Major Problems

Yep, 6 hidden again.

04/04/06 00:22:05 [Info]: BlackLight Engine 1.0.35 initialized
04/04/06 00:22:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/04/06 00:22:05 [Note]: 7019 4
04/04/06 00:22:05 [Note]: 7005 0
04/04/06 00:22:14 [Note]: 7006 0
04/04/06 00:22:14 [Note]: 7022 0
04/04/06 00:22:14 [Note]: 7011 1460
04/04/06 00:22:14 [Note]: 7026 0
04/04/06 00:22:14 [Note]: 7026 0
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ntwrse.exe
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:22:14 [Note]: FSRAW library version 1.7.1015
04/04/06 00:23:30 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbisy.exe
04/04/06 00:23:30 [Note]: 10002 1
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:36 [Note]: 4020 9663 65536
04/04/06 00:23:36 [Note]: 4018 9663 65536
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32853 327680
04/04/06 00:23:51 [Note]: 4018 32853 327680
04/04/06 00:23:51 [Note]: 4020 32853 327680
04/04/06 00:23:51 [Note]: 4018 32853 327680
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:24:32 [Note]: 4013 29108
04/04/06 00:24:32 [Note]: 4020 30161 262144
04/04/06 00:24:32 [Note]: 4020 30161 262144
04/04/06 00:24:32 [Note]: 4018 30161 262144
04/04/06 00:24:32 [Note]: 4013 29108
04/04/06 00:24:32 [Note]: 4020 30161 262144
04/04/06 00:24:32 [Note]: 4018 30161 262144
04/04/06 00:25:05 [Info]: Hidden file: C:\WINDOWS\system32\oyuydkp.exe
04/04/06 00:25:05 [Note]: 10002 1
04/04/06 00:25:09 [Info]: Hidden file: C:\WINDOWS\system32\ntwrse.exe
04/04/06 00:25:09 [Note]: 10002 1
04/04/06 00:25:10 [Info]: Hidden file: C:\WINDOWS\system32\tbvrjmb.dll
04/04/06 00:25:10 [Note]: 10002 1
04/04/06 00:25:15 [Info]: Hidden file: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:25:15 [Note]: 10002 1
04/04/06 00:25:25 [Info]: Hidden file: C:\WINDOWS\modxj.dll
04/04/06 00:25:25 [Note]: 10002 1
04/04/06 00:26:39 [Note]: 7007 0
 
Run BlackLight again the same way, from Start > Run,
and rename all of those files. In some infections legit files can show, like explorer.exe, but not this particular infection, so rename anything that shows
and let BlackLight restart your PC after you have renamed all the files.
 
OK, let's try Killbox (by Option_explicit)

Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox, what version is it?
Start Killbox, place a tick next to [x] Delete on reboot, and press the All Files button.
Copy this whole list into the Windows clipboard, all the bolded below.

C:\WINDOWS\system32\oyuydkp.exe
C:\WINDOWS\system32\ntwrse.exe
C:\WINDOWS\system32\tbvrjmb.dll
C:\WINDOWS\system32\ednvs.exe
C:\WINDOWS\modxj.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbisy.exe

Back in Killbox go > File > Paste from clipboard,
click the red highlighted X button and say yes to the prompt to restart the PC.

Run BlackLight again. Do any files show?

If not, post a fresh HijackThis log.
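The Killbox list above is exactly the set of "Hidden file" / "Hidden process" paths from the BlackLight log earlier in the thread. As an added example (not BlackLight's, Killbox's or the thread's own code), this parser pulls those paths out of a log, de-duplicates them, and reports any hidden process whose image never appeared as a hidden file; the sample log is a constructed excerpt of the one posted above, and the line layout it assumes is the "date time [Level]: message" form seen there.

```python
import re

# Constructed excerpt of the BlackLight log posted above (assumption: the
# format is "date time [Level]: message" on every line, as in the thread).
SAMPLE_LOG = r"""
04/04/06 00:22:05 [Info]: BlackLight Engine 1.0.35 initialized
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ntwrse.exe
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:23:30 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbisy.exe
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:25:05 [Info]: Hidden file: C:\WINDOWS\system32\oyuydkp.exe
04/04/06 00:25:09 [Info]: Hidden file: C:\WINDOWS\system32\ntwrse.exe
04/04/06 00:25:10 [Info]: Hidden file: C:\WINDOWS\system32\tbvrjmb.dll
04/04/06 00:25:15 [Info]: Hidden file: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:25:25 [Info]: Hidden file: C:\WINDOWS\modxj.dll
04/04/06 00:26:39 [Note]: 7007 0
"""

HIDDEN_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden (process|file): (.+)$")

def hidden_items(log_text):
    """Ordered, de-duplicated (case-insensitive) lists of hidden processes and files."""
    found = {"process": [], "file": []}
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue  # numeric [Note] records carry no path and are skipped
        kind, path = m.group(1), m.group(2).strip()
        if path.lower() not in (p.lower() for p in found[kind]):
            found[kind].append(path)
    return found

def killbox_list(log_text):
    """Every hidden path exactly once: files in log order, then any process
    image that never showed up as a hidden file."""
    found = hidden_items(log_text)
    paths = list(found["file"])
    for proc in found["process"]:
        if proc.lower() not in (p.lower() for p in paths):
            paths.append(proc)
    return paths

def unfiled_processes(log_text):
    """Hidden processes whose image was never reported as a hidden file;
    an empty list means the file list alone covers every hidden process."""
    found = hidden_items(log_text)
    files = {p.lower() for p in found["file"]}
    return [p for p in found["process"] if p.lower() not in files]
```

Run it against the full log and `killbox_list` yields the same six paths the helper pasted into Killbox, in the order BlackLight first reported them.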
 
0 HIDDEN ITEMS FOUND!!!! :)

Here's the jack log.


Logfile of HijackThis v1.99.1
Scan saved at 3:48:48 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\trend antivirus\PCClient.exe
E:\trend antivirus\TMOAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oyuydkp.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - E:\anonymizer\AnonIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCClient.exe] "E:\trend antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\trend antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [mlbjrc] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - HKCU\..\Run: [jhhkt] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O4 - Global Startup: gbisy.exe.ren
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - E:\bodog\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\ipod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - E:\ROGERW~1\ROGERW~1\rwbs\rwbs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
That did it

Start HijackThis and place a check next to these items, if there.
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oyuydkp.exe
O4 - HKLM\..\Run: [mlbjrc] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - HKCU\..\Run: [jhhkt] C:\WINDOWS\system32\ntwrse.exe reg_run

O4 - Global Startup: gbisy.exe.ren

Optional fix >
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
====================================
Hit Fix checked and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279


Let us know if there are any problems
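The fix list above can be reproduced mechanically from the two logs in this thread. As an added example (not HijackThis's own code and not part of the thread), this script takes the image names BlackLight reported as hidden, flags every F2/O4 autostart entry in a HijackThis log that references one of them (a renamed copy such as gbisy.exe.ren still matches), and separates the extra loaders appended to the system.ini Shell= and UserInit= values from the stock Windows ones; the sample log is a constructed excerpt of the one posted above.

```python
import re

# Image names BlackLight reported as hidden earlier in this thread; a renamed
# copy such as gbisy.exe.ren still contains the original name and is matched.
HIDDEN_NAMES = ["oyuydkp.exe", "ntwrse.exe", "tbvrjmb.dll",
                "ednvs.exe", "modxj.dll", "gbisy.exe"]

# Constructed excerpt of the HijackThis log posted above.
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oyuydkp.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [mlbjrc] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - HKCU\..\Run: [jhhkt] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O4 - Global Startup: gbisy.exe.ren
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

AUTOSTART_SECTIONS = ("F2", "O4")  # system.ini loaders and Run/Startup entries
DEFAULTS = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}  # stock XP values

def flag_entries(hjt_text, hidden_names=HIDDEN_NAMES):
    """(section, line) pairs for autostart entries that reference a hidden image."""
    names = [n.lower() for n in hidden_names]
    flagged = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = re.match(r"^([A-Z]\d+) - ", line)
        if not m or m.group(1) not in AUTOSTART_SECTIONS:
            continue
        if any(n in line.lower() for n in names):
            flagged.append((m.group(1), line))
    return flagged

def extra_loaders(hjt_text):
    """Images appended to Shell= / UserInit= beyond the Windows defaults."""
    extras = {}
    for line in hjt_text.splitlines():
        m = re.match(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        parts = [p.strip() for p in value.split(",") if p.strip()]
        # compare by basename so "C:\WINDOWS\SYSTEM32\Userinit.exe" still counts as default
        extras[key] = [p for p in parts
                       if p.lower().rsplit("\\", 1)[-1] != DEFAULTS[key]]
    return extras
```

On the full log `flag_entries` returns exactly the five lines the helper told the user to tick, and `extra_loaders` shows why the two F2 lines matter: each loads a hidden image alongside the normal Explorer.exe and Userinit.exe.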
 
Thanks for the help. Unfortunately 2 of my problems are still here.

When I try to start my antivirus program it doesn't start. It says the system is busy and is unable to query the Real-time Scanning service status, please restart.

Also it still won't let me start my firewall. It says due to an unidentified problem Windows cannot display Windows Firewall settings.
 
OK, reinstalled the antivirus and did a scan. Found 26 viruses, 5 of which are from Killbox and 2 of which are from HijackThis. Should I delete them all?

Also, when I try to download the sharedaccess.reg for the firewall it tries to download as a text document. Am I doing something wrong?
 
Yes, go ahead and let it delete all of them.

Try right-click "Save Target As" on the link to that reg file, save it to your desktop, then run it. Any luck?
Also there are a couple of links near the bottom that might help if the reg file doesn't.
Why not use a third-party firewall? They are much better than SP2's built-in firewall.
 
Thanks for everything, I am very grateful for all the help. I'm going to use a different firewall that was on the other post you provided. Going to follow ALL the advice on that post as well!!! :)


Once I'm done with everything I'll check with antivirus and Spybot again and see if there's anything left.
 
Clean

Wow, you guys are fantastic!! Antivirus detected nothing and Spybot detected nothing!! I feel safe again. And now I am using ZoneAlarm for my firewall, using a bunch of new things as suggested. I can't thank you enough for all the help!!
 
Java

I have one more problem that I'm hoping you can help me with. I downloaded Java and installed it but it doesn't seem to work. Any ideas?
 
update!!!

Sorry it took so long to update you!!

Things are doing great, although there is still one problem. I still hear a clicking noise on occasion. It's the same noise that you hear when you access a file. It happens randomly when I'm not doing anything. Makes me very nervous, like someone is using my computer without me knowing it.

As far as viruses go, I run antivirus daily and have caught a few new ones. When I run Spybot it almost always comes up clean!! :)

I installed ZoneAlarm firewall and so far almost 10,000 access attempts blocked. That seems a little excessive, but I am very glad I have ZoneAlarm now and not Windows Firewall. Windows Firewall is useless!!

It's actually time for another scan with Spybot and antivirus. I'll post back with the results!!
 