PDA

View Full Version : Hi, A little help over here would be very helpful!



victorr
2007-01-08, 01:46
Hi folks, first time using these forums so forgive any mistakes.

My problem happened about 2 months ago when I visited a website, which should have been safe (guild website for WoW) and immediately got my AVG antivirus pop-up with a typical Trojan Virus. I did the virus scan and deleted the named file and it all seemed to be good and well. About two weeks ago the problems really started happening with AVG pop-ups happening around 4-5 times each time I would start up the computer, my system volume information folder in C:// was infected and these "Dropper Agents" were being found.

Now, on my computer I can't run regedit, control panel(specifically install and remove programs), and task manager. My system has also been very choppy lately, eg: pages are going very slow, very erratic, its not a smooth transition when I minimize or maximize folders/pages, also I cannot right click properties on desktop). My AVG virus scanner has not been helpful at all in this ordeal. I downloaded HijackThis and ran a log but I cannot access the .log file on my desktop. Please, I have read numerous posts and you helpers seem very very knowledgable on the matter... any help here would be greatly appreciated. Thank You.




(I cannot access notepad from Start>All Programs>Accessories as well)


Victor

Mr_JAk3
2007-01-10, 08:55
Hi victorr and welcome to the forums :)

Sounds like you're infected.

Does Notepad open if you try this:

Start -> Run -> Copy the following to the box and hit OK; notepad

Let me know also which version of windows are you using :bigthumb:

victorr
2007-01-12, 03:50
Hi Mr. Jak3, thank you for replying. Copying "notepad" into Start>Run did not work unfortunately. I am using Windows XP SP2, eagerly waiting your reply.


Victor

Mr_JAk3
2007-01-12, 22:32
Hi again :)

Seems that the notepad.exe is gone...

Please do the following:

Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and Save as: Name the file find.bat Save as Type: All files Select the desktop icon on the left to save it on the desktop.
Double click on find.bat and let it run.
When finished it will open a file in Notepad.
That file will be named info.txt
Please post the contents of info.txt into your next reply here.


if not exist Files MkDir Files

cd \ & dir /s /a /b notepad.exe > info.txt

Start Notepad info.txt

:bigthumb:

victorr
2007-01-13, 23:59
Hi Mr.Jak3, unfortunately I do not know follow your instructions, I cannot open notepad from Start>Run. I do not understand, could you please clarify. Thanks and sorry.


Victor

Mr_JAk3
2007-01-14, 09:18
Hi and sorry about that. Of course you can't run Notepad :red:

Please download notepad_xp.zip (http://www.richardthelionhearted.com/~merijn/files/windows/notepad_xp.zip)
and save it to your desktop. Unzip the contents (file named notepad.exe) to your desktop.

Then copy/paste the file notepad.exe to the following directories:
C:\WINDOWS
and
C:\WINDOWS\System32

Allow to replace if prompted.

Then try to start notepad:

Go to Start >Run and type: Notepad
If it starts, please run HijackThis again and post the log to here :bigthumb:

