,64,f2,ec,35,74,\
b1,f7,73,3f,f6,cb,1d,22,23,ca,d7,f1,1d,2d,4e,6e,84,b0,87,f3,16,09,6a,28,45,\
50,69,63,33,2b,2e,6d,78,2a,60,76,37,47,5e,2d,7e,4e,56,f6,c6,b6,8c,73,4d,2b,\
0e,f9,d7,ca,70,33,01,9f,b1,64,3d,f4,b2,3a,6e,ab,be,75,35,c7,9e,2d,f4,ce,17,\
f3,86,69,ce,70,04,b6,48,e4,90,12,b4,22,d0,4a,f2,3e,ea,6b,af,75,ea,2b,a3,3f,\
ea,50,d0,32,a5,4a,9d
"timU"=dword:4513f95d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINDOWS\system32\win_l6v.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{CDEFEE3D-EDCB-4226-931B-90E184C11CAC}"="rjgoitr"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"ccpELABoDLeeW"="{489EB93E-E234-1394-07FA-70DC6DE55F71}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-20 10:17:28

Mr_JAk3

2007-01-20, 20:36

Hi again, we'll continue :)

Have you installed this Covenant Eyes "internet accountability" software. Surveillance software that tracks all activities, logs keystrokes, etc. ?

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware:
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Create a new folder for HijackThis and move HijackThis.exe into it.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load]
"pstincl"=-
"uincl"=-
"timU"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{CDEFEE3D-EDCB-4226-931B-90E184C11CAC}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"ccpELABoDLeeW"="-

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: (no name) - {2D86128A-F318-A748-A871-09AFA0430634} - C:\WINDOWS\system32\sciekad.dll (file missing)
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - (no file)
O2 - BHO: (no name) - {F1F4C1D9-054E-0AB3-1C77-5BF07FCD3C90} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_l6v.dll
O21 - SSODL: ccpELABoDLeeW - {489EB93E-E234-1394-07FA-70DC6DE55F71} - C:\WINDOWS\system32\qfl.dll (file missing)

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\win_6.exe
C:\WINDOWS\system32\18595462ld.exe
C:\WINDOWS\system32\win_l6v.dll
C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
C:\WINDOWS\mirar_distro_876088.exe
C:\WINDOWS\18-979cccfcc7622e89302a49c23b6fa37a.exe
C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
C:\WINDOWS\system32\13471402ld.exe
C:\WINDOWS\system32\5358592ld.exe
C:\WINDOWS\system32\19257652ld.exe
C:\WINDOWS\system32\4836562ld.exe
C:\WINDOWS\system32\tmp_8cs.exe
C:\WINDOWS\system32\560622ld.exe
C:\WINDOWS\system32\pdvyeng.dll
C:\WINDOWS\system32\hfhkiog.dll
C:\WINDOWS\system32\hqimrnf.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\system32\SmartShopper
C:\WINDOWS\system32\SearchTool
C:\Program Files\bho plugin
C:\Program Files\Common Files\çasks
C:\Program Files\Common Files\wuuw

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

stacked_deck

2007-01-23, 23:23

Logfile of HijackThis v1.99.1
Scan saved at 4:14:00 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\derek\Desktop\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateMMC.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AWMON] C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nmnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

i forgot to save avg's report....:oops:

stacked_deck

2007-01-23, 23:29

i guess i missed the stuff after the ====== marks. does avg have/keep a txt.file of the objects it quarantines anywhere?

stacked_deck

2007-01-24, 00:52

this log is from right after the first one that i quarantined all the stuff and forgot to save

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:50:46 PM 1/23/2007

+ Scan result:

C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003040.dll -> Adware.BitLocker : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003039.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003038.exe -> Adware.SearchTool : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003029.exe -> Downloader.Age.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003037.dll -> Downloader.Busky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003034.exe -> Downloader.Small.cyn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003035.exe -> Downloader.Small.cyn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003036.exe -> Downloader.Small.cyn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003030.exe -> Proxy.Dlena.bd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003031.exe -> Proxy.Dlena.bd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003032.exe -> Proxy.Dlena.bd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0426FF6C-A01A-4C54-86BF-5CA8BDB6C52F}\RP1\A0003033.exe -> Proxy.Dlena.bd : Cleaned with backup (quarantined).

::Report end

Mr_JAk3

2007-01-24, 20:30

Hi looks good :)

You forgot to answer this:

Have you installed this Covenant Eyes "internet accountability" software. Surveillance software that tracks all activities, logs keystrokes, etc. ?

Let me know :bigthumb:

stacked_deck

2007-01-24, 20:44

hello again

at one point that covenant eyes was installed but i believe its not anymore, my stepmom wanted to monitor everyone's use even my fathers and they have since decided to use hardware and not software on the pc.

after i ran avg i ran spybot and it picked up and was able to delete all three command files. i have not seen them return. and believe i have no more detectable virii

stacked_deck

2007-01-24, 20:45

just one last question...where did this command thing come from?

Mr_JAk3

2007-01-25, 11:10

Hi again, it is looking clean now :)

Well you had all kinds of infections there...I recommend the reading of the following article:
So how did I get infected in the first place? by TonyKlein (http://forums.spybot.info/showthread.php?t=279)

If McAfee doesn't include a firewall, you don't seem to a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a more advanced firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6.0) Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 1
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe ;)

Mr_JAk3

2007-01-29, 10:08

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: