Datnuh
2008-03-31, 05:14
I got hit pretty bad with some fierce Malware and was able to clear a lot of it up, but it's still pretty bad. The junk is preventing me from running Spybot at all and also I can't open XP in Safe Mode for some reason. Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:55 PM, on 3/30/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\CTHELPER.EXE
D:\PROGRA~1\Java\JRE16~1.0_0\bin\jusched.exe
D:\PROGRA~1\HP\HPSOFT~1\HPWUSC~1.EXE
D:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE
D:\WINDOWS\System32\BLUETO~1.EXE
D:\WINDOWS\System32\icasServ.exe
D:\WINDOWS\System32\scnttkwd.exe
D:\WINDOWS\system32\apqlyfup.exe
D:\PROGRA~1\AIM\aim.exe
D:\WINDOWS\System32\regsvr32.exe
D:\WINDOWS\System32\regsvr32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\DOCUME~1\Doug\MYDOCU~1\CROSOF~1\NLOOKU~1.EXE
D:\PROGRA~1\COMMON~1\FNTS~1\wuauclt.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\DOCUME~1\Doug\cftmon.exe
D:\Program Files\RALINK\Common\RaUI.exe
D:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\Documents and Settings\All Users\Application Data\erareneb\edohyjcp.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\WINDOWS\System32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\firefox.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\HIJACK~1.EXE
D:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - D:\WINDOWS\System32\gebaxvv.dll
O2 - BHO: (no name) - {6F481C36-B6D2-4DAD-9BEC-A965B007E263} - D:\WINDOWS\System32\clbcat.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{E3-38-8F-F9-DW}] D:\WINDOWS\system32\jswnw64q.exe DWram
O4 - HKLM\..\Run: [ntuser] D:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] D:\Documents and Settings\Doug\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] D:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [icasServ] D:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [qdknap] rundll32.exe "D:\DOCUME~1\Doug\LOCALS~1\Temp\gbqlgrmpsfm.drv" WLEntryPoint
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] D:\WINDOWS\System32\scnttkdn.exe DWram
O4 - HKLM\..\Run: [odidmbit] regsvr32 /u "D:\Documents and Settings\All Users\Application Data\odidmbit.dll"
O4 - HKLM\..\Run: [ExploreUpdSched] D:\WINDOWS\System32\scnttkwd.exe DWram
O4 - HKLM\..\Run: [oxgzgfct] regsvr32 /u "D:\Documents and Settings\All Users\Application Data\oxgzgfct.dll"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Reis] "D:\PROGRA~1\COMMON~1\FNTS~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Abmk] "D:\Documents and Settings\Doug\My Documents\??crosoft\n?lookup.exe"
O4 - HKCU\..\Run: [ntuser] D:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [WintelUpdate] D:\DOCUME~1\Doug\LOCALS~1\Temp\6C21.tmp.exe
O4 - HKCU\..\Run: [braviax] D:\WINDOWS\System32\braviax.exe
O4 - HKCU\..\Run: [wqpavbkf] D:\WINDOWS\system32\apqlyfup.exe
O4 - HKCU\..\Run: [QdrModule13] "D:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack14] "D:\Program Files\QdrPack\QdrPack14.exe"
O4 - HKCU\..\Run: [autoload] D:\Documents and Settings\Doug\cftmon.exe
O4 - HKCU\..\Run: [pjvmpwfu] D:\WINDOWS\system32\ufwvgtub.exe
O4 - HKLM\..\Policies\Explorer\Run: [nilcrih] rundll32.exe "D:\WINDOWS\System32\nmhgr.sys" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [61eqx1SBd7] D:\Documents and Settings\All Users\Application Data\erareneb\edohyjcp.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] D:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] D:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] D:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = D:\WINDOWS\system32\scnttkwd.exe
O4 - Startup: DW_Start.lnk = D:\WINDOWS\system32\jswnw64q.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = D:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - D:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\tkridkbe.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\tkridkbe.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{548F40C1-A8F9-4233-BAC3-3A42F49459DE}: NameServer = 85.255.116.44,85.255.112.215
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD6279E9-D4FB-44B9-BE7A-EB6DC0953A17}: NameServer = 85.255.116.44,85.255.112.215
O17 - HKLM\System\CCS\Services\Tcpip\..\{B17D8689-DE19-4D31-B219-0AD6C677EE85}: NameServer = 85.255.116.44,85.255.112.215
O17 - HKLM\System\CCS\Services\Tcpip\..\{C59B76F3-1330-4C70-845C-C29F5DBAEF1F}: NameServer = 85.255.116.44,85.255.112.215
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.44 85.255.112.215
O17 - HKLM\System\CS1\Services\Tcpip\..\{548F40C1-A8F9-4233-BAC3-3A42F49459DE}: NameServer = 85.255.116.44,85.255.112.215
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.44 85.255.112.215
O17 - HKLM\System\CS2\Services\Tcpip\..\{548F40C1-A8F9-4233-BAC3-3A42F49459DE}: NameServer = 85.255.116.44,85.255.112.215
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.44 85.255.112.215
O20 - AppInit_DLLs: D:\WINDOWS\System32\cru629.dat
O20 - Winlogon Notify: ahojihcnqp - D:\WINDOWS\SYSTEM32\ahojihcnqp.dll
O20 - Winlogon Notify: gebaxvv - D:\WINDOWS\SYSTEM32\gebaxvv.dll
O21 - SSODL: mwOZUjWgO - {7C4E38FA-D6E4-9250-4118-B11487BD1F4F} - D:\WINDOWS\system32\spinw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - D:\WINDOWS\system32\drivers\spools.exe
--
End of file - 8934 bytes
My Kaspersky log is too many characters so I'm not sure how to post it. Any help would be appreciated, thanks.