View Full Version : need help getting rid of cmd serv. also i might have done something stupid
vyxazejezi7o7
2006-10-15, 18:41
File Infection Status Path
1bd21bfb.hta VBS/Petch infected C:\
ac3_0003.exe Win32/SillyDl.AST infected C:\
ms32.tmp Win32/Winshow!generic infected C:\
umffl.exe Win32/SillyDl.NM infected C:\Program Files\Common Files\umff\
umffm.exe Win32/Sasla.A infected C:\Program Files\Common Files\umff\
dstart2.exe Win32/SillyDl.OT infected C:\WINDOWS\
itshta.exe Win32/SuperSpider.A infected C:\WINDOWS\
srvqojpjmz.exe Win32/Dyfuca.X infected C:\WINDOWS\
Loader.dll Win32/SillyDl.OT infected C:\WINDOWS\system\
ldE84.tmp Win32/Spax.H infected C:\WINDOWS\system32\1024\
dmonwv.dll_tobedeleted Win32/Qoologic.AB infected C:\WINDOWS\system32\
hp13E3.tmp Win32/Puper.CD infected C:\WINDOWS\system32\
hp28F6.tmp Win32/Puper!generic infected C:\WINDOWS\system32\
hp317.tmp Win32/Puper!generic infected C:\WINDOWS\system32\
hp7395.tmp Win32/Puper!generic infected C:\WINDOWS\system32\
hp9485.tmp Win32/Puper!generic infected C:\WINDOWS\system32\
hpDFD.tmp Win32/Puper!generic infected C:\WINDOWS\system32\
hpE371.tmp Win32/Puper.BL infected C:\WINDOWS\system32\
ld7DBB.tmp Win32/Beovens!generic infected C:\WINDOWS\system32\
A7151400.so Win32/Alemod infected C:\WINDOWS\system32\LogFiles\
ulokq.dat Win32/Qoologic.AB infected C:\WINDOWS\system32\
zwhkp.dll Win32/Startpage.TF infected C:\WINDOWS\system32\
tmp.hta VBS/Petch infected C:\WINDOWS\
uninst108.exe Win32/SillyDl.AWB infected C:\WINDOWS\
vyxazejezi7o7
2006-10-15, 18:43
Logfile of HijackThis v1.99.1
Scan saved at 12:43:11 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\asuskbservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPRV10.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\HJT\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fxqle.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system\Userinit.exe,pswopbn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\\INTELAUDIOSTUDIO.EXE" TRAY
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
vyxazejezi7o7
2006-10-15, 18:45
StartupList report, 10/15/2006, 12:43:59 PM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\asuskbservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPRV10.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system\Userinit.exe,pswopbn.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C2K = C:\WINDOWS\Cyb2k.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
SoundMan = SOUNDMAN.EXE
RemoteControl = "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
IntelAudioStudio = "C:\Program Files\Intel Audio Studio\\INTELAUDIOSTUDIO.EXE" TRAY
anvshell = anvshell.exe
AlcWzrd = ALCWZRD.EXE
Alcmtr = ALCMTR.EXE
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
(Default) =
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
Steam = C:\Program Files\Valve\Steam\\Steam.exe -silent
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe, C:\WINDOWS\system32\fxqle.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Task Scheduler jobs:
PPv5Scan_Daily as steven at 10 15 PM.job
PPv5Scan_Daily as steven at 11 15 PM.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
Protocol #1: C:\WINDOWS\system32\lspcs.dll
Protocol #2: C:\WINDOWS\system32\lspcs.dll
Protocol #3: C:\WINDOWS\system32\lspcs.dll
Protocol #4: C:\WINDOWS\system32\lspcs.dll
Protocol #5: C:\WINDOWS\system32\lspcs.dll
Protocol #11: C:\WINDOWS\system32\lspcs.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
--------------------------------------------------
End of report, 6,122 bytes
Report generated in 0.047 seconds
vyxazejezi7o7
2006-10-15, 19:50
Hey I'm having this prob with cmd serv. i think it was initially installed by this program called diskcleaner2006 or something like that. I deleted that program but i still get popups from that site or other ads. Also when i start my comp up i need to ctrl alt f4, click start new task and start windows explorer before i see anything on my desktop. here is my HJT log. i alread used etrust antivirus web scanner and deleted the stuff. thanks for your help.
