I think I have one or more Trojans. [CLOSED]



#1 Aussieants (New Member, 2 posts)
Hi there,

I'm not sure if I've done the right thing here but If you could help me fix the problem when you can I'd be extremely grateful.
I had multiple pop-ups and fake security warnings. A friend of mine advised me to run ComboFix, which I did today. Below is the ComboFix log.

ComboFix 08-05-01.1 - pc 2008-05-02 15:59:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.738 [GMT 10:00]
Running from: C:\Documents and Settings\pc\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\pc\Desktop\Error Cleaner.url
C:\Documents and Settings\pc\Desktop\Privacy Protector.url
C:\Documents and Settings\pc\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\pc\Favorites\Error Cleaner.url
C:\Documents and Settings\pc\Favorites\Privacy Protector.url
C:\Documents and Settings\pc\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdkpfxqw.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\qadovnel.dll
C:\WINDOWS\resources\AvpRam.dll
C:\WINDOWS\spwoqbmv.exe
C:\WINDOWS\system32\382077\382077.dll
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\fywvdljh.dll
C:\WINDOWS\system32\gplrwcoj.ini
C:\WINDOWS\system32\hjldvwyf.ini
C:\WINDOWS\system32\hPsDfMoq.ini
C:\WINDOWS\system32\hPsDfMoq.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnmnnoN.dll
C:\WINDOWS\system32\qoMfDsPh.dll
C:\WINDOWS\system32\smp
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-01 09:26 . 2008-05-02 16:01 <DIR> d-------- C:\WINDOWS\system32\382077
2008-05-01 04:50 . 2008-05-01 04:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-01 04:50 . 2008-05-01 04:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 04:50 . 2008-05-01 04:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-01 04:43 . 2008-05-01 04:43 <DIR> d-------- C:\Documents and Settings\pc\Application Data\TmpRecentIcons
2008-05-01 04:25 . 2008-05-01 04:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 03:42 . 2008-05-01 03:42 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-01 03:34 . 2008-05-01 03:34 169 --a------ C:\WINDOWS\RtlRack.ini
2008-05-01 03:26 . 2008-05-01 03:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\otmvabkl
2008-05-01 03:04 . 2008-05-01 03:12 <DIR> d-------- C:\Program Files\PhotomatixPro3
2008-05-01 03:03 . 2008-05-01 03:03 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-04-28 22:43 . 2004-08-04 22:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-27 15:59 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-27 15:56 . 2008-04-27 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-27 15:54 . 2008-04-27 15:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-27 15:53 . 2008-04-27 15:54 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-27 15:31 . 2008-04-27 15:31 <DIR> d-------- C:\Documents and Settings\pc\Contacts
2008-04-27 14:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-27 14:07 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-27 14:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-25 21:26 . 2008-04-25 21:26 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-04-25 21:26 . 2008-04-25 21:26 <DIR> d-------- C:\Program Files\Realtek AC97
2008-04-25 21:26 . 2008-04-27 15:58 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-25 21:26 . 2008-04-25 21:26 <DIR> d-------- C:\Program Files\AvRack
2008-04-25 20:13 . 2008-04-25 20:13 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-25 19:39 . 2008-04-25 19:39 268 --ah----- C:\sqmdata03.sqm
2008-04-25 19:39 . 2008-04-25 19:39 244 --ah----- C:\sqmnoopt03.sqm
2008-04-25 19:18 . 2008-04-25 19:18 <DIR> d-------- C:\WINDOWS\Sun
2008-04-25 19:18 . 2008-04-27 14:06 <DIR> d-------- C:\Documents and Settings\pc\Application Data\LimeWire
2008-04-25 19:17 . 2008-04-25 19:17 <DIR> d-------- C:\Program Files\Java
2008-04-25 19:17 . 2008-04-25 19:17 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-25 19:17 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-25 19:15 . 2008-04-25 19:16 <DIR> d-------- C:\Program Files\LimeWire
2008-04-25 19:06 . 2008-04-25 19:06 268 --ah----- C:\sqmdata02.sqm
2008-04-25 19:06 . 2008-04-25 19:06 244 --ah----- C:\sqmnoopt02.sqm
2008-04-25 19:05 . 2008-04-25 19:05 <DIR> d-------- C:\Program Files\PowerISO
2008-04-25 18:39 . 2008-04-25 18:39 268 --ah----- C:\sqmdata01.sqm
2008-04-25 18:39 . 2008-04-25 18:39 244 --ah----- C:\sqmnoopt01.sqm
2008-04-25 16:58 . 2008-04-25 16:58 268 --ah----- C:\sqmdata00.sqm
2008-04-25 16:58 . 2008-04-25 16:58 244 --ah----- C:\sqmnoopt00.sqm
2008-04-25 16:56 . 2008-04-25 16:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-25 16:53 . 2008-04-25 16:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-25 16:52 . 2008-04-25 16:56 <DIR> d-------- C:\Program Files\Windows Live
2008-04-25 16:52 . 2008-04-25 16:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-25 16:41 . 2008-04-25 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-25 16:37 . 2008-04-25 16:40 <DIR> d-------- C:\WINDOWS\nview
2008-04-25 16:37 . 2008-04-25 16:37 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-25 16:37 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-25 16:37 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-25 16:37 . 2008-05-02 16:03 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-25 16:37 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-25 16:36 . 2008-04-25 16:36 <DIR> d-------- C:\NVIDIA
2008-04-25 16:34 . 2008-04-25 16:34 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-04-25 15:56 . 2008-04-27 19:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-25 15:56 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 16:19 299,008 ----a-w C:\WINDOWS\gndarmblsnv.dll
2008-03-14 06:04 46,652 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BFC1E05-8287-420E-8526-F6D76E1FEBB8}]
2008-05-01 02:19 299008 --a------ C:\WINDOWS\gndarmblsnv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C3169036-557E-45E1-840F-C845DC406C55}"= "C:\WINDOWS\wxdbpfvo.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{c3169036-557e-45e1-840f-c845dc406c55}]
[HKEY_CLASSES_ROOT\wxdbpfvo.1]
[HKEY_CLASSES_ROOT\TypeLib\{D95C697F-D985-4AB1-92B5-40DF04BBE322}]
[HKEY_CLASSES_ROOT\wxdbpfvo]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"xokusmxu"="C:\WINDOWS\system32\sfcdujox.exe" [2008-05-01 03:26 110592]
"VirusIsolator.exe"="C:\Program Files\VirusIsolator\VirusIsolator.exe" [ ]
"bbwagssu"="C:\WINDOWS\system32\jwfuvsna.exe" [2008-05-02 16:03 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 09:50 233472]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fxJGGjEJ5K"= C:\Documents and Settings\All Users\Application Data\otmvabkl\yjelchwd.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKLM\~\startupfolder\C:^Documents and Settings^pc^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\pc\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 16:03:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\jwfuvsna.exe 90112 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-02 16:04:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 06:04:55

Pre-Run: 71,601,983,488 bytes free
Post-Run: 71,799,435,264 bytes free

180 --- E O F --- 2008-05-01 05:25:07



Even after running combofix I am still having many of the same symptoms. I downloaded HJT and ran a scan. Here is the HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:07 PM, on 2/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\Application Data\otmvabkl\yjelchwd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\sfcdujox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [xokusmxu] C:\WINDOWS\system32\sfcdujox.exe
O4 - HKCU\..\Run: [VirusIsolator.exe] C:\Program Files\VirusIsolator\VirusIsolator.exe
O4 - HKCU\..\Run: [bbwagssu] C:\WINDOWS\system32\jwfuvsna.exe
O4 - HKLM\..\Policies\Explorer\Run: [fxJGGjEJ5K] C:\Documents and Settings\All Users\Application Data\otmvabkl\yjelchwd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1072885874406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5249 bytes

I appreciate your time and effort.
Cheers,
Anthony.

Edited by Aussieants, 02 May 2008 - 02:07 AM.

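A way to triage a HijackThis log like the two in this thread mechanically, as an added example (not the poster's or Octagonal's code, and not part of HijackThis itself). It parses O2/O3/O4/O24 lines and flags the same entries Octagonal later ticks for removal: random-looking 8-to-12-letter file names with no relation to the entry's display name, DLLs sitting directly in C:\WINDOWS, components whose file is missing, the Policies\Explorer\Run autostart location, and the Active Desktop component pointing at a local HTML page. The regexes and the naming heuristic are assumptions chosen from the entries in this log, not a published rule set; treat hits as items to look at, not verdicts. The sample log is constructed from lines in the first post.

```python
import re

# Constructed sample in the shape of the HijackThis v2.0.2 log posted in this
# thread; the entries are copied from that log, nothing here is live data.
SAMPLE_HJT_LOG = r"""
O2 - BHO: DVA Gate - {5BFC1E05-8287-420E-8526-F6D76E1FEBB8} - C:\WINDOWS\gndarmblsnv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\WINDOWS\wxdbpfvo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [xokusmxu] C:\WINDOWS\system32\sfcdujox.exe
O4 - HKCU\..\Run: [bbwagssu] C:\WINDOWS\system32\jwfuvsna.exe
O4 - HKLM\..\Policies\Explorer\Run: [fxJGGjEJ5K] C:\Documents and Settings\All Users\Application Data\otmvabkl\yjelchwd.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

ENTRY_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"^[^:]+: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<command>.*)$")
O24_RE = re.compile(r"^Desktop Component \d+: (?P<name>.*?) - (?P<target>.*)$")
ABS_PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]*?\.(?:exe|dll)", re.IGNORECASE)
# Heuristic only (assumption): 8-12 lowercase letters is the naming pattern of
# the dropped files in this thread (sfcdujox, jwfuvsna, yjelchwd, gndarmblsnv).
RANDOM_RE = re.compile(r"^[a-z]{8,12}$")


def _stem(path):
    """File name without directory or extension, using Windows separators."""
    name = path.rpartition("\\")[2]
    return name.rpartition(".")[0] or name


def _related(name, stem):
    """True if the display name shares a 4-char substring with the file stem."""
    n, s = name.lower(), stem.lower()
    if len(s) < 4:
        return s in n
    return any(s[i:i + 4] in n for i in range(len(s) - 3))


def _file_signals(name, path):
    signals = []
    stem = _stem(path)
    if RANDOM_RE.match(stem) and (RANDOM_RE.match(name) or not _related(name, stem)):
        signals.append("random-looking file name unrelated to the entry name")
    if path.rpartition("\\")[0].lower() == r"c:\windows" and path.lower().endswith(".dll"):
        signals.append("DLL placed directly in the Windows directory")
    return signals


def triage_line(line):
    """Parse one HJT entry; return a dict with the signals it raised, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    name, path, signals = "", "", []
    if kind in ("O2", "O3") and (c := CLSID_RE.match(body)):
        name, path = c.group("name"), c.group("path")
        if path.endswith("(file missing)"):
            signals.append("registered component whose file is missing")
            path = path[: -len("(file missing)")].strip()
        signals += _file_signals(name, path)
    elif kind == "O4" and (o := O4_RE.match(body)):
        name, command = o.group("name"), o.group("command")
        if "policies" in o.group("hive").lower():
            signals.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
        found = ABS_PATH_RE.search(command)
        path = found.group(0) if found else (command.split() or [""])[0].strip('"')
        signals += _file_signals(name, path)
    elif kind == "O24" and (d := O24_RE.match(body)):
        name, path = d.group("name"), d.group("target")
        if path.lower().startswith("file:///"):
            signals.append("Active Desktop component pointing at a local HTML file")
    if not signals:
        return None
    return {"kind": kind, "name": name, "path": path, "signals": signals}


def triage(log_text):
    """Return the entries of a HijackThis log that raised at least one signal."""
    results = [triage_line(line) for line in log_text.strip().splitlines()]
    return [r for r in results if r]


if __name__ == "__main__":
    for entry in triage(SAMPLE_HJT_LOG):
        print(f"{entry['kind']} [{entry['name']}] {entry['path']}")
        for s in entry["signals"]:
            print("    -", s)
```

Run against the log above it reports six entries, the same six that are removed over the rest of the thread, while the Java and NVIDIA entries stay quiet. The "related name" test is what keeps NvCplDaemon/NvCpl.dll and SoundMan/SOUNDMAN.EXE out of the list: legitimate autostarts usually name themselves after their file, the dropped ones here do not.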
#2 Octagonal (Member 2k, 2,528 posts)
Hi Aussieants,

Welcome to Geeks to Go. :)

You shouldn't run tools such as ComboFix etc. unless you're under the supervision of trained personnel in their use. The reason being that they are extremely powerful in what they do and without proper and careful use they can render a system unbootable. Just a precaution for future reference. :)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the Internet.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#3 Aussieants (Topic Starter, New Member, 2 posts)
Thanks for your quick reply Octagonal :) I ran SDFix and here is the report:

C:\WINDOWS\gndarmblsnv.dll - Deleted
C:\WINDOWS\system32\msvchost.exe - Deleted



Folder C:\WINDOWS\system32\382077 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 19:16:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Aug 2004 24,448 A.SHR --- "C:\NTBOOTDD.SYS"

Finished!


And here is the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:37 PM, on 2/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\jwfuvsna.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [xokusmxu] C:\WINDOWS\system32\sfcdujox.exe
O4 - HKCU\..\Run: [bbwagssu] C:\WINDOWS\system32\jwfuvsna.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1072885874406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4957 bytes

Cheers,
Anthony.
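Both the ComboFix "Reg Loading Points" section in the first post and the SDFix "Authorized Application Key Export" above are REGEDIT4-style dumps. As an added example, not code from either tool or from the posters, here is a small parser for that format plus two checks a helper would run over it: whether Security Center warnings have been switched off (the AntiVirusDisableNotify=dword:00000001 entry ComboFix showed, a common side effect of rogue "security" software), and which programs hold Windows Firewall exceptions in each profile (the path:scope:Enabled:name value format above). The sample input is constructed from lines in this thread; FirewallDisableNotify and UpdatesDisableNotify are the sibling XP Security Center values and are assumed here, they do not appear in these logs.

```python
import re

# Constructed sample assembled from the ComboFix "Reg Loading Points" section in
# the first post and the SDFix "Authorized Application Key Export" above.
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<raw>.*)$')
QUOTED_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"')
FW_LIST_RE = re.compile(r"\\firewallpolicy\\(?P<profile>\w+)\\authorizedapplications\\list$")

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
# AntiVirusDisableNotify is the one ComboFix reported; the other two are the
# sibling XP Security Center values and are assumed here, not shown in the logs.
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def _unescape(s):
    r"""Undo .reg string escaping (\" and \\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _parse_value(raw):
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = QUOTED_RE.match(raw)
    if m:
        return _unescape(m.group(1))
    return raw.strip()  # hex:, '-', or ComboFix's annotated forms are kept verbatim


def parse_regedit4(text):
    """Return {key (lowercased): {value name: value}} for a REGEDIT4-style dump."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key").lower()
            reg.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            reg[current][_unescape(v.group("name"))] = _parse_value(v.group("raw"))
    return reg


def disabled_notifications(reg):
    """Security Center warnings that have been switched off (value == 1)."""
    sc = reg.get(SECURITY_CENTER, {})
    return [v for v in NOTIFY_VALUES if sc.get(v) == 1]


def firewall_exceptions(reg):
    """Decode each 'path:scope:mode:name' AuthorizedApplications entry per profile."""
    out = []
    for key, values in reg.items():
        m = FW_LIST_RE.search(key)
        if not m:
            continue
        for path, value in values.items():
            if not isinstance(value, str):
                continue
            if value.lower().startswith(path.lower() + ":"):
                fields = value[len(path) + 1:].split(":", 2)   # display name may contain ':'
            else:
                fields = value.rsplit(":", 3)[1:]               # fallback when value != path
            if len(fields) != 3:
                continue
            scope, mode, display = fields
            out.append({"profile": m.group("profile"), "path": path, "scope": scope,
                        "enabled": mode.lower() == "enabled", "name": display})
    return out


def exceptions_for(reg, basename):
    """Exceptions whose executable has the given file name (case-insensitive)."""
    return [e for e in firewall_exceptions(reg)
            if e["path"].rpartition("\\")[2].lower() == basename.lower()]


if __name__ == "__main__":
    reg = parse_regedit4(SAMPLE_EXPORT)
    print("notifications disabled:", disabled_notifications(reg))
    for e in firewall_exceptions(reg):
        print(f"{e['profile']:16} {'on ' if e['enabled'] else 'off'} {e['path']}  ({e['name']})")
```

The value is split from the left after the path rather than on every colon, because the path itself starts with a drive letter and colon. Seeing LimeWire listed with an enabled exception in the standard profile is the kind of detail Octagonal picks up in the next post.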

#4 Octagonal (Member 2k, 2,528 posts)
Hi Aussieants,

I notice that you have Limewire installed and set to run on Windows start-up. Peer to Peer (P2P) programs enable you to connect with other computers to download files. These are often files such as music, games or movies to name a few. Using P2P programs is quite often the cause of computers becoming infected. It is not necessarily the P2P program that is infected but the file or files that are being downloaded that are. Then there also is the legal aspect of the sharing of certain files (ie. copyright).

Sure, a lot of the files that are downloaded are legitimate, but how do you know if it is or isn't? The filename may indicate what you think you are downloading, but what happens when the file isn't the song, game or movie you thought it was? I am sure that almost everyone who has used P2P programs has discovered at some point that what they downloaded wasn't really the file that they expected.

Sometimes it's harmless; it may just be a case of the wrong filename. Other times you can get a lot more than what you bargained for. Many of the files that you think are safe when you download them can actually have viruses, trojans or malware of some type attached to or embedded into the file. So I pose the question, do you really know what you are downloading...?

While we clean your system either uninstall this program or change the settings so that this program or any other P2P program does not run. Failure to follow the advice to at least disable this program can make it harder to completely clean your system and possibly leave you in a loop of continual infections.

Please download RogueRemover by RubberDucky here.
  • Double-click rr-free-setup.exe to begin installing the program.
  • Follow the setup instructions for installation.
  • Double-click the RogueRemover icon on your desktop.
  • Once the program runs, select Check for Updates.
  • When prompted, select Check for Updates.
  • If prompted again, click Download to receive the latest updates.
  • When completed, close the update window.
  • Next, click Scan
  • If it detects anything, select to remove all objects found.
  • Close RogueRemover

A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKCU\..\Run: [xokusmxu] C:\WINDOWS\system32\sfcdujox.exe
    O4 - HKCU\..\Run: [bbwagssu] C:\WINDOWS\system32\jwfuvsna.exe

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\wxdbpfvo.dll
C:\WINDOWS\system32\sfcdujox.exe
C:\WINDOWS\system32\jwfuvsna.exe
C:\Documents and Settings\All Users\Application Data\otmvabkl\yjelchwd.exe

Folder::


Driver::

ADS::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C3169036-557E-45E1-840F-C845DC406C55}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xokusmxu"=-
"VirusIsolator.exe"=-
"bbwagssu"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fxJGGjEJ5K"= -

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

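Since ComboFix deletes whatever the script names (Octagonal's earlier warning about how powerful these tools are applies here), it is worth generating and sanity-checking a CFScript rather than hand-typing one. The following is an added example, not ComboFix's code or Octagonal's: it renders the five sections in the order the post uses (File::, Folder::, Driver::, ADS::, Registry::, with [-KEY] deleting a key and "name"=- deleting a value, as shown above), refuses relative paths, wildcards, drive roots and keys without a known hive, and reads a script back for review. The validation rules are my choices, not ComboFix's own syntax checks; Driver:: and ADS:: are emitted but not validated since the post does not use them. The entries in thread_script() are copied from the script above.

```python
import re

# ComboFix CFScript section names exactly as they appear in the post above.
SECTIONS = ("File", "Folder", "Driver", "ADS", "Registry")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
SECTION_RE = re.compile(r"^(File|Folder|Driver|ADS|Registry)::$")


def cfscript_problems(files=(), folders=(), delete_keys=(), delete_values=None):
    """Sanity checks (my own, not ComboFix's) before a script is handed to a tool that deletes on sight."""
    problems = []
    for p in list(files) + list(folders):
        if not ABS_PATH_RE.match(p):
            problems.append(f"not an absolute path: {p}")
        elif p.rstrip("\\").count("\\") == 0:   # 'C:\' on its own is the drive root
            problems.append(f"refuses to target a drive root: {p}")
        if any(c in p for c in "*?"):
            problems.append(f"wildcard in path: {p}")
    for k in list(delete_keys) + list(delete_values or {}):
        if not k.upper().startswith(HIVES):
            problems.append(f"registry key does not start with a known hive: {k}")
    return problems


def build_cfscript(files=(), folders=(), drivers=(), ads=(), delete_keys=(), delete_values=None):
    """Render the five sections in the order the post uses; raise on a bad entry."""
    delete_values = delete_values or {}
    problems = cfscript_problems(files, folders, delete_keys, delete_values)
    if problems:
        raise ValueError("; ".join(problems))
    registry = [f"[-{k}]" for k in delete_keys]            # [-KEY] deletes the whole key
    for key, names in delete_values.items():
        registry.append(f"[{key}]")
        registry.extend(f'"{n}"=-' for n in names)          # "name"=- deletes one value
    bodies = {"File": list(files), "Folder": list(folders), "Driver": list(drivers),
              "ADS": list(ads), "Registry": registry}
    out = []
    for section in SECTIONS:
        out.append(f"{section}::")
        out.extend(bodies[section])
        out.append("")
    return "\n".join(out)


def parse_cfscript(text):
    """Read a script back into {section: [non-empty lines]} for review or diffing."""
    sections, current = {s: [] for s in SECTIONS}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and current:
            sections[current].append(re.sub(r"=\s*-$", "=-", line))  # normalise "name"= -
    return sections


def thread_script():
    """The script from the post above, rebuilt from its parts (constructed demo input)."""
    return build_cfscript(
        files=[r"C:\WINDOWS\wxdbpfvo.dll",
               r"C:\WINDOWS\system32\sfcdujox.exe",
               r"C:\WINDOWS\system32\jwfuvsna.exe",
               r"C:\Documents and Settings\All Users\Application Data\otmvabkl\yjelchwd.exe"],
        delete_keys=[r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C3169036-557E-45E1-840F-C845DC406C55}"],
        delete_values={
            r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
                ["xokusmxu", "VirusIsolator.exe", "bbwagssu"],
            r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run":
                ["fxJGGjEJ5K"],
        })


if __name__ == "__main__":
    print(thread_script())
```

Save the printed text as CFScript.txt and the result matches the codebox in the post line for line, apart from the spacing around "=-". The point of the checks is the asymmetry of the tool: a typo in a file name means one file is not removed, while a stray wildcard or a bare drive letter can take a lot more with it.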

#5 Octagonal (Member 2k, 2,528 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.