victorr
2007-01-15, 03:01
Hi Mr.Jak3 that notepad.exe worked perfectly,

Here is the logfile from HijackThis


Logfile of HijackThis v1.99.1
Scan saved at 3:44:20 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\M?crosoft\ping.exe
C:\DOCUME~1\Victor\LOCALS~1\Temp\Zt2\SVCH0ST.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Victor\LOCALS~1\Temp\svchost32.exe
C:\WINDOWS\system32\expiorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Victor\LOCALS~1\Temp\Rxa3\iexp1ore.exe
C:\DOCUME~1\Victor\LOCALS~1\Temp\conime.exe
C:\DOCUME~1\Victor\LOCALS~1\Temp\mhs2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Valve\Steam\steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Victor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://joblo.com/
R3 - URLSearchHook: (no name) - {D797F51D-3BD2-4404-A4AF-101342AF38C9} - C:\WINDOWS\system32\moba.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsj3E.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {D797F51D-3BD2-4404-A4AF-101342AF38C9} - C:\WINDOWS\system32\moba.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [mhs2] C:\DOCUME~1\Victor\LOCALS~1\Temp\mhs2.exe
O4 - HKLM\..\Run: [rxzs] C:\DOCUME~1\Victor\LOCALS~1\Temp\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [wlzs] C:\DOCUME~1\Victor\LOCALS~1\Temp\conime.exe
O4 - HKLM\..\Run: [zts2] C:\DOCUME~1\Victor\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Qfjslgf] C:\Program Files\Common Files\M?crosoft\ping.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Victor\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [myZt1] C:\DOCUME~1\Victor\LOCALS~1\Temp\Zt1\SVCH0ST.EXE
O4 - HKCU\..\Run: [myZt2] C:\DOCUME~1\Victor\LOCALS~1\Temp\Zt2\SVCH0ST.EXE
O4 - HKCU\..\Run: [myRx3] C:\DOCUME~1\Victor\LOCALS~1\Temp\Rxa3\iexp1ore.exe
O4 - HKCU\..\Run: [SyztMy] C:\WINDOWS\system32\expiorer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Victor\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} - http://app.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Victor\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Mr_JAk3
2007-01-15, 08:24
Hi again, good work :)

I've got bad news but I need to let you know that:

One or more of the identified infections is an a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but I can't promise that we'll get you 100% clean.

Please let us know what you have decided to do in your next post:bigthumb:

victorr
2007-01-15, 08:28
Hi Mr.Jak3, Unfortunate about the backdoor trojan but as I do not use the computer for banking or such things I am not worried about if any sensitive information was taken. I would like you too show me how to clean my computer, even if it won't be 100% clean. The reason being I have much too much music/travel photos and I just would like to see what the computer would be like after the cleaning. So my choice is to clean my computer to the best of yours and mines ability. Plus, it might be a challenge :)

Thanks so much, Victor.

Mr_JAk3
2007-01-15, 08:41
Hi :)

I'll be happy to help you wit the cleaning :D:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


Also 1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

So post 3 reports back to me, you might have to use more than one message so that nothing gets cut off :bigthumb:

victorr
2007-01-17, 09:18
Here is the ComboFix report
"Victor" - 07-01-16 23:15:44 Service Pack 2
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Victor\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\Common Files\DOBE~1
C:\qoobox\purity\Program Files\Common Files\MCROSO~1
C:\qoobox\purity\Program Files\Common Files\MCROSO~1\ping.exe
C:\qoobox\purity\WINDOWS\MBOLS~1
C:\qoobox\purity\WINDOWS\MBOLS~1\MBOLS~1
C:\qoobox\purity\WINDOWS\system32\ASEMBL~1
C:\qoobox\purity\WINDOWS\system32\MCROSO~1
C:\qoobox\purity\WINDOWS\system32\PPATCH~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-16 to 2007-01-16 ))))))))))))))))))))))))))))))))))


2007-01-16 23:14 514 --a------ C:\findcomboB.vbs
2007-01-16 23:14 3,603 --a------ C:\winlogondef.reg
2007-01-16 23:14 1,055 --a------ C:\region.reg
2007-01-16 23:14 <DIR> d-------- C:\6FtUnder
2007-01-16 23:13 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-16 23:06 <DIR> d-------- C:\SDFix
2007-01-16 17:30 64,455 --a------ C:\WINDOWS\mhs2.exe
2007-01-16 17:30 63,897 --a------ C:\WINDOWS\rxs3.exe
2007-01-16 17:30 62,251 --a------ C:\WINDOWS\zts3.exe
2007-01-16 17:30 51,200 --a------ C:\WINDOWS\system32\dms.dll
2007-01-11 08:54 65,609 --a------ C:\WINDOWS\wls3.exe
2007-01-11 08:51 60,416 --a------ C:\WINDOWS\system32\sbme.dll
2007-01-07 15:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-01-03 17:47 <DIR> d-------- C:\Program Files\Funcom
2006-12-31 13:34 53,200 --a------ C:\WINDOWS\system32\retemp.exe
2006-12-31 13:34 47,616 --a------ C:\WINDOWS\system32\tempms.exe
2006-12-27 19:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2006-12-27 18:37 <DIR> d-------- C:\DOCUME~1\Victor\Application Data\Azureus
2006-12-25 17:40 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-12-22 04:55 118,784 --a------ C:\WINDOWS\system32\nsj3E.dll
2006-12-19 17:31 <DIR> d-------- C:\Program Files\Octoshape Streaming Services