Logfile of HijackThis v1.99.1
Scan saved at 12:43:11 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\asuskbservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPRV10.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\HJT\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fxqle.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system\Userinit.exe,pswopbn.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\\INTELAUDIOSTUDIO.EXE" TRAY
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
LonnyRJones
2006-10-18, 17:05
Welcome vyxazejezi7o7
Fallow the instructions here
http://forums.spybot.info/showthread.php?t=4015
when finished post the logs mentioned near the bottom
vyxazejezi7o7
2006-10-19, 05:36
i followed the instructions in that removal page and i have the 3 logs. Also AVG anti-spyware is picking up a downloader.qoologic.bj located in system32\ooyhfv.exe. i click clean and move to quarantine but the alert just keeps popping up. Here are my logs
c:\rapport.txt
SmitFraudFix v2.110
Scan done at 22:17:32.64, Wed 10/18/2006
Run from C:\Documents and Settings\AAA\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\uniq Deleted
C:\WINDOWS\back.gif Deleted
C:\WINDOWS\buy-btn.gif Deleted
C:\WINDOWS\download-btn.gif Deleted
C:\WINDOWS\keyboard1.dat Deleted
C:\WINDOWS\system32\exuc32.tmp Deleted
C:\WINDOWS\system32\wp.bmp Deleted
C:\WINDOWS\system32\1024\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
AVG Anti-spyware log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:16:32 PM 10/18/2006
+ Scan result:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Ignored.
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Ignored.
C:\WINDOWS\pzapyboq.exe -> Adware.BookedSpace : Ignored.
C:\WINDOWS\ygrxrwug.exe -> Adware.BookedSpace : Ignored.
C:\WINDOWS\tmp.000 -> Adware.CashDeluxe : Ignored.
HKLM\SOFTWARE\KMiNT21 -> Adware.DesktopSpyAgent : Ignored.
C:\WINDOWS\Temp\mmserver0.DLL -> Backdoor.Hupigon.ps : Cleaned with backup (quarantined).
C:\WINDOWS\mmserver.DLL -> Backdoor.Hupigon.ps : Cleaned with backup (quarantined).
C:\919_133.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DCBE668A-2810-4FD8-B6B3-FFADD9E206C1}\RP4\A0002327.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DCBE668A-2810-4FD8-B6B3-FFADD9E206C1}\RP4\A0002328.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DCBE668A-2810-4FD8-B6B3-FFADD9E206C1}\RP4\A0002329.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ulokq.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[848] C:\WINDOWS\system32\uvyhvey.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32:liaa.dll -> Downloader.Small.azk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\LogFiles\DA7021900.so -> Downloader.Small.baz : Cleaned with backup (quarantined).
C:\141ts.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\WINDOWS\ursjrcv.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DCBE668A-2810-4FD8-B6B3-FFADD9E206C1}\RP3\A0002138.exe -> Hijacker.Costrat.n : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.n : Cleaned with backup (quarantined).
C:\Program Files\MSN Gaming Zone\tenefusyp.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Online Services\woqohav.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DCBE668A-2810-4FD8-B6B3-FFADD9E206C1}\RP3\A0002130.dll -> Logger.Goldun.ms : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DCBE668A-2810-4FD8-B6B3-FFADD9E206C1}\RP3\A0002133.exe -> Logger.Goldun.ms : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DCBE668A-2810-4FD8-B6B3-FFADD9E206C1}\RP3\A0002127.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 11:29:07 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\asuskbservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ooyhfv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxqle.exe
C:\WINDOWS\system32\fxqle.exe
C:\WINDOWS\system32\fxqle.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel Audio Studio\INTELAUDIOSTUDIO.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fxqle.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,pswopbn.exe
O4 - HKLM\..\Run: [ofdyet] C:\WINDOWS\system32\ooyhfv.exe reg_run
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\\INTELAUDIOSTUDIO.EXE" TRAY
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [kckag] C:\WINDOWS\system32\ooyhfv.exe reg_run
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: hvlil.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
LonnyRJones
2006-10-26, 09:38
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
LonnyRJones
2006-11-03, 13:22
Due to lack of responses this thread is closed
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.