Tech Support Forum: HijackThis Log Help
#1
Registered User (Join Date: Sep 2006, Posts: 7, OS: winXPpro)
Lots of Spyware! Please Help! Here's My Log.

The spyware doesn't let me use my Task Manager for some reason, and I have a lot of annoying pop-ups; it's really hard to use the PC. Please, someone help me.
Logfile of HijackThis v1.99.1
Scan saved at 1:32:52 AM, on 9/30/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VFVSS1M\command.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\Service.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\v1201.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\djsbmrtA.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\djsbmrt.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\KanG\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\mlxtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xhfxhdq.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [win3207413-590899] C:\WINDOWS\win3207413-590899.exe
O4 - HKLM\..\Run: [evh15fed] RUNDLL32.EXE w071b57f.dll,n 00515fe800000005071b57f
O4 - HKLM\..\Run: [sys04899413-590] C:\WINDOWS\sys04899413-590.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [djsbmrtA] C:\WINDOWS\djsbmrtA.exe
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [fcmmotj.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fcmmotj.dll,wforix
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\KanG\LOCALS~1\Temp\stdrun163072.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\System32\urroxtl.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VFVSS1M\command.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#2
TSF Enthusiast (Join Date: Apr 2006, Location: Kolkata, India, Posts: 2,048, OS: WinXP Pro SP2, Edubuntu 7.10)
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. Please be patient with me during this time.
__________________
Utsyabye Byasane Chaibo Doorbhikhkhe Rashtrabiplabe Rajwadware Shasane Cha Ya Tishtati Sa Bandhaba: the oldest definition of a FRIEND in Sanskrit, by Chanakya. Registered Linux user #426065. If you feel TSF helped you, then please help TSF by making a donation HERE.

#3
Registered User (Join Date: Sep 2006, Posts: 7, OS: winXPpro)
Thanks, I'm waiting patiently. Meanwhile I guess I've got to use my laptop, because it's almost impossible to use this PC. Right after I turn on this PC, pop-ups and many other things almost freeze it, and when I use the browser, it keeps redirecting me to different types of sites, just like it happened just now. And my PC is extremely slow.

#5
TSF Enthusiast (Join Date: Apr 2006, Location: Kolkata, India, Posts: 2,048, OS: WinXP Pro SP2, Edubuntu 7.10)
No need to bump, please. I'm working on your case.

#6
Registered User (Join Date: Sep 2006, Posts: 7, OS: winXPpro)
OK... I tried deleting some things and I ended up with this. Still really infected, though.
Logfile of HijackThis v1.99.1
Scan saved at 11:22:46 PM, on 10/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\KanG\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\mlxtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xhfxhdq.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\KanG\LOCALS~1\Temp\stdrun163072.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - AppInit_DLLs:
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#7
TSF Enthusiast (Join Date: Apr 2006, Location: Kolkata, India, Posts: 2,048, OS: WinXP Pro SP2, Edubuntu 7.10)
Hello KenZoi,

Please read the following instructions very carefully. Please refrain from performing any fixes on your own once you have posted a log, as now things have changed and I must prepare a new fix for you. The log you've posted appears to be from Safe Mode. I will require you to run a scan from Normal Mode, but before you do, please do the following: one of the many infections present on this system may be recognizing HijackThis and preventing HJT from reading the registry locations where it resides, as well as hiding other infections in those locations. I'd like you to rename HijackThis.exe to KenZoi.exe.

Run a new scan with KenZoi.exe from Normal Mode and post a new log so we can continue.
Last edited by src2206 : 10-02-2006 at 10:34 AM.

#8
Registered User (Join Date: Sep 2006, Posts: 7, OS: winXPpro)
OK, I renamed it and did a scan in Normal Mode.
Logfile of HijackThis v1.99.1
Scan saved at 11:14:42 PM, on 10/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\KanG\Desktop\KenZoi.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\mlxtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xhfxhdq.exe
O2 - BHO: (no name) - {1FE54DD2-6152-4000-9570-84DB4C0FF250} - C:\WINDOWS\System32\ddabb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\KanG\LOCALS~1\Temp\stdrun163072.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\p84u0ih9e84.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

#9
Registered User (Join Date: Sep 2006, Posts: 7, OS: winXPpro)
Aw! The spyware is multiplying itself, and the pop-ups are getting more annoying. Many spyware programs are trying to download programs onto my PC without my permission, such as Spyware Doctor. I'm posting the new log because I think it has more spyware now, and I didn't do anything.
Logfile of HijackThis v1.99.1
Scan saved at 6:16:54 PM, on 10/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Service.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SKS~1\scanregw.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\W?nSxS\w?nlogon.exe
C:\Documents and Settings\KanG\Desktop\KenZoi.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\mlxtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xhfxhdq.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {0CADFCD0-5EE7-446A-9969-3DC79A320DBB} - C:\Program Files\Common Files\hower.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\AUTOSE~1.DLL
O2 - BHO: (no name) - {B50290BC-8AAE-407C-9FD7-0212762AE53F} - C:\WINDOWS\System32\ddabb.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {D7D8EDFE-0260-0E9E-1406-5FF07EC86EE2} - C:\WINDOWS\System32\vnd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\KanG\LOCALS~1\Temp\stdrun163072.exe
O4 - HKCU\..\Run: [Hnma] "C:\WINDOWS\SKS~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Ynu] C:\WINDOWS\W?nSxS\w?nlogon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.sxload.com
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\fp6u03j9e.dll
O20 - Winlogon Notify: yayabax - C:\WINDOWS\SYSTEM32\yayabax.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Please help.

#10
TSF Enthusiast (Join Date: Apr 2006, Location: Kolkata, India, Posts: 2,048, OS: WinXP Pro SP2, Edubuntu 7.10)
Hi KenZoi,

Do not worry. I'm working on your case. I should be able to post a fix within the next few hours. Please understand that due to the time difference there always exists a lag. Hold on a bit longer, my dear friend, and try not to browse with your infected PC. I remember that you told me that you can use a laptop. So I suggest that you check this site to see whether I have posted the fix or not, and then follow those instructions on your infected PC. In a nutshell, I would like to have you online as little as possible with your infected PC. Sorry for this delay.

#11
Assistant Manager, TSF Academy; Moderator/Analyst, Security Team (Join Date: Jan 2005, Location: Ohio, Posts: 19,020, OS: WinXP and Vista)
Hello KenZoi,

Our apologies for the delay, but src2206 is experiencing internet connection difficulties.

Please copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out these instructions. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.

***************************************************
Download combofix from one of these locations:

Download LSPFix.exe
***************************************************
Disconnect this PC from the internet.
***************************************************
Go to <<Start>> then <<Run>>, paste in the single-line command below, then click OK:

"%userprofile%\desktop\combofix.exe" /v AUTOSE~1 nem220 hower ddabb vnd yayabax

When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
-----------------------------------
Reboot your system back into Normal Mode.
-----------------------------------
Instructions for using LSPFix
-----------------------------------
Uninstall the following via the Add/Remove Panel (Start -> (Settings) -> Control Panel -> Add/Remove Programs) if they exist:
Internet Optimizer
WebHancer
WebHancer requires a reboot; reboot directly into Safe Mode.
-------------------------------------------
Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Log in with your usual account.
Make sure to close any open browsers.
-----------------------------------
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any):
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\mlxtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xhfxhdq.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {0CADFCD0-5EE7-446A-9969-3DC79A320DBB} - C:\Program Files\Common Files\hower.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\AUTOSE~1.DLL
O2 - BHO: (no name) - {B50290BC-8AAE-407C-9FD7-0212762AE53F} - C:\WINDOWS\System32\ddabb.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {D7D8EDFE-0260-0E9E-1406-5FF07EC86EE2} - C:\WINDOWS\System32\vnd.dll
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\KanG\LOCALS~1\Temp\stdrun163072.exe
O4 - HKCU\..\Run: [Hnma] "C:\WINDOWS\SKS~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Ynu] C:\WINDOWS\W?nSxS\w?nlogon.exe
O15 - Trusted Zone: *.sxload.com
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: ddabb - C:\WINDOWS\System32\ddabb.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\fp6u03j9e.dll
O20 - Winlogon Notify: yayabax - C:\WINDOWS\SYSTEM32\yayabax.dll
Click 'Fix Checked' and close HijackThis.
-----------------------------------
Go to My Computer -> Tools -> Folder Options -> View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.
-----------------------------------
Delete the following files and folders if they still exist:
C:\Program Files\DeluxeCommunications
C:\Program Files\webHancer
C:\Program Files\Internet Optimizer
C:\WINDOWS\System32\mlxtw.exe
C:\WINDOWS\SYSTEM32\xhfxhdq.exe
C:\WINDOWS\xload.exe
-----------------------------------
Clear your Temp and Temporary Internet Files: go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files are checked, and click OK.
-----------------------------------
Reboot into Normal Mode.
-----------------------------------
I see no evidence of an antivirus program on your system. This must be resolved. Here are two very good free antivirus products which are available:

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.
-----------------------------------
IMPORTANT!: Before we can proceed any further, please visit Microsoft's Windows Update page and install ALL Critical Updates for your system (except Service Pack 2 (SP2); SP2 should only be installed on a fully disinfected system). At the minimum, install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done.

If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately, it's also this forum's policy that we only address users with a legal copy of Windows XP; therefore, if you cannot update Windows XP to SP1, we must stop the cleansing process here.

**Note** If you're having trouble locating the service pack SP1a, here is a direct link to download it from..
-----------------------------------
Once you've updated to XP SP1...

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan", located on the top right-hand corner

Double-click on combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Please include the following in your next reply:
ComboFix2.txt
Panda results
ComboFix.txt
New HijackThis log
__________________
Keep this site free for all. Please consider donating. "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Last edited by Ried : 10-04-2006 at 03:49 PM.
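The fix above comes from reading the HijackThis log section by section: the F2 Shell/UserInit values that chain an extra executable, the O20 Winlogon Notify and AppInit_DLLs entries, the O4 autoruns that start from Temp or from odd paths under C:\WINDOWS, the O10 LSP hijack and the O15 Trusted Zone addition. As an added example (not part of this thread and not a HijackThis feature), here is a small Python triage script that parses HJT-style lines and flags those same persistence points. The sample lines are copied from the logs posted in this thread; the rules, thresholds and wording of the reasons are my own assumptions and will not catch everything an analyst would (a randomly named DLL in System32, such as fcmmotj.dll or ddabb.dll, still needs a file lookup).

```python
import re

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\mlxtw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xhfxhdq.exe
O2 - BHO: (no name) - {0CADFCD0-5EE7-446A-9969-3DC79A320DBB} - C:\Program Files\Common Files\hower.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [evh15fed] RUNDLL32.EXE w071b57f.dll,n 00515fe800000005071b57f
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\KanG\LOCALS~1\Temp\stdrun163072.exe
O4 - HKCU\..\Run: [Hnma] "C:\WINDOWS\SKS~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Ynu] C:\WINDOWS\W?nSxS\w?nlogon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.sxload.com
O20 - AppInit_DLLs:
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: yayabax - C:\WINDOWS\SYSTEM32\yayabax.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\System32\urroxtl.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VFVSS1M\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")            # "O4 - ..." style lines only
TEMP_RE = re.compile(r"\\temp\\", re.I)
RUNDLL_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32\.exe"?\s+(\S+)', re.I)
BARE_EXE_RE = re.compile(r'^"?[^\\":/]+\.exe"?(\s|$)', re.I)        # no directory at all
WINROOT_EXE_RE = re.compile(r'^"?c:\\windows\\[^\\]+\.exe"?', re.I)  # sits in C:\WINDOWS itself
SHORTDIR_RE = re.compile(r'^"?c:\\windows\\[^\\]*~\d+\\', re.I)      # 8.3 short-name dir under C:\WINDOWS
ALWAYS_FLAG = {  # sections where every entry deserves a look (rule choice is my assumption)
    "O10": "Winsock LSP hijack: a third-party DLL sits in the TCP/IP provider chain",
    "O15": "domain added to IE's Trusted Zone (relaxed security for that site)",
    "O21": "ShellServiceObjectDelayLoad: DLL loaded by Explorer at every start",
}

def parse_hjt(text):
    """(section, body) for each 'Oxx - ...' line; the header and process list are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, (l.strip() for l in text.splitlines())) if m]

def check_f2(body):
    # Clean XP values: Shell=Explorer.exe and UserInit=C:\WINDOWS\system32\userinit.exe, (nothing after the comma)
    key, _, value = body.lower().partition("=")
    if key.endswith("shell") and value.strip() != "explorer.exe":
        return "Shell launches something besides Explorer.exe"
    if key.endswith("userinit"):
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].endswith("\\userinit.exe"):
            return "UserInit chains an extra program at logon"
    return None

def check_o4(body):
    # Command part: after "[label] " for Run keys, after " = " for Startup-folder .lnk items
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    if TEMP_RE.search(cmd):
        return "autorun launches from a Temp directory"
    if "?" in cmd:
        return "autorun path contains a character the log could not print"
    m = RUNDLL_RE.match(cmd)
    if m:  # rundll32 itself is normal; judge the DLL it is told to load
        return None if "\\" in m.group(1).split(",")[0] else "rundll32 loads a DLL given without a directory"
    if BARE_EXE_RE.match(cmd):
        return "autorun names an executable with no directory (resolved via PATH)"
    if WINROOT_EXE_RE.match(cmd):
        return "autorun executable sits directly in C:\\WINDOWS"
    if SHORTDIR_RE.match(cmd):
        return "autorun lives in an 8.3 short-name directory under C:\\WINDOWS"
    return None

def check_o20(body):
    kind, _, value = body.partition(":")
    if kind.lower() == "winlogon notify":
        return "Winlogon notification package: this DLL loads inside winlogon.exe"
    if kind.lower() == "appinit_dlls" and value.strip():
        return "AppInit_DLLs: loaded into every process that maps user32.dll"
    return None
CHECKS = {"F2": check_f2, "O4": check_o4, "O20": check_o20}

def triage(text):
    """Return (section, reason, body) for every entry the rules consider worth a closer look."""
    findings = []
    for section, body in parse_hjt(text):
        if section in CHECKS:
            reason = CHECKS[section](body)
        elif section == "O2" and "(no name)" in body:
            reason = "BHO registered without a name"
        elif section == "O23" and "Unknown owner" in body:
            reason = "service binary carries no company/version information"
        else:
            reason = ALWAYS_FLAG.get(section)
        if reason:
            findings.append((section, reason, body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG): print(f"{section:<4} {reason}\n     {body}")
```

Run against the sample it flags both F2 values, the unnamed BHO, six of the nine O4 autoruns (winlog.exe with no path, v1201.exe in the Windows root, the rundll32 call with a bare DLL name, the Temp executable, the SKS~1 short-name directory and the W?nSxS path), the LSP, the Trusted Zone entry, the non-empty AppInit_DLLs and Winlogon Notify entries, the SSODL entry and the "Unknown owner" service, while leaving NvCplDaemon, SoundMAX, the Adobe startup item, the empty AppInit_DLLs value and the NVIDIA service alone. The "?" rule is worth keeping: it fires on a path whose name the log could not render, which in this thread is the W?nSxS\w?nlogon.exe lookalike.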

#13
Assistant Manager, TSF Academy; Moderator/Analyst, Security Team (Join Date: Jan 2005, Location: Ohio, Posts: 19,020, OS: WinXP and Vista)
Hello KenZoi,
I know your symptoms have likely subsided after following the fix I provided for you, but be forewarned that additional malware is still lurking about on your system. I highly recommend you follow all instructions given previously and return with the logs requested after updating to XP SP1.