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-16 23:14 -------- d-------- C:\Program Files\microsoft antispyware
2007-01-16 23:08 -------- d-------- C:\Program Files\microsoft
2007-01-15 00:20 -------- d-------- C:\Program Files\warcraft iii
2007-01-11 08:51 2 --a------ C:\WINDOWS\system32\wnstscc.exe
2007-01-07 18:15 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-01-03 17:47 -------- d--h----- C:\Program Files\installshield installation information
2006-12-27 00:51 -------- d-------- C:\Program Files\world of warcraft
2006-12-22 16:31 -------- d-------- C:\Program Files\java
2006-12-07 19:20 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-11-19 15:26 -------- d-------- C:\Program Files\ea games


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"PowerBar"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Qfjslgf"="C:\\Program Files\\Common Files\\M?crosoft\\ping.exe"
"Aiip"="\"C:\\WINDOWS\\MBOLS~1\\svchost.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"wls3"="C:\\WINDOWS\\wls3.exe"
"zts3"="C:\\WINDOWS\\zts3.exe"
"rxs3"="C:\\WINDOWS\\rxs3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\autoplay.exe

Completion time: 07-01-16 23:16:58

victorr
2007-01-17, 09:19
Here is the SD Fix Report:

SDFix: Version 1.59

Tue 01/16/2007 - 23:07:18.17

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:


Path:



Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting

Normal Mode:

Checking Files:


Files will be copied to Backups folder then removed:

C:\Program Files\Microsoft\svhost32.exe - Deleted
C:\WINDOWS\system32\lEXPLORE.EXE - Deleted



Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArms\\System\\bia.exe"="C:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArms\\System\\bia.exe:*:Enabled:Brothers In Arms: Road to Hill 30"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"="C:\\Program Files\\Bit Lord 1.1\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\half-life 2\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\half-life 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\lostcoast\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\lostcoast\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"="C:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe:*:Enabled:WolfMP"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\day of defeat source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\TWKVPXWL\\Nefarian_EG-downloader[1].exe"="C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\TWKVPXWL\\Nefarian_EG-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\6L2TWTCB\\WoW-1.9.4.5086-to-0.10.0.5140-enUS-downloader[1].exe"="C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\6L2TWTCB\\WoW-1.9.4.5086-to-0.10.0.5140-enUS-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\half-life\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"="C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe:*:Enabled:fpupdate"
"C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\CHQ4VJ6I\\Naxxramas_English-downloader[1].exe"="C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\CHQ4VJ6I\\Naxxramas_English-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\2PQ0STUD\\wow-ptr-downloader2[1].exe"="C:\\Documents and Settings\\Victor\\Local Settings\\Temporary Internet Files\\Content.IE5\\2PQ0STUD\\wow-ptr-downloader2[1].exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Victor\\My Documents\\Cossacks\\warsow.exe"="C:\\Documents and Settings\\Victor\\My Documents\\Cossacks\\warsow.exe:*:Enabled:Warsow"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\team fortress classic\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\sephyz\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\EA GAMES\\Battlefield 2142 Demo\\BF2142.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2142 Demo\\BF2142.exe:*:Enabled:BF2142"
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"="C:\\Program Files\\Sierra\\FEAR\\FEAR.exe:*:Enabled:FEAR"
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"="C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe:*:Enabled:FEAR"
"C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"="C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe:*:Enabled:FEARXP"
"C:\\Program Files\\Octoshape Streaming Services\\Victor\\OctoshapeClient.exe"="C:\\Program Files\\Octoshape Streaming Services\\Victor\\OctoshapeClient.exe:*:Disabled:OctoshapeClient"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with hidden attributes:

