
Registered · 10 Posts · Discussion Starter #1
A couple of weeks ago I began receiving a triangular error message on my desktop with various messages reporting spyware or suspicious files on my system and offering a free scan. When I click the triangle I am directed to at least 3 different sites, all advertising anti-spyware software. Also, when I use Google and click on a link, a blank page is loaded or I am taken to another search engine website. I get between 2 and 4 of these error messages per day, usually when I open Internet Explorer and occasionally when I open Windows Explorer. I have used both AVG and Spybot but neither detected nor solved the problem. Also, after running HijackThis I noticed a file in the system32 folder called dmserve.dll which, when I hover the cursor over it, gives no info other than the file name and creation date; it does not seem to be a Microsoft file nor has any connection with disk management. I also get the same result when I right-click for Properties. I have been unable to delete this file and its registry entry in both normal and safe mode. The file was created around the time that the problems began. I have since found out that dmserve.dll is a trojan but have been unable to find any information with regards to its removal, and my AV program (NOD32) does not even detect its presence. I have downloaded and installed 3 apps on or just prior to the problem starting, 2 of which were cracked. All 3 have since been removed.

Please find below the requested scan logs from DSS (which also contains the HijackThis log) and Panda Scan. I have also attached the Extra.txt log from DSS.

Thank you.

Deckard's System Scanner v20071014.68
Run by Bogey on 2007-11-14 12:18:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Bogey.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-14 12:19:57
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Bogey\My Documents\Programs\dss.exe
C:\Documents and Settings\Bogey\My Documents\Programs\hijackthis\Bogey.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\system32\dmserve.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191276819764
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 8409 bytes

-- Files created between 2007-10-14 and 2007-11-14 -----------------------------

2007-11-13 19:13:33 0 d------c- C:\WINDOWS\Prefetch
2007-11-13 18:11:22 0 d------c- C:\WINDOWS\System32\PreInstall
2007-11-13 17:07:24 0 d------c- C:\WINDOWS\ServicePackFiles
2007-11-13 17:07:23 0 d------c- C:\WINDOWS\ehome
2007-11-13 14:42:04 118784 --a----c- C:\WINDOWS\System32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-11-13 14:41:55 0 d------c- C:\Program Files\SpywareBlaster
2007-11-13 14:29:04 0 d------c- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-13 14:28:43 0 d------c- C:\Temp
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\Templates
2007-11-13 13:52:10 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2007-11-13 13:52:10 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\Recent
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2007-11-13 13:52:10 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\My Documents
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\Favorites
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\Desktop
2007-11-13 13:52:10 0 d---s--c- C:\Documents and Settings\Administrator\Cookies
2007-11-13 13:52:10 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2007-11-13 13:52:10 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\Application Data\DivX
2007-11-12 23:37:44 0 d------c- C:\WINDOWS\System32\ActiveScan
2007-11-10 12:50:59 1689600 --a----c- C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-10 12:50:58 1769472 --a----c- C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-10 12:49:20 0 d--h---c- C:\WINDOWS\msdownld.tmp
2007-11-10 11:50:05 0 d--h---c- C:\WINDOWS\$hf_mig$
2007-11-09 23:08:31 0 d------c- C:\Documents and Settings\All Users\Application Data\GRETECH
2007-11-09 23:07:36 0 d------c- C:\Documents and Settings\Bogey\Application Data\GRETECH
2007-11-09 23:07:18 0 d------c- C:\Program Files\GRETECH
2007-11-09 22:01:07 494848 -ra----c- C:\WINDOWS\System32\drivers\WLANUTG.SYS <Not Verified; Texas Instruments; TNET1150 USB WLAN Adapter>
2007-11-09 22:01:07 97388 -ra----c- C:\WINDOWS\System32\drivers\Fwusb1b.bin
2007-11-09 21:51:46 0 d------c- C:\Documents and Settings\Default User\Application Data\DivX
2007-11-09 18:38:19 0 d------c- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 17:25:02 2028 --a----c- C:\WINDOWS\System32\tmp.reg
2007-11-09 16:52:04 0 d------c- C:\WINDOWS\pss
2007-11-09 14:36:57 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 19:21:30 0 d------c- C:\WINDOWS\System32\ZoneLabs
2007-11-05 22:51:46 0 d------c- C:\My Music
2007-10-30 13:12:24 18688 --a----c- C:\WINDOWS\System32\drivers\ndsfqkpr.dat
2007-10-30 13:12:22 5120 --a----c- C:\WINDOWS\System32\drivers\gmksqzsc.dat
2007-10-30 13:11:49 114944 --a----c- C:\WINDOWS\System32\dmserve.dll
2007-10-28 21:54:17 0 d------c- C:\Program Files\Messenger Plus! Live
2007-10-28 00:33:17 120 --a----c- C:\drmHeader.bin
2007-10-20 13:18:09 0 d------c- C:\Documents and Settings\All Users\Application Data\DFX
2007-10-20 13:18:07 0 d------c- C:\Program Files\DFX
2007-10-19 01:17:19 0 d------c- C:\Program Files\K-Lite Codec Pack
2007-10-19 01:17:19 0 d------c- C:\Documents and Settings\Bogey\Application Data\Real
2007-10-19 01:17:19 0 d------c- C:\Documents and Settings\All Users\Application Data\Real
2007-10-17 14:02:50 0 d------c- C:\Program Files\PeerGuardian2
2007-10-16 12:50:25 0 d------c- C:\Documents and Settings\Bogey\Application Data\Real(2)
2007-10-16 12:43:20 0 d------c- C:\Program Files\Common Files\Real
2007-10-16 12:43:18 0 d------c- C:\Program Files\Real


-- Find3M Report ---------------------------------------------------------------

2007-11-14 11:26:18 0 d------c- C:\Documents and Settings\Bogey\Application Data\uTorrent
2007-11-13 22:48:29 0 d------c- C:\Program Files\MSN Messenger
2007-11-13 20:29:43 0 d------c- C:\Program Files\Winamp
2007-11-13 20:28:35 0 d------c- C:\Program Files\QuickTime
2007-11-13 20:28:08 0 d------c- C:\Program Files\PowerISO
2007-11-13 20:28:06 0 d------c- C:\Program Files\Opera
2007-11-13 20:26:21 0 d------c- C:\Program Files\iTunes
2007-11-13 20:25:20 0 d------c- C:\Program Files\Google
2007-11-13 19:32:13 0 d------c- C:\Program Files\Messenger
2007-11-13 17:06:54 0 d------c- C:\Program Files\Movie Maker
2007-11-10 12:16:03 0 d------c- C:\Program Files\Common Files
2007-11-10 00:27:19 0 d--h---c- C:\Program Files\WindowsUpdate
2007-11-09 22:03:59 0 d------c- C:\Program Files\K-litePro
2007-11-09 21:49:39 23348 --a----c- C:\WINDOWS\System32\emptyregdb.dat
2007-11-09 21:17:18 0 d------c- C:\Documents and Settings\Bogey\Application Data\Azureus
2007-11-07 19:22:39 4212 --ah---c- C:\WINDOWS\System32\zllictbl.dat
2007-10-10 18:59:32 0 d------c- C:\Program Files\Bit Che
2007-10-07 02:19:53 0 d------c- C:\Program Files\Azureus
2007-10-05 22:05:39 0 d------c- C:\Documents and Settings\Bogey\Application Data\Sun
2007-10-05 22:05:26 0 d------c- C:\Program Files\Java
2007-10-05 22:02:46 0 d------c- C:\Program Files\Common Files\Java
2007-10-05 15:59:36 0 d------c- C:\Program Files\WIDCOMM
2007-10-05 00:30:02 0 d------c- C:\Documents and Settings\Bogey\Application Data\vlc
2007-10-05 00:29:02 0 d------c- C:\Program Files\VideoLAN
2007-10-04 15:25:20 0 d------c- C:\Program Files\BitComet
2007-10-04 12:00:16 0 d------c- C:\Documents and Settings\Bogey\Application Data\Google
2007-10-03 21:37:39 0 d------c- C:\Documents and Settings\Bogey\Application Data\Ahead
2007-10-03 19:38:07 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-10-03 19:38:07 0 d------c- C:\Program Files\GoldEsel
2007-10-03 19:36:02 0 d------c- C:\Program Files\Ahead
2007-10-03 19:33:37 0 d------c- C:\Program Files\Common Files\Ahead
2007-10-02 21:19:56 0 d------c- C:\Documents and Settings\Bogey\Application Data\Macromedia
2007-10-02 13:58:36 0 d------c- C:\Program Files\iPod
2007-10-02 13:57:32 0 d------c- C:\Program Files\Apple Software Update
2007-10-02 13:26:38 0 d------c- C:\Documents and Settings\Bogey\Application Data\Apple Computer
2007-10-02 13:22:05 0 d------c- C:\Program Files\Common Files\InstallShield
2007-10-02 12:33:35 0 d------c- C:\Program Files\BearShare
2007-10-02 12:03:11 0 d------c- C:\Documents and Settings\Bogey\Application Data\Media Player Classic
2007-10-02 02:16:14 0 d------c- C:\Documents and Settings\Bogey\Application Data\DivX
2007-10-02 00:47:36 0 d------c- C:\Documents and Settings\Bogey\Application Data\Creative
2007-10-02 00:47:27 0 d------c- C:\Program Files\Creative
2007-10-02 00:20:32 0 d------c- C:\Program Files\DivX
2007-10-01 23:59:15 0 d------c- C:\Documents and Settings\Bogey\Application Data\Opera
2007-10-01 23:43:18 298104 --a------ C:\WINDOWS\System32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-10-01 22:46:25 0 d------c- C:\Program Files\Common Files\ODBC
2007-10-01 22:46:22 0 d------c- C:\Program Files\Common Files\SpeechEngines
2007-10-01 22:46:03 62 --ahs---- C:\Documents and Settings\Bogey\Application Data\desktop.ini
2007-10-01 22:02:24 0 d------c- C:\Program Files\Intel
2007-10-01 22:00:58 0 d------c- C:\Program Files\Analog Devices
2007-10-01 21:59:02 0 d------c- C:\Documents and Settings\Bogey\Application Data\Identities
2007-10-01 21:55:34 0 d------c- C:\Program Files\microsoft frontpage
2007-10-01 21:54:35 0 -rahs--c- C:\MSDOS.SYS
2007-10-01 21:54:35 0 -rahs--c- C:\IO.SYS
2007-10-01 21:54:35 0 --a----c- C:\CONFIG.SYS
2007-10-01 21:54:35 0 --a----c- C:\AUTOEXEC.BAT
2007-10-01 21:53:32 0 d------c- C:\Program Files\Online Services
2007-10-01 21:52:30 0 d------c- C:\Program Files\Common Files\MSSoap
2007-10-01 21:51:25 0 d------c- C:\Program Files\Windows NT
2007-10-01 21:51:25 0 d------c- C:\Program Files\MSN Gaming Zone
2007-09-17 18:23:00 823296 --a----c- C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 18:23:00 823296 --a----c- C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 18:22:58 802816 --a----c- C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 18:22:58 739840 --a----c- C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 00:07:00 1626112 --a----c- C:\WINDOWS\System32\nwiz.exe
2007-09-17 00:07:00 1019904 --a----c- C:\WINDOWS\System32\nvwimg.dll
2007-09-17 00:07:00 1703936 --a----c- C:\WINDOWS\System32\nvwdmcpl.dll
2007-09-17 00:07:00 466944 --a----c- C:\WINDOWS\System32\nvshell.dll
2007-09-17 00:07:00 1478656 --a----c- C:\WINDOWS\System32\nview.dll
2007-09-17 00:07:00 1339392 --a----c- C:\WINDOWS\System32\nvdspsch.exe
2007-09-17 00:07:00 442368 --a----c- C:\WINDOWS\System32\nvappbar.exe
2007-09-17 00:07:00 425984 --a----c- C:\WINDOWS\System32\keystone.exe
2007-08-21 00:26:52 196608 --a----c- C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-08-21 00:26:52 81920 --a----c- C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-08-15 22:33:14 3596288 --a----c- C:\WINDOWS\System32\qt-dx331.dll
2007-08-15 22:30:26 12288 --a----c- C:\WINDOWS\System32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B589A78F-E3AF-4493-8FA2-BE171FD114E8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [19/06/2002 18:14]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [19/06/2002 18:05]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [17/09/2007 00:07]
"nwiz"="nwiz.exe" [17/09/2007 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [17/09/2007 00:07]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [08/01/2007 14:29]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [14/05/2007 22:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 05:24]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [07/08/2007 00:05]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [01/10/2007 23:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [26/09/2007 13:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [29/08/2002 03:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/10/2007 02:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [29/07/2003 15:14:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - USNJSVC



-- End of Deckard's System Scanner: finished at 2007-11-14 12:29:33 ------------

Panda Scan


Incident Status Location

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Bogey\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1757981266-1644491937-725345543-1004\Dc1.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\RECYCLER\S-1-5-21-1757981266-1644491937-725345543-1004\Dc1.zip[SmitfraudFix/restart.exe]
Adware:Adware/BHO Not disinfected C:\RECYCLER\S-1-5-21-1757981266-1644491937-725345543-1004\Dc3.1
PLEASE NOTE: The last 3 entries have since been removed from the recycle bin; however, dmserve.dll is still in my system32 folder.
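The two indicators a log reviewer would pull out of the post above are the O2 entry for a BHO that registered no display name and loads from system32 (dmserve.dll), and the two random-named .dat files written under System32\drivers within about half a minute of that DLL. The Python below is an added example, not part of this thread and not a tool the helpers here used: it parses log excerpts of the form posted above, flags such BHOs, lists files co-created with a given file, and diffs two HijackThis scans so a "fix checked" can be verified. The regexes assume the HijackThis "O2 - BHO:" and DSS "Files created" line formats exactly as they appear on this page; the HJT_AFTER log is constructed to mirror the outcome reported later in the thread (only the orphaned entry gone). Nothing here touches the live system.

```python
"""Triage helpers for HijackThis / DSS log excerpts (added example, not from the thread)."""
import re
from datetime import datetime

# O2 line: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# DSS line: "<date> <time> <size> <9 attribute flags> <path> [<verification info>]"
DSS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attrs>\S{9}) "
    r"(?P<path>.+?)(?: <(?P<info>[^>]*)>)?$")

# Lines excerpted from the first post's HijackThis clone log.
HJT_BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\system32\dmserve.dll
"""
# Constructed "after" scan: only the orphaned entry is gone, as reported in post #6.
HJT_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\system32\dmserve.dll
"""
# Lines excerpted from the DSS "Files created between 2007-10-14 and 2007-11-14" list.
DSS_EXCERPT = r"""
2007-11-13 14:42:04 118784 --a----c- C:\WINDOWS\System32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-10-30 13:12:24 18688 --a----c- C:\WINDOWS\System32\drivers\ndsfqkpr.dat
2007-10-30 13:12:22 5120 --a----c- C:\WINDOWS\System32\drivers\gmksqzsc.dat
2007-10-30 13:11:49 114944 --a----c- C:\WINDOWS\System32\dmserve.dll
2007-10-28 21:54:17 0 d------c- C:\Program Files\Messenger Plus! Live
"""


def parse_bhos(log_text):
    """Return [(name, clsid, path)] for every O2 line in a HijackThis log."""
    out = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            out.append((m["name"], m["clsid"], m["path"]))
    return out


def triage_bhos(log_text):
    """Map CLSID -> reason for BHOs that deserve a closer look.

    Cheap heuristics only: an entry whose DLL is missing (orphan), a BHO that
    registered no display name, or one loading from the Windows directory tree.
    """
    flagged = {}
    for name, clsid, path in parse_bhos(log_text):
        if path == "(no file)":
            flagged[clsid] = "orphaned entry (DLL missing)"
        elif name == "(no name)":
            flagged[clsid] = "unnamed BHO -> " + path
        elif path.lower().startswith("c:\\windows\\"):
            flagged[clsid] = "BHO loaded from Windows dir -> " + path
    return flagged


def parse_dss_files(text):
    """Return [(created, size, attrs, path, info)] for DSS 'Files created' lines."""
    out = []
    for line in text.splitlines():
        m = DSS_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                        int(m["size"]), m["attrs"], m["path"], m["info"]))
    return out


def cocreated_files(text, anchor_path, window_seconds=120):
    """Paths of files (directories excluded) created within window_seconds of anchor_path.

    A dropper usually writes all of its components within seconds of each other,
    so the creation time of one known-bad file points at its siblings.
    """
    files = parse_dss_files(text)
    anchor = [f for f in files if f[3].lower() == anchor_path.lower()]
    if not anchor:
        return []
    t0 = anchor[0][0]
    return sorted(
        f[3] for f in files
        if not f[2].startswith("d") and f[3].lower() != anchor_path.lower()
        and abs((f[0] - t0).total_seconds()) <= window_seconds)


def hjt_diff(before, after):
    """(removed, added) R/O entries between two HijackThis scans."""
    def entries(t):
        return {l.strip() for l in t.splitlines() if re.match(r"^[RO]\d+ - ", l.strip())}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for clsid, why in triage_bhos(HJT_BEFORE).items():
        print(clsid, why)
    print(cocreated_files(DSS_EXCERPT, r"C:\WINDOWS\System32\dmserve.dll"))
    print(hjt_diff(HJT_BEFORE, HJT_AFTER))
```

Run against the excerpts above, the triage flags exactly the two "(no name)" entries, the co-creation check returns the two .dat files under drivers\, and the diff shows that only the orphaned {7E853D72...} entry disappeared while the dmserve.dll entry survived, which is the situation the poster describes after running the fix.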
 


Registered · 1,702 Posts
Welcome Moschops2007.
Sorry for the delay.
If you're still in need of assistance and are not receiving help at another forum, post back with a new HijackThis log please.
 

Registered · 10 Posts · Discussion Starter #4
Thanks for getting back to me.

Here is the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 19:54:37, on 20/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Documents and Settings\Bogey\My Documents\Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\System32\dmserve.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191276819764
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




Also, NOD32 now detects the dmserve.dll as a virus, saying that it's probably a variant of the Win32 trojan.

Thanks
 

Registered · 1,702 Posts
Download (save, do not run) catchme:
http://files.thespykiller.co.uk/catchme.exe
Place it in c:\windows\ or c:\windows\system32\.


Copy the contents of the code box below (don't include the word "Code") into a new Notepad document (not WordPad or another text editor).
Click File > Save As... > name it check.bat > file type *All Files* > and save it to your desktop.
Code:
set "file1=C:\WINDOWS\System32\drivers\ndsfqkpr.dat"
set "file2=C:\WINDOWS\System32\drivers\gmksqzsc.dat"
set "file3=C:\WINDOWS\System32\dmserve.dll"
set "log=%systemdrive%\log.txt"
::NTFS test - writing an alternate data stream only works on NTFS
type nul>test
type nul>"%cd%\test:test" && goto start
echo batch intended for NTFS systems & pause & exit
:start
if exist test del test
:: For each file: let catchme handle it first (its output goes to %temp%\catchme.txt),
:: grant the current user full control with cacls, delete it, and append the result
:: to the log so that both the pre-reboot and post-reboot runs are recorded
If exist "%file1%" (
catchme -K "%file1%" -l "%temp%\catchme.txt" >nul 2>&1
echo.Y|cacls "%file1%" /g %username%:f >nul 2>&1
del "%file1%" >nul 2>&1
if not exist "%file1%" echo.%file1% Deleted >>"%log%" 2>nul
)
If exist "%file2%" (
catchme -K "%file2%" -l "%temp%\catchme.txt" >nul 2>&1
echo.Y|cacls "%file2%" /g %username%:f >nul 2>&1
del "%file2%" >nul 2>&1
if not exist "%file2%" echo.%file2% Deleted >>"%log%" 2>nul
)
If exist "%file3%" (
catchme -K "%file3%" -l "%temp%\catchme.txt" >nul 2>&1
echo.Y|cacls "%file3%" /g %username%:f >nul 2>&1
del "%file3%" >nul 2>&1
if not exist "%file3%" echo.%file3% Deleted >>"%log%" 2>nul
)
echo.Y|cacls "%temp%\*.dat" /g %username%:f >nul 2>&1
if exist "%log%" start notepad.exe "%log%"
Disconnect from the internet and disable NOD32 for now.

Run check.bat, then restart your PC and run check.bat again; a text file should open, post it.
Re-enable NOD32.
Start a HijackThis scan and place a check next to these items, if there:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\System32\dmserve.dll
====================================
Hit Fix checked, scan again > save log, post it, then close HijackThis.
 

·
Registered
Joined
·
10 Posts
Discussion Starter #6
Have done everything as instructed. I placed catchme.exe in c:\windows\system32. However, after the restart and 2nd check.bat run no text opened. I continued anyway, ran HijackThis, fixed the 2 entries and ran HijackThis again; only 1 of the entries was removed, the dmserve.dll is still present.

Here is the last hijackthis log.


Logfile of HijackThis v1.99.1
Scan saved at 21:17:13, on 20/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Bogey\My Documents\Programs\hijackthis\HijackThis.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\System32\dmserve.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191276819764
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

·
Registered
Joined
·
1,702 Posts
I edited my last post. Make a new check.bat, be sure to disconnect and disable NOD32 before running; same procedure: run it, reboot, run it again, post the text if it opens.
 

·
Registered
Joined
·
10 Posts
Discussion Starter #8
Again, did everything as you instructed; still no text opens after the 2nd check.bat run. Have turned off backups in HijackThis and even tried moving the catchme.exe into c:\windows\ and still no joy. Don't know what I'm doing wrong.
 

·
Registered
Joined
·
1,702 Posts
Has NOD32 been displaying warnings?
How did you disable it before running the bat?

I'd like to see another DSS main text; you need to run it in this fashion though.

Click the Windows 'Start' button > Select 'Run', then copy/paste this into the run box & click OK:
"C:\Documents and Settings\Bogey\My Documents\Programs\dss.exe" /config
Tick:

main log
[x] system restore
[x]temp cleanup
[x] hijackthis
[x] hijackthis ignored
[x] hijackthis fixed
[x] file associations
[x] drivers
[x] services
[x] device manager
[x] process modules
[x] scheduled tasks
[x] files created/modified
[x] registry dump
[] hosts file
Click Scan!

When finished, it shall produce a log for you. Post that log in your next reply.
 

·
Registered
Joined
·
10 Posts
Discussion Starter #10
I disable NOD32 by opening the control center and selecting "quit". However, after the 1st run, when I restarted the PC NOD32 automatically started up with Windows, so I disabled it via the startup tab in msconfig and have been starting NOD32 manually after the 2nd check.bat run. With regards to virus warnings, NOD32 has only detected the actual \system32\dmserve.dll file once; this was after it updated its virus signatures. Since then it has only picked it up in the backup file created by HijackThis: the warning is displayed as soon as the backup is created and it copies the file to quarantine. I have since disabled backups in HijackThis and deleted the backed up files and the quarantined files.

Here is the new DSS log


Deckard's System Scanner v20071014.68
Run by Bogey on 2007-11-21 13:30:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-11-21 13:31:02 UTC - RP1 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Bogey.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-21 13:32:20
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Bogey\My Documents\Programs\dss.exe
C:\Documents and Settings\Bogey\My Documents\Programs\hijackthis\Bogey.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\system32\dmserve.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191276819764
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--
End of file - 8464 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pksqszmb - c:\windows\system32\drivers\ndsfqkpr.dat
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 10>
R3 btwhid - c:\windows\system32\drivers\btwhid.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 10>
R3 NBXG750 (NB 802.11g XG750 Driver) - c:\windows\system32\drivers\wlanutg.sys <Not Verified; Texas Instruments; TNET1150 USB WLAN Adapter>

S3 ASFWHide - c:\docume~1\bogey\locals~1\temp\asfwhide (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 720)
2007-10-01 23:43:18 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>

C:\WINDOWS\system32\svchost.exe (pid 772)
2007-10-01 23:43:18 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>


-- Scheduled Tasks -------------------------------------------------------------

2007-11-19 16:54:06 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-10-21 and 2007-11-21 -----------------------------

2007-11-15 14:36:56 0 d------c- C:\Documents and Settings\Bogey\Application Data\Comodo
2007-11-15 14:36:55 0 d------c- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-15 14:29:11 0 d------c- C:\Program Files\Comodo
2007-11-15 10:44:51 0 d------c- C:\Program Files\Ashampoo
2007-11-14 16:17:31 217088 --a----c- C:\WINDOWS\System32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-11-14 16:17:31 564224 --a----c- C:\WINDOWS\System32\x264vfw.dll
2007-11-14 16:17:30 1559040 --a----c- C:\WINDOWS\System32\xvidcore.dll
2007-11-14 16:17:29 282624 --a----c- C:\WINDOWS\System32\xvidvfw.dll
2007-11-14 16:17:27 7680 --a----c- C:\WINDOWS\System32\ff_vfw.dll
2007-11-14 16:17:24 0 d------c- C:\Documents and Settings\Bogey\Application Data\Real
2007-11-14 16:17:24 0 d------c- C:\Documents and Settings\All Users\Application Data\Real
2007-11-13 19:13:33 0 d------c- C:\WINDOWS\Prefetch
2007-11-13 18:11:22 0 d------c- C:\WINDOWS\System32\PreInstall
2007-11-13 17:07:24 0 d------c- C:\WINDOWS\ServicePackFiles
2007-11-13 17:07:23 0 d------c- C:\WINDOWS\ehome
2007-11-13 14:42:04 118784 --a----c- C:\WINDOWS\System32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-11-13 14:41:55 0 d------c- C:\Program Files\SpywareBlaster
2007-11-13 14:29:04 0 d------c- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-13 14:28:43 0 d------c- C:\Temp
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\Templates
2007-11-13 13:52:10 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2007-11-13 13:52:10 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\Recent
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2007-11-13 13:52:10 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\My Documents
2007-11-13 13:52:10 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\Favorites
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\Desktop
2007-11-13 13:52:10 0 d---s--c- C:\Documents and Settings\Administrator\Cookies
2007-11-13 13:52:10 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2007-11-13 13:52:10 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-13 13:52:10 0 d------c- C:\Documents and Settings\Administrator\Application Data\DivX
2007-11-12 23:37:44 0 d------c- C:\WINDOWS\System32\ActiveScan
2007-11-10 12:50:59 1689600 --a----c- C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-10 12:50:58 1769472 --a----c- C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-10 12:49:20 0 d--h---c- C:\WINDOWS\msdownld.tmp
2007-11-10 11:50:05 0 d--h---c- C:\WINDOWS\$hf_mig$
2007-11-09 23:08:31 0 d------c- C:\Documents and Settings\All Users\Application Data\GRETECH
2007-11-09 23:07:36 0 d------c- C:\Documents and Settings\Bogey\Application Data\GRETECH
2007-11-09 23:07:18 0 d------c- C:\Program Files\GRETECH
2007-11-09 22:01:07 494848 -ra----c- C:\WINDOWS\System32\drivers\WLANUTG.SYS <Not Verified; Texas Instruments; TNET1150 USB WLAN Adapter>
2007-11-09 22:01:07 97388 -ra----c- C:\WINDOWS\System32\drivers\Fwusb1b.bin
2007-11-09 21:51:46 0 d------c- C:\Documents and Settings\Default User\Application Data\DivX
2007-11-09 18:38:19 0 d------c- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 17:25:02 2028 --a----c- C:\WINDOWS\System32\tmp.reg
2007-11-09 16:52:04 0 d------c- C:\WINDOWS\pss
2007-11-09 14:36:57 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 22:51:46 0 d------c- C:\My Music
2007-10-30 13:12:24 18688 --a----c- C:\WINDOWS\System32\drivers\ndsfqkpr.dat
2007-10-30 13:12:22 5120 --a----c- C:\WINDOWS\System32\drivers\gmksqzsc.dat
2007-10-30 13:11:49 106496 --a----c- C:\WINDOWS\System32\dmserve.dll
2007-10-28 21:54:17 0 d------c- C:\Program Files\Messenger Plus! Live
2007-10-28 00:33:17 120 --a----c- C:\drmHeader.bin


-- Find3M Report ---------------------------------------------------------------

2007-11-21 13:26:17 0 d------c- C:\Documents and Settings\Bogey\Application Data\uTorrent
2007-11-20 15:34:19 0 d------c- C:\Documents and Settings\Bogey\Application Data\Azureus
2007-11-14 16:17:27 0 d------c- C:\Program Files\K-Lite Codec Pack
2007-11-13 22:48:29 0 d------c- C:\Program Files\MSN Messenger
2007-11-13 20:29:43 0 d------c- C:\Program Files\Winamp
2007-11-13 20:28:35 0 d------c- C:\Program Files\QuickTime
2007-11-13 20:28:08 0 d------c- C:\Program Files\PowerISO
2007-11-13 20:28:06 0 d------c- C:\Program Files\Opera
2007-11-13 20:26:21 0 d------c- C:\Program Files\iTunes
2007-11-13 20:25:20 0 d------c- C:\Program Files\Google
2007-11-13 19:32:13 0 d------c- C:\Program Files\Messenger
2007-11-13 17:06:54 0 d------c- C:\Program Files\Movie Maker
2007-11-10 12:16:03 0 d------c- C:\Program Files\Common Files
2007-11-10 00:27:19 0 d--h---c- C:\Program Files\WindowsUpdate
2007-11-09 22:03:59 0 d------c- C:\Program Files\K-litePro
2007-11-09 21:49:39 23348 --a----c- C:\WINDOWS\System32\emptyregdb.dat
2007-11-07 19:22:39 4212 --ah---c- C:\WINDOWS\System32\zllictbl.dat
2007-10-20 13:18:07 0 d------c- C:\Program Files\DFX
2007-10-19 01:17:29 0 d------c- C:\Program Files\Common Files\Real
2007-10-19 01:17:18 0 d------c- C:\Documents and Settings\Bogey\Application Data\Real(2)
2007-10-19 01:16:58 0 d------c- C:\Program Files\PeerGuardian2
2007-10-16 12:43:18 0 d------c- C:\Program Files\Real
2007-10-10 18:59:32 0 d------c- C:\Program Files\Bit Che
2007-10-07 02:19:53 0 d------c- C:\Program Files\Azureus
2007-10-05 22:05:39 0 d------c- C:\Documents and Settings\Bogey\Application Data\Sun
2007-10-05 22:05:26 0 d------c- C:\Program Files\Java
2007-10-05 22:02:46 0 d------c- C:\Program Files\Common Files\Java
2007-10-05 15:59:36 0 d------c- C:\Program Files\WIDCOMM
2007-10-05 00:30:02 0 d------c- C:\Documents and Settings\Bogey\Application Data\vlc
2007-10-05 00:29:02 0 d------c- C:\Program Files\VideoLAN
2007-10-04 12:00:16 0 d------c- C:\Documents and Settings\Bogey\Application Data\Google
2007-10-03 21:37:39 0 d------c- C:\Documents and Settings\Bogey\Application Data\Ahead
2007-10-03 19:38:07 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-10-03 19:38:07 0 d------c- C:\Program Files\GoldEsel
2007-10-03 19:36:02 0 d------c- C:\Program Files\Ahead
2007-10-03 19:33:37 0 d------c- C:\Program Files\Common Files\Ahead
2007-10-02 21:19:56 0 d------c- C:\Documents and Settings\Bogey\Application Data\Macromedia
2007-10-02 13:58:36 0 d------c- C:\Program Files\iPod
2007-10-02 13:57:32 0 d------c- C:\Program Files\Apple Software Update
2007-10-02 13:26:38 0 d------c- C:\Documents and Settings\Bogey\Application Data\Apple Computer
2007-10-02 13:22:05 0 d------c- C:\Program Files\Common Files\InstallShield
2007-10-02 12:33:35 0 d------c- C:\Program Files\BearShare
2007-10-02 12:03:11 0 d------c- C:\Documents and Settings\Bogey\Application Data\Media Player Classic
2007-10-02 02:16:14 0 d------c- C:\Documents and Settings\Bogey\Application Data\DivX
2007-10-02 00:47:36 0 d------c- C:\Documents and Settings\Bogey\Application Data\Creative
2007-10-02 00:47:27 0 d------c- C:\Program Files\Creative
2007-10-02 00:20:32 0 d------c- C:\Program Files\DivX
2007-10-01 23:59:15 0 d------c- C:\Documents and Settings\Bogey\Application Data\Opera
2007-10-01 23:43:18 298104 --a------ C:\WINDOWS\System32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-10-01 22:46:25 0 d------c- C:\Program Files\Common Files\ODBC
2007-10-01 22:46:22 0 d------c- C:\Program Files\Common Files\SpeechEngines
2007-10-01 22:46:03 62 --ahs---- C:\Documents and Settings\Bogey\Application Data\desktop.ini
2007-10-01 22:02:24 0 d------c- C:\Program Files\Intel
2007-10-01 22:00:58 0 d------c- C:\Program Files\Analog Devices
2007-10-01 21:59:02 0 d------c- C:\Documents and Settings\Bogey\Application Data\Identities
2007-10-01 21:55:34 0 d------c- C:\Program Files\microsoft frontpage
2007-10-01 21:54:35 0 -rahs--c- C:\MSDOS.SYS
2007-10-01 21:54:35 0 -rahs--c- C:\IO.SYS
2007-10-01 21:54:35 0 --a----c- C:\CONFIG.SYS
2007-10-01 21:54:35 0 --a----c- C:\AUTOEXEC.BAT
2007-10-01 21:53:32 0 d------c- C:\Program Files\Online Services
2007-10-01 21:52:30 0 d------c- C:\Program Files\Common Files\MSSoap
2007-10-01 21:51:25 0 d------c- C:\Program Files\Windows NT
2007-10-01 21:51:25 0 d------c- C:\Program Files\MSN Gaming Zone
2007-09-17 18:23:00 823296 --a----c- C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 18:23:00 823296 --a----c- C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 18:22:58 802816 --a----c- C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-17 18:22:58 739840 --a----c- C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 00:07:00 1626112 --a----c- C:\WINDOWS\System32\nwiz.exe
2007-09-17 00:07:00 1019904 --a----c- C:\WINDOWS\System32\nvwimg.dll
2007-09-17 00:07:00 1703936 --a----c- C:\WINDOWS\System32\nvwdmcpl.dll
2007-09-17 00:07:00 466944 --a----c- C:\WINDOWS\System32\nvshell.dll
2007-09-17 00:07:00 1478656 --a----c- C:\WINDOWS\System32\nview.dll
2007-09-17 00:07:00 1339392 --a----c- C:\WINDOWS\System32\nvdspsch.exe
2007-09-17 00:07:00 442368 --a----c- C:\WINDOWS\System32\nvappbar.exe
2007-09-17 00:07:00 425984 --a----c- C:\WINDOWS\System32\keystone.exe
2007-08-21 00:26:52 196608 --a----c- C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-08-21 00:26:52 81920 --a----c- C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B589A78F-E3AF-4493-8FA2-BE171FD114E8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [19/06/2002 18:14]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [19/06/2002 18:05]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [17/09/2007 00:07]
"nwiz"="nwiz.exe" [17/09/2007 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [17/09/2007 00:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 05:24]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [07/08/2007 00:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [26/09/2007 13:42]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [15/11/2007 14:28]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [29/08/2002 03:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [29/08/2002 03:41]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/10/2007 02:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [29/07/2003 15:14:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE




-- End of Deckard's System Scanner: finished at 2007-11-21 13:41:52 ------------
 

1,702 Posts
Let's try it this way.
"so I disabled it via the start up tab in msconfig"
Re-enable it.
Disconnect from the Internet (if on broadband, unplug the modem).
In nod32's options, under threat protection modules,
for each of amon, dmon, emon and imon, uncheck its protection.

Put check.bat and catchme.exe in c:\

Run check.bat, restart your pc and run it again.
Do not connect to the internet until you have re-enabled nod32's protections.

Check if these files are present:
C:\WINDOWS\System32\drivers\ndsfqkpr.dat
C:\WINDOWS\System32\drivers\gmksqzsc.dat
C:\WINDOWS\System32\dmserve.dll
 

10 Posts
Discussion Starter #14
The result is still the same: no text opens after the 2nd check.bat. I've even checked my copy of check.bat to make sure I didn't mess the copy and paste up; they're exactly the same. I've also redownloaded catchme, but all 3 files are still present. Anyway, here's the latest HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 15:11:53, on 21/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Bogey\My Documents\Programs\hijackthis\Bogey.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\System32\dmserve.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191276819764
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

1,702 Posts
Odd, in our testing it worked great.

Delete check.bat and catchme.exe

Download gmer.zip - http://www.gmer.net/files.php
Extract the contents of the zipped file to your desktop.
Disconnect from the internet and close all running programs.
Disable nod32 as before.
Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan, say yes.

You should see an item or two like this >
page ntoskrnl!RtCopySID + 38 80567b83 7 bytes JMP F9CCC020 gmksqzsc.dat
or
page ntoskrnl!RtCopySID + 38 80567b83 7 bytes JMP F9CCC020 ndsfqkpr.dat
or
Code \SystemRoot\system32\drivers\ndsfqkpr.dat ObOpenObjectByName


Right click and choose the option "restore code" (if the option is there; it might not be, continue on).
Close gmer.

Copy the contents of the code box below (don't include the word Code) into a new Notepad document (not WordPad or another text editor).
Click File > Save as... > call it gmerbat.bat > file types *all files* > and save it to your desktop.

Code:
gmer -del service pksqszmb
gmer -del file "C:\WINDOWS\System32\drivers\ndsfqkpr.dat"
gmer -del file "C:\WINDOWS\System32\drivers\gmksqzsc.dat"
gmer -del file "C:\WINDOWS\System32\dmserve.dll"
gmer -reboot
After Windows has started, run HijackThis and fix this item:
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\System32\dmserve.dll

Don't forget to re-enable nod32.
Check and tell us if those files are still present?
 
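The two checks the helper asks for in this thread, "are the three suspect files still present" and "fix the unnamed O2 BHO entry", can be automated against a HijackThis log rather than read by eye. The following Python is an added example written for this thread, not a tool from the forum or from HijackThis/GMER; the sample log lines are constructed from the log quoted above, and the suspect filename list is the one the helper gave. It parses the O2 (BHO) lines and flags a BHO that has no registered name or whose DLL filename is on the suspect list, and separately lists every log line, from any section, that references one of those filenames.

```python
import re

# Constructed sample: a few lines in the format of the HijackThis log quoted
# in this thread (CLSIDs and paths copied from the thread's own log).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B589A78F-E3AF-4493-8FA2-BE171FD114E8} - C:\WINDOWS\System32\dmserve.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""

# Filenames the helper in this thread asked the poster to check for.
SUSPECT_FILENAMES = {"ndsfqkpr.dat", "gmksqzsc.dat", "dmserve.dll"}

# HijackThis O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)


def parse_bho_entries(log_text):
    """Return (name, clsid, path) for every O2 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("clsid"), m.group("path")))
    return entries


def _basename(win_path):
    """Last path component of a Windows path, lower-cased for comparison."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def flag_suspicious_bhos(log_text, suspect_filenames=SUSPECT_FILENAMES):
    """Flag BHOs with no registered name or a DLL filename on the suspect list.

    A legitimate BHO normally registers a display name; "(no name)" on its own
    is only a hint, so each finding carries the reasons it was flagged.
    """
    findings = []
    for name, clsid, path in parse_bho_entries(log_text):
        reasons = []
        if name.strip().lower() == "(no name)":
            reasons.append("BHO has no name")
        if _basename(path) in suspect_filenames:
            reasons.append("DLL filename is on the suspect list")
        if reasons:
            findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings


def find_suspect_references(log_text, suspect_filenames=SUSPECT_FILENAMES):
    """Return every log line (any section) that mentions a suspect filename."""
    hits = []
    for line in log_text.splitlines():
        lowered = line.lower()
        if any(fn in lowered for fn in suspect_filenames):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for f in flag_suspicious_bhos(SAMPLE_LOG):
        print(f["clsid"], f["path"], "; ".join(f["reasons"]))
    for line in find_suspect_references(SAMPLE_LOG):
        print("reference:", line)
```

Run it against a saved HijackThis log by reading the file into `flag_suspicious_bhos` instead of `SAMPLE_LOG`. On the log in this thread it reports exactly the one entry the helper told the poster to fix; a clean log after the GMER step returns no findings and no references.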

10 Posts
Discussion Starter #16
All 3 files have gone...


Don't know if you need this, but here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 16:37:19, on 21/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Bogey\My Documents\Programs\hijackthis\Bogey.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191276819764
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

1,702 Posts
Great, good work.

Post back in a few days and let us know how the pc is, please.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.


To help avoid reinfection see "So how did I get infected in the first place?"
http://castlecops.com/postlite7736-.html

PC Safety and Security--What Do I Need - http://www.techsupportforum.com/f174/pc-safety-and-security-what-do-i-need-115548.html
 