
Got a problem here -- Can't figure out how to get rid of it



motorhead
2007-04-08, 20:07
Well I got a bad problem -- which I've removed in the future but this time it's being a real pain.

I accidentally got this ... whatever it is by clicking before reading -- stupid me.

It initially locked my computer down pretty hardcore, disabled my Task Manager so I couldn't open it. And added a user account on my comp ... after removing it and playing around with a few things ... I got it back to ... almost normal.

Now after running Spybot and HijackThis, it still won't get rid of it.

Spybot log is too long.... but here is the HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 2:07:12 PM, on 4/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Spybot\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Trav\Desktop\897 7.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.nasioc.com/forums
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Spybot\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\ouviewer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ouviewer.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\DOCUME~1\Trav\LOCALS~1\Temp\ieupdate.exe (file missing)
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
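
To make the suspicious entries in the log above easier to spot, here is an added example (not from the poster or the forum) that walks HijackThis-style lines and flags the persistence mechanisms visible in this thread: the extra executable chained into UserInit, the unknown Winsock LSP, the AppInit_DLLs and Winlogon Notify DLLs, and services whose file is missing, that run from a Temp directory, or that reuse a core process name outside \system32. The sample lines are constructed from the log above, with one benign O4 and one benign O23 line kept as negatives.

```python
# Constructed sample: lines copied from the HJT log in the post above, plus a benign O4 line.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\ouviewer.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: ieupdater (Microsoft IE Updater) - Unknown owner - C:\DOCUME~1\Trav\LOCALS~1\Temp\ieupdate.exe (file missing)
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}  # genuine copies live in \system32

def parse_hjt(text):
    """Yield (section, body) for every 'Oxx - ...' entry line of an HJT log."""
    for line in text.splitlines():
        sec, sep, body = line.strip().partition(" - ")
        if sep and sec[:1].isalpha() and sec[1:].isdigit():
            yield sec, body

def check_entry(sec, body):
    """Return the reasons (possibly none) this entry deserves a manual look."""
    reasons, low = [], body.lower()
    if sec == "F2" and "userinit=" in low:
        # A clean value is exactly "userinit.exe," : one entry, nothing chained after it.
        entries = [e for e in low.split("userinit=", 1)[1].split(",") if e.strip()]
        if len(entries) != 1 or not entries[0].endswith("userinit.exe"):
            reasons.append("extra executable chained into UserInit (runs at every logon)")
    elif sec == "O10" and "unknown file" in low:
        reasons.append("unrecognised Winsock LSP DLL sits in the path of all network traffic")
    elif sec == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs injects this DLL into every process that loads user32")
    elif sec == "O20" and low.startswith("winlogon notify:"):
        reasons.append("Winlogon Notify DLL is loaded inside winlogon.exe; verify it")
    elif sec == "O23":
        path = low.rsplit(" - ", 1)[-1]  # the image path is the last field
        if "(file missing)" in path:
            reasons.append("service points at a file that no longer exists")
        if "\\temp\\" in path:
            reasons.append("service image lives under a Temp directory")
        name = path.replace("(file missing)", "").strip().split("\\")[-1]
        if name in CORE_NAMES and "\\system32\\" not in path:
            reasons.append("core process name used outside \\system32")
    return reasons

def triage(text):
    """Entries that raised at least one reason, as (section, body, reasons)."""
    return [t for t in ((s, b, check_entry(s, b)) for s, b in parse_hjt(text)) if t[2]]
```

Run `triage(SAMPLE_LOG)` to get six flagged entries; the msnmsgr and NVSvc lines pass clean, which matches what the helper below treats as the real infection.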

motorhead
2007-04-08, 20:09
Oh! And uh... Thanks for the help in advance. Most of the time I can get rid of it myself but damn this one is tough...

motorhead
2007-04-08, 20:13
AND! ... Sorry, forgot to add this.


Spybot refused to remove ...

C:/windows/system32/rpcc.dll

c:/windows/system32/wsnpoem/video.dll

c:/windows/system32/wsnpoem/audio.dll

c:/windows/system32/wsnpoem/

Angelfire777
2007-04-09, 00:40
Hi, welcome to Safer Networking forums!

I'm afraid I've got some bad news...

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.
___________

Should you decide to clean please do the following first:

You are currently using an unpatched version of Microsoft XP. It is CRITICAL that you update to Service Pack 1.
Please visit this link:
Microsoft Service Pack 1 (http://www.softwarepatch.com/windows/winxpsp1.html)

and install Service Pack 1. If you run into troubles, please post them here.

IMPORTANT: DO NOT update to Service pack 2. Doing so before your computer is clean can cause Windows to become unstable.
We will update to SP2 when you are clean.


Please post back with a HJT log and your computer running with Service pack 1, or with any problems you are having updating.

motorhead
2007-04-09, 00:50
Thanks a bunch. I would rather clean it for the time being. And am downloading and installing SP1. Will report with HJT soon following.

Angelfire777
2007-04-09, 00:57
Ok. I'll be standing by:bigthumb:

motorhead
2007-04-09, 01:04
BAH. Well... It looks like I'm going to have to forego installing SP1.

I have a slight problem as well with drive space on my comp sometimes. It's been a long-running fit of laziness that I have been needing to fix, and kept procrastinating. I run Windows XP (and only XP) installed on a 4.5gb hard drive. And run all my games, movies, pictures, etc on a 70gb HD... Frequently I run into problems with it... And I always just work around it.

So. I'm thinkin I'm just gonna hook up my 350gb External HD right now, transfer everything over ... and then go buy a new copy of XP Professional SP2.

Considering I have a trojan, would you think it would be advisable to transfer the things I want to keep to my External, and then format, and remove the 4-gig... and use my 70 in tandem with the 350? Or would the Trojan get "ahold" so to speak... of the External?

Keep in mind, I'm only transferring various video games, and my music + Pictures and such.

Angelfire777
2007-04-09, 01:25
Considering I have a trojan, would you think it would be advisable to transfer the things I want to keep to my External, and then format, and remove the 4-gig... and use my 70 in tandem with the 350? Or would the Trojan get "ahold" so to speak... of the External?

No, it won't get ahold of the external since it doesn't have an OS or something right? Also, since you're going to transfer various video games, and my music + Pictures and such, I guess it's just fine but it is best if you scan all those files that you're going to transfer to your external HD to prevent reinfection of the new reformatted machine.

motorhead
2007-04-09, 01:26
From what I know... No files outside my C:\Windows folder are infected... according to Spybot

Angelfire777
2007-04-09, 01:28
Yes, that's what I see in your log too. It's most probably in C:\ only. I'll go with your decision:bigthumb:

motorhead
2007-04-09, 01:29
Thanks man. Had it not been for running out of drivespace for SP1... I'd probably be needing a lot more help right now. :) hahaha:fear:

Angelfire777
2007-04-09, 01:32
Here are some free programs I recommend that could help you improve your pc's security.

AntiVirus - Having one AntiVirus is a MUST in your system. If you do not have one, it is very important to get one right now. Here are some free but good AntiVirus programs:

» Avast! (http://www.asw.cz/eng/avast_4_home.html)
» AVG AntiVirus (http://free.grisoft.com/freeweb.php/doc/2/)
» AntiVir (http://www.free-av.com/)

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)

Adaware
~You can download it from here (http://www.lavasoft.de)
~There is a tutorial on how to use Adaware properly here (http://forums.spywareinfo.com/index.php?showtopic=11150)

Spybot Search and Destroy
~You can download it from here (http://security.kolla.de/index.php?lang=en&page=download). Just choose a mirror and off you go.
~There is also a tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install Spyware Guard
~You can download it from here (http://www.javacoolsoftware.com/spywareguard.html)
~You can read the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

motorhead
2007-04-09, 01:34
Hehe I run WinPatrol and Spybot + HJT mostly... Had AdAware for a while but... grew out of it I reckon. Anyway. Thanks for the help. :D Makes me feel so much better knowing people are helpful if ya go someplace nice. :D

Angelfire777
2007-04-10, 20:47
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.