C:\NTDETECT.COM
C:\Documents and Settings\Victor\My Documents\My Music\Rammstein.-.Reise.Reise.[www.zonadivx.com]l\AlbumArtSmall.jpg
C:\Documents and Settings\Victor\My Documents\My Music\Rammstein.-.Reise.Reise.[www.zonadivx.com]l\AlbumArt_{61F0E3A7-30D3-4DC8-8458-F81000ED58C4}_Large.jpg
C:\Documents and Settings\Victor\My Documents\My Music\Rammstein.-.Reise.Reise.[www.zonadivx.com]l\AlbumArt_{61F0E3A7-30D3-4DC8-8458-F81000ED58C4}_Small.jpg
C:\Documents and Settings\Victor\My Documents\My Music\Rammstein.-.Reise.Reise.[www.zonadivx.com]l\desktop.ini
C:\Documents and Settings\Victor\My Documents\My Music\Rammstein.-.Reise.Reise.[www.zonadivx.com]l\Folder.jpg
C:\Documents and Settings\Victor\My Documents\My Music\Rammstein.-.Reise.Reise.[www.zonadivx.com]l\Thumbs.db
C:\Documents and Settings\Victor\Local Settings\Temp\gqnz8.dll
C:\Documents and Settings\Victor\Local Settings\Temp\ho.dll
C:\Program Files\Common Files\M?crosoft\ping.exe
C:\Program Files\Internet Explorer\PLUGINS\temp.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Program Files\Internet Explorer\PLUGINS\system16.sys
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

victorr
2007-01-17, 09:20
Here is the HijackThis Report. THANK YOU so much Mr.Jak3 now everything is running just like before. I thank you so much for checking over these logs and making sure my computer is as clean as it can get.

Logfile of HijackThis v1.99.1
Scan saved at 11:19:18 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wls3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\zts3.exe
C:\WINDOWS\rxs3.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Victor\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {D8D9AFF1-6A3E-4ABC-1930-4CC65E39319A} - C:\WINDOWS\system32\sbme.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {D8D9AFF1-6A3E-4ABC-1930-4CC65E39319A} - C:\WINDOWS\system32\sbme.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wls3] C:\WINDOWS\wls3.exe
O4 - HKLM\..\Run: [zts3] C:\WINDOWS\zts3.exe
O4 - HKLM\..\Run: [rxs3] C:\WINDOWS\rxs3.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Qfjslgf] C:\Program Files\Common Files\M?crosoft\ping.exe
O4 - HKCU\..\Run: [Aiip] "C:\WINDOWS\MBOLS~1\svchost.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} - http://app.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Victor\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Mr_JAk3
2007-01-17, 15:38
Hi again :)

Looks better but you're not clean yet...

Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Create a new folder for HijackThis and move HijackThis.exe into it.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Disable MS AntiSpyware's realtime protection
Right-click on the Microsoft Anti-Spyware icon in the system tray (the red and yellow bulls-eye)
Click on Security Agents Status
Click on Disable real-time protection
Close the program
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
wls3.exe
zts3.exe
rxs3.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: (no name) - {D8D9AFF1-6A3E-4ABC-1930-4CC65E39319A} - C:\WINDOWS\system32\sbme.dll
O2 - BHO: (no name) - {D8D9AFF1-6A3E-4ABC-1930-4CC65E39319A} - C:\WINDOWS\system32\sbme.dll
O4 - HKLM\..\Run: [wls3] C:\WINDOWS\wls3.exe
O4 - HKLM\..\Run: [zts3] C:\WINDOWS\zts3.exe
O4 - HKLM\..\Run: [rxs3] C:\WINDOWS\rxs3.exe
O4 - HKCU\..\Run: [Qfjslgf] C:\Program Files\Common Files\M?crosoft\ping.exe
O4 - HKCU\..\Run: [Aiip] "C:\WINDOWS\MBOLS~1\svchost.exe" -vt ndrv
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Victor\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

Please run Killbox.
Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\mhs2.exe
C:\WINDOWS\rxs3.exe
C:\WINDOWS\zts3.exe
C:\WINDOWS\system32\dms.dll
C:\WINDOWS\wls3.exe
C:\WINDOWS\system32\sbme.dll
C:\WINDOWS\system32\retemp.exe
C:\WINDOWS\system32\tempms.exe
C:\WINDOWS\system32\nsj3E.dll
C:\Program Files\Internet Explorer\PLUGINS\system16.sys

