Logfile of HijackThis v1.99.1
Scan saved at 22:12, on 06-08-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\New Folder\HijackThis.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{918C79A8-7413-4598-9CA1-C2FB83BBE473}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
8 22:07:26.89
Running from: C:\DOCUME~1\Paul\LOCALS~1\Temp\
((((((((((((((((((((((((((((((( Files Created from 2006-07-08 to 2006-08-08 ))))))))))))))))))))))))))))))))))
2006-08-08 20:19 199,806,976 C:\hiberfil.sys
2006-08-08 09:01 53,248 C:\WINDOWS\system32\Process.exe
2006-08-08 09:01 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-08 09:01 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-08-08 01:04 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-08 01:04 597,504 C:\WINDOWS\system32\aswBoot.exe
2006-08-07 21:46 112,259 C:\WINDOWS\system32\mswmmqce.exe
2006-08-07 17:21 1,176 C:\WINDOWS\system32\ggjlm.ini2
2006-08-07 10:33 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-07 10:33 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-06 21:56 469,997 C:\WINDOWS\system32\ggjlm.bak2
2006-08-04 23:28 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-08-04 23:28 5,862 C:\clean.bat
2006-08-04 23:28 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-04 23:28 4,096 C:\WINDOWS\system32\reboot.exe
2006-08-04 23:28 38,400 C:\WINDOWS\system32\moveex.exe
2006-08-03 09:05 573,492 C:\WINDOWS\system32\mljgg.dll
2006-08-02 15:26 94,208 C:\WINDOWS\system32\pisia32.dll
2006-08-02 14:16 8,464 C:\WINDOWS\system32\sporder.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-08-08 21:38 469997 ---hs---- C:\WINDOWS\system32\ggjlm.bak2
2006-08-08 01:04 ------- d-------- C:\Program Files\Alwil Software
2006-08-07 21:46 112259 --ah----- C:\WINDOWS\system32\mswmmqce.exe
2006-08-07 18:14 1176 ---hs---- C:\WINDOWS\system32\ggjlm.ini2
2006-08-06 22:38 ------- d-------- C:\Program Files\CleanUp!
2006-08-06 22:29 ------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-04 23:28 ------- d-------- C:\Program Files\HaxFix
2006-08-03 09:05 573492 --------- C:\WINDOWS\system32\mljgg.dll
2006-08-02 21:13 ------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-08-02 20:52 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2006-08-02 19:43 ------- d-------- C:\Program Files\Lavasoft
2006-08-02 19:43 ------- d-------- C:\Documents and Settings\Paul\Application Data\Lavasoft
2006-08-02 17:09 5862 --a------ C:\clean.bat
2006-08-02 15:26 94208 --a------ C:\WINDOWS\system32\pisia32.dll
2006-08-02 14:16 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-02 14:13 ------- d--h----- C:\Program Files\BHO Plugin
2006-06-19 14:03 ------- d-------- C:\Documents and Settings\Paul\Application Data\Sun
2006-05-25 01:22 53248 --a------ C:\WINDOWS\bdoscandel.exe
2006-05-12 02:33 73736 --a------ C:\WINDOWS\system32\_winsys00.dll
2006-05-08 15:23 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"POINTER"="point32.exe"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"%FP%Friendly fts.exe"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
Contents of the 'Scheduled Tasks' folder
Completion time: 06-08-08 22:09:48.87
ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt
ComboFix2.txt
ComboFix3.txt
ComboFix.txt
online scan
Scan report generated at: Tue, Aug 08, 2006 - 21:59:59
Scan path: A:\;C:\;D:\;E:\;
Statistics
Time: 01:21:04
Files: 173874
Folders: 2408
Boot Sectors: 2
Archives: 1496
Packed Files: 15941
Results
Identified Viruses: 5
Infected Files: 8
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 9
Engines Info
Virus Definitions: 443349
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
Scanned File | Status
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.060802-2346.txt | Infected with: Generic.Qhost.6A8C1AED
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.060802-2346.txt | Disinfection failed
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.060802-2346.txt | Deleted
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.060802-2352.txt | Infected with: Generic.Qhost.00EDC811
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.060802-2352.txt | Disinfection failed
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.060802-2352.txt | Deleted
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK=>(NSIS o) | Infected with: Trojan.Downloader.Agent.AOE
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK=>(NSIS o) | Disinfection failed
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK=>(NSIS o) | Deleted
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\FILE0011.CHK | Update failed
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\dfcpr.dll=>(Quarantine-PE) | Infected with: Trojan.Spy.Mxsender.F
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\dfcpr.dll=>(Quarantine-PE) | Disinfection failed
C:\Documents and Settings\Paul\DoctorWeb\Quarantine\dfcpr.dll=>(Quarantine-PE) | Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat=>(gzip) | Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat=>(gzip) | Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat=>(gzip) | Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\filB5144A40.dat | Update failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat=>(gzip) | Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat=>(gzip) | Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat=>(gzip) | Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil2458AC84.dat | Update failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat=>(gzip) | Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat=>(gzip) | Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat=>(gzip) | Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil90461F10.dat | Update failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat=>(gzip) | Infected with: Trojan.Agent.UV
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat=>(gzip) | Disinfection failed
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat=>(gzip) | Deleted
C:\Program Files\ewido anti-spyware 4.0\Quarantine\fil0F70D690.dat | Update failed
SmitFraudFix v2.81
Scan done at 20:09:39.75, 06-08-08
Run from C:\Documents and Settings\Paul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\Documents and Settings\Paul\Application Data\Install.dat Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"CallBack Ware"="{8e29f930-135a-4568-3338-24cbc8cbbfc1}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"
»»»»»»»»»»»»»»»»»»»»»»»» End
keep up the good work