[emydobos]

Hi, today my folks entered some travel site and suddenly this big x appeared on the bar telling me my pc is infected with this hjack virus. I read some topics, and made this log. Please help.



Logfile of HijackThis v1.99.1
Scan saved at 8:24:12 PM, on 7/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\WINDOWS\System32\MMTray.exe
D:\WINDOWS\System32\MMTray2k.exe
D:\WINDOWS\System32\MMTrayLSI.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\kituri\Emule\emule.exe
D:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
D:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
D:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
D:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
D:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Emy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgo...info/ad/ad0411/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nulknsd] D:\WINDOWS\nulknsd.exe
O4 - HKLM\..\Run: [BDMCon] D:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] D:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [DataLayer] D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Systems] D:\WINDOWS\System32\itDDD.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eMuleAutoStart] C:\kituri\Emule\emule.exe -AutoStart
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117276108566
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6148E5F8-623D-49C7-B40B-18C97221BB54}: NameServer = 81.180.254.158 81.180.254.157
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Leadtek Driver Helper Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - D:\WINDOWS\svchost.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

[Advertisements]

Howdy emydobos and Welcome to GeekstoGo!!

I need to ask you for a sample of a few files please!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Right Click the Desktop and Select Compressed(zipped)Folder!

Click Start>> Run>> Type in services.msc and click OK!

Scroll that list and locate this entry

PowerManager

Now,Click Stop and go to Startup Type and Click Disabled!

Now locate these files

D:\WINDOWS\svchost.exe<< That must be in that location only!!

D:\WINDOWS\nulknsd.exe<< That must be in that location only!!

D:\WINDOWS\System32\itDDD.exe<< That must be in that location only!!

Place a copy of each of those in the New Zip Folder,now before you close the folder,go up and click File>> Add a Password

Make the Password "infected"<< All Lower Case letters please!

Restart Normal

Email those files here>> [email protected]

Have each of those files scanned at these 2 sites

http://www.virustota...h/index_en.html

and

http://virusscan.jotti.org/

If they scan infected,please upload them to this site with a link to our post!

http://www.thespykiller.co.uk/forum/

Now have the PC Scanned here but dont let it repair anything just yet!
http://security.syma...IMXQKCDTOSKVYRM

Click Virus Detection and Save any results you get!

We need to know for sure what we have here!

Please Dont Use this PC and Turn it off completely if you have another way to access the Internet!

Disconnect it from any Networks and let it be if possible!

Post back with a Confirmation that the files were mailed and or uploaded and the Results of the Scan!

[Wizard]

Howdy emydobos and Welcome to GeekstoGo!!

I need to ask you for a sample of a few files please!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Right Click the Desktop and Select Compressed(zipped)Folder!

Click Start>> Run>> Type in services.msc and click OK!

Scroll that list and locate this entry

PowerManager

Now,Click Stop and go to Startup Type and Click Disabled!

Now locate these files

D:\WINDOWS\svchost.exe<< That must be in that location only!!

D:\WINDOWS\nulknsd.exe<< That must be in that location only!!

D:\WINDOWS\System32\itDDD.exe<< That must be in that location only!!

Place a copy of each of those in the New Zip Folder,now before you close the folder,go up and click File>> Add a Password

Make the Password "infected"<< All Lower Case letters please!

Restart Normal

Email those files here>> [email protected]

Have each of those files scanned at these 2 sites

http://www.virustota...h/index_en.html

and

http://virusscan.jotti.org/

If they scan infected,please upload them to this site with a link to our post!

http://www.thespykiller.co.uk/forum/

Now have the PC Scanned here but dont let it repair anything just yet!
http://security.syma...IMXQKCDTOSKVYRM

Click Virus Detection and Save any results you get!

We need to know for sure what we have here!

Please Dont Use this PC and Turn it off completely if you have another way to access the Internet!

Disconnect it from any Networks and let it be if possible!

Post back with a Confirmation that the files were mailed and or uploaded and the Results of the Scan!