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

victorr
2007-01-22, 00:41
Sorry for the wait Mr.Jak3, been extremely busy this last week.
Here is the AVG Anti Spyware Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:36:32 PM 1/21/2007

+ Scan result:



C:\Program Files\Common Files\Microsoft Shared\MSInfo\WinInfo.bak -> Downloader.Delf.bdg : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\MSInfo\WinInfo.bkk -> Downloader.Delf.bdg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP26\snapshot\MFEX-1.DAT -> Downloader.Delf.bdg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP33\snapshot\MFEX-1.DAT -> Downloader.Delf.bdg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP26\A0016858.exe -> Downloader.Small.czl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP40\A0038261.exe -> Downloader.Small.czl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0023925.exe -> Dropper.Agent.ayr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\system@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP27\A0017877.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP27\A0018877.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP27\A0019877.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP27\A0022881.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0023922.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0023937.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP31\A0025937.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP31\A0026952.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP32\A0026971.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP32\A0026994.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP33\A0027135.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP33\A0027150.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP34\A0027173.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP35\A0029173.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP36\A0031173.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP37\A0033173.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP37\A0034186.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP37\A0035200.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP14\A0006024.dll -> Trojan.Agent.jq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0023926.dll -> Trojan.Agent.jq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP16\snapshot\MFEX-1.DAT -> Trojan.Delf.mc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP17\snapshot\MFEX-1.DAT -> Trojan.Delf.mc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP11\A0005787.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP11\A0005801.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP12\A0005878.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP12\A0005890.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP12\A0005967.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP12\A0005982.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP13\A0006005.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP14\A0006028.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP14\A0007021.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP15\A0007104.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP16\A0007183.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP16\A0008199.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP17\A0008276.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP18\A0009292.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP19\A0009313.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP33\A0027118.dll -> Trojan.Nilage.ara : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0022914.exe -> Trojan.Nilage.avi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP40\A0038263.exe -> Trojan.Nilage.bbr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/lexplore.exe -> Trojan.Nilage.beq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP41\A0039255.exe -> Trojan.Nilage.beq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP32\A0027002.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP33\A0027134.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP33\A0027157.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP34\A0027180.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP35\A0029174.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP36\A0031176.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP37\A0033175.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP37\A0034187.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP37\A0035203.dll -> Trojan.Nilage.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP32\A0027003.exe -> Trojan.Nilage.bes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP40\A0038262.exe -> Trojan.Nilage.bes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP40\A0038264.exe -> Trojan.OnLineGames.bs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP25\A0016832.dll -> Trojan.OnLineGames.cz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP27\A0019880.dll -> Trojan.OnLineGames.cz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP27\A0022882.dll -> Trojan.OnLineGames.cz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0022910.dll -> Trojan.OnLineGames.cz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0022909.exe -> Trojan.OnLineGames.de : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP37\A0035210.exe -> Trojan.OnLineGames.ds : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP34\A0027183.exe -> Trojan.OnLineGames.ev : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP44\A0039820.exe -> Trojan.OnLineGames.fe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP42\A0039729.exe -> Trojan.OnLineGames.fp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP41\A0039328.sys -> Trojan.QQPass.sc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP28\A0022899.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP32\A0026980.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP36\A0031178.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93D74481-FAB2-4FDB-8DDE-A1BE56A9EAC8}\RP39\A0038241.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wnstscc.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

victorr
2007-01-22, 00:42
And here is the HijackThis Report:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:07 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Victor\Desktop\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} - http://app.ipop.co.kr/ipop/ipopx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Mr_JAk3
2007-01-22, 16:27
Hi again, it is looking clean now :)
The pc is running fine ?

You don't seem to a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6.0) Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 10
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

victorr
2007-01-23, 07:45
THANK YOU SO MUCH Mr.Jak3 I went from thinking I may need to buy a new computer to your expert advice guiding me through this. One last question tho, do you or does this site accept donations?

Thank You,


Victor

Mr_JAk3
2007-01-23, 12:13
You're very welcome :D:

Our help is free but donations (http://www.spybot.info/en/donate/index.html) are always very appreciated. Thank you :bigthumb:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: