adirgeforher
2006-06-18, 20:44
I've reformatted my computer twice...within the last 2 days. >.>
And the crap just keeps comping back. I'm currently going through all your "How did I get infected" steps right now. I can't turn my firewall on now because it won't let me...ughhh. Surfsidekick- I removed it via the whole process, and it keeps coming back. I don't think I have it at the moment? Idk I could be wrong.
(Btw I've got ad-aware, spyware doctor, hijack this, s&d and combofix)
So someone help me please.
Here's my Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:27:09 PM, on 18/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\WINDOWS\System32\logon.exe
C:\WINDOWS\dtxkzgnA.exe
C:\WINDOWS\win32066167182207.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PPPATC~1\VCHOST~1.EXE
C:\PROGRA~1\CROSOF~1.NET\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\dtxkzgn.exe
C:\WINDOWS\services.exe
C:\WINDOWS\winsock\csrss.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\mc-110-12-0000144.exe
c:\drsmartload1.exe
C:\WINDOWS\SGFp\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Deena\Desktop\HijackThis.exe
c:\defender26.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hungersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {145D1FA9-8A40-FB9D-4CB2-A4BFDAFBD192} - C:\WINDOWS\System32\kstfcsf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winsock\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winsock\csrss.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows TCP/IP Socket Driver] C:\WINDOWS\winsock\csrss.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [dtxkzgnA] C:\WINDOWS\dtxkzgnA.exe
O4 - HKLM\..\Run: [win32066167182207] C:\WINDOWS\win32066167182207.exe
O4 - HKLM\..\Run: [newname] c:\\newname25.exe
O4 - HKLM\..\Run: [defender] c:\\defender26.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lpjrrvh] C:\PROGRA~1\COMMON~1\PPPATC~1\VCHOST~1.EXE
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\CROSOF~1.NET\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Qyt] C:\Program Files\Common Files\??crosoft.NET\l?ass.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\msdtc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGFp\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dtxkzgn.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe
My combofix log was too big to attach, so I'm copying and pasting it
here. (http://shockoflove.livejournal.com/10645.html)
Um yeah. xD I have no idea what to do now.
Someone help please :(
And the crap just keeps comping back. I'm currently going through all your "How did I get infected" steps right now. I can't turn my firewall on now because it won't let me...ughhh. Surfsidekick- I removed it via the whole process, and it keeps coming back. I don't think I have it at the moment? Idk I could be wrong.
(Btw I've got ad-aware, spyware doctor, hijack this, s&d and combofix)
So someone help me please.
Here's my Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:27:09 PM, on 18/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\WINDOWS\System32\logon.exe
C:\WINDOWS\dtxkzgnA.exe
C:\WINDOWS\win32066167182207.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PPPATC~1\VCHOST~1.EXE
C:\PROGRA~1\CROSOF~1.NET\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\dtxkzgn.exe
C:\WINDOWS\services.exe
C:\WINDOWS\winsock\csrss.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\mc-110-12-0000144.exe
c:\drsmartload1.exe
C:\WINDOWS\SGFp\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Deena\Desktop\HijackThis.exe
c:\defender26.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hungersite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {145D1FA9-8A40-FB9D-4CB2-A4BFDAFBD192} - C:\WINDOWS\System32\kstfcsf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winsock\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\winsock\csrss.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows TCP/IP Socket Driver] C:\WINDOWS\winsock\csrss.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [dtxkzgnA] C:\WINDOWS\dtxkzgnA.exe
O4 - HKLM\..\Run: [win32066167182207] C:\WINDOWS\win32066167182207.exe
O4 - HKLM\..\Run: [newname] c:\\newname25.exe
O4 - HKLM\..\Run: [defender] c:\\defender26.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lpjrrvh] C:\PROGRA~1\COMMON~1\PPPATC~1\VCHOST~1.EXE
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\CROSOF~1.NET\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Qyt] C:\Program Files\Common Files\??crosoft.NET\l?ass.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\msdtc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SGFp\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dtxkzgn.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe
My combofix log was too big to attach, so I'm copying and pasting it
here. (http://shockoflove.livejournal.com/10645.html)
Um yeah. xD I have no idea what to do now.
Someone help please :(