hjt log and SDfix log... plz help

#1 JaY_2 (Light Poster), Apr 9th, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:55:00, on 09.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nett...liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsi...eUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7446 bytes


SDFix:


SDFix: Version 1.168 
Run by Jarle Lystad on 09.04.2008 at 16:25

Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\DOCUME~1\JARLEL~1\SKRIVE~1\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files : 

Trojan Files Found:

C:\WINDOWS\xpupdate.exe  - Deleted





Removing Temp Files

ADS Check :
 


Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 16:42:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\Azureus\\Azureus.exe"="C:\\Programfiler\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programfiler\\Fellesfiler\\First Virtual Communications\\CUCore.exe"="C:\\Programfiler\\Fellesfiler\\First Virtual Communications\\CUCore.exe:*:Enabled:Conferencing Engine Server"
"C:\\Programfiler\\MSN Messenger\\msncall.exe"="C:\\Programfiler\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programfiler\\iTunes\\iTunes.exe"="C:\\Programfiler\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programfiler\\Skype\\Phone\\Skype.exe"="C:\\Programfiler\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\MSN Messenger\\msncall.exe"="C:\\Programfiler\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\JARLEL~1\SKRIVE~1\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 10 Aug 2006         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!



I appreciate all help.
JaY
Last edited by crunchie; Apr 13th, 2008 at 8:17 am.

#2 JaY_2 (Light Poster), Apr 11th, 2008

Hi,

Forgot to add to my thread... I have some problems with popups when starting IE; it sends me to a lot of sites. The reason: I downloaded MapSource for Garmin GPS.
I think I have got some nasties that control my computer...

I appreciate all help I can get. I tried some programs to clean, but the problem is still there, so therefore I posted an HJT log.

JaY

#3 gerbil (Nearly a Senior Poster), Apr 11th, 2008

Hello, Jay, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

Good, now delete these 2 files:
C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE
C:\WINDOWS\system32\dxvwnean.dll
[I should add that the UIUCU pgm is not a bad one, it's just that it has done its job....and can be removed].
Clean:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox, open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

Scan:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng...i-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
Last edited by gerbil; Apr 11th, 2008 at 10:21 pm.
Deep, deep in the woods, but walking about.

#4 JaY_2 (Light Poster), Apr 12th, 2008

Hi, when I reboot my computer I get a message: can't find C:\WINDOWS\system32\dxvwnean.dll

and here is the log from AVG:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:38:11 12.04.2008

+ Scan result:



C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP384\A0036142.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP384\A0036165.exe -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036657.exe -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036719.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036720.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036721.dll -> Adware.BraveSentry : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Programdata\Adverts\uninst.exe -> Adware.Lop : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036656.exe -> Not-A-Virus.Adware.Agent : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.16:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.19:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.796:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.20:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.74:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.75:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
:mozilla.353:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.21:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Statistik-gallup : Cleaned.
:mozilla.23:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@statistik-gallup[2].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.6:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP384\A0036143.exe -> Trojan.Agent : Cleaned.


::Report end

#5 gerbil (Nearly a Senior Poster), Apr 12th, 2008

AVG should have solved your popup problem, you had a LOP infection.
Now, that missing file warning... that is the file we deleted. Did you also fix this hijackthis entry as I mentioned? It is the one that is calling that file:

O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

Run hijackthis again and check for its presence, FIX it if it exists.
If it is not there and you are still getting the warning then please post the scan log.
Deep, deep in the woods, but walking about.

#6 JaY_2 (Light Poster), Apr 13th, 2008

Hmmm, it's strange, I am really sure that I deleted
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

the first time, but now it's deleted again. Looks like the computer works fine again.
I don't get the message about the missing file.

Thank you for all help.

JaY

#7 JaY_2 (Light Poster), Apr 13th, 2008

Hi

This is really strange. I thought that I should post a last log from HJT. After scanning and saving the file, I opened my browser (Firefox) and when I just hit enter to log on to DaniWeb, a popup window arrived, a poker site or something...

Can you see anything in this HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:45, on 13.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nett...liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsi...eUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7676 bytes


JaY

#8 crunchie (Moderator, Spyware Killer), Apr 13th, 2008

Uninstall Messenger Plus as it comes bundled with LOP, the infection you were enjoying. You can reinstall Messenger Plus without the sponsor.
Gerbil will fix up the other for you.
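As an added illustration (not code from the thread, from HijackThis or from any of the posters), a small Python checker for the pattern behind the two O4 entries gerbil told JaY to fix, BM0f7886b3/dxvwnean.dll and 0c4bb52f/oyhhojsk.dll: a rundll32 loader under a random-looking run key pointing at a randomly named DLL in system32. It also reports a run key whose target DLL is already gone, which is what produced the "can't find dxvwnean.dll" message in post #4 after the file was deleted but the key was left behind. The sample O4 lines are taken from the logs in this thread; the directory listing is constructed.

```python
import re
from dataclasses import dataclass, field

# A HijackThis O4 registry-run line: "O4 - <hive>\..\Run: [<key name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<kind>Run(?:Once)?): \[(?P<key>[^\]]+)\] (?P<cmd>.+)$')
# A rundll32 loader command: rundll32.exe "<path>.dll",<export name>
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,(?P<entry>[^\s,]*)', re.I)
# Naming patterns seen in this thread: BM0f7886b3 / dxvwnean.dll and 0c4bb52f / oyhhojsk.dll
RANDOM_KEY_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')


@dataclass
class O4Entry:
    hive: str
    kind: str
    key: str
    cmd: str
    dll: str = ''                 # DLL path when the command is a rundll32 loader
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent oddities are required, so a lone odd name is not enough.
        return len(self.reasons) >= 2


def parse_o4(line: str):
    """Return an O4Entry for a registry-run O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = O4Entry(m['hive'], m['kind'], m['key'], m['cmd'])
    rd = RUNDLL_RE.match(entry.cmd)
    if rd:
        entry.dll = rd['dll']
        dll_name = rd['dll'].rsplit('\\', 1)[-1]
        if RANDOM_KEY_RE.match(entry.key):
            entry.reasons.append('run key is a random hex string')
        if RANDOM_DLL_RE.match(dll_name):
            entry.reasons.append('dll name is eight random lowercase letters')
        if len(rd['entry']) == 1:
            entry.reasons.append('single-letter export name')
    return entry


def scan_log(text: str):
    """All O4 entries in an HJT log that match the random rundll32 loader pattern."""
    entries = (parse_o4(line) for line in text.splitlines())
    return [e for e in entries if e is not None and e.suspicious]


def dangling(text: str, present_files):
    """Run keys whose rundll32 target DLL is no longer on disk.

    present_files stands in for a directory listing. A missing target is what
    produces the 'can't find <dll>' message at logon when the file has been
    deleted but the run key that loads it was not fixed."""
    present = {p.lower() for p in present_files}
    return [e.key for e in map(parse_o4, text.splitlines())
            if e is not None and e.dll and e.dll.lower() not in present]


# Constructed sample: O4 lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
"""

# Constructed directory listing: dxvwnean.dll has already been deleted.
PRESENT = {r'C:\WINDOWS\system32\NvCpl.dll', r'C:\WINDOWS\system32\oyhhojsk.dll'}

if __name__ == '__main__':
    for e in scan_log(SAMPLE_LOG):
        print(f'FIX  {e.kind}: [{e.key}] -> {e.dll}  ({"; ".join(e.reasons)})')
    for key in dangling(SAMPLE_LOG, PRESENT):
        print(f'DANGLING run key [{key}]: target DLL missing, remove the key as well')
```

Running it flags exactly the two entries gerbil pointed out and reports BM0f7886b3 as dangling once dxvwnean.dll is gone; legitimate rundll32 users such as NvCplDaemon score zero.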

#9 JaY_2 (Light Poster), Apr 13th, 2008

Thanks, Crunchie

I scanned a new log, is the computer clean, gerbil?


JaY

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56:39, on 13.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BaseAbout] C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [ActiveOwnsCampEach] C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe" (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nett...liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsi...eUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8446 bytes

Re: hjt log and SDfix log... plz help
gerbil, #10, Apr 13th, 2008
No... you seem to have a trojan downloader, and it is working.
Livly, what is the name of this folder... C:\DOCUME~1\LIVLYS~1.DEL
It is C:\Documents and Settings\Livlys...what? My Swedish ain't so good. Anyway, the stuff in it is rubbish, so let's get rid of it.
Every time you restart your system the trojan renames itself. It was dxvwnean.dll starting under this key:
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
It is now C:\WINDOWS\system32\oyhhojsk.dll starting under this key:
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
So use hijackthis to fix these entries...
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BaseAbout] C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [ActiveOwnsCampEach] C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')

Delete these files:
C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe
C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll
C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll
C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe
C:\WINDOWS\system32\oyhhojsk.dll

...and, I suspect, delete this folder also:
C:\DOCUME~1\LIVLYS~1.DEL\

I think that some of that stuff is a LOP infection still present, but I can't be sure, so download NoLop from the link on this page; follow the instructions given. Post the report C:\NoLop.log.
http://www.thespykiller.co.uk/index....pmod;dl=item16
Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
Double-click that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].

Now to find what is regenerating the trojan. Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Last edited by gerbil; Apr 13th, 2008 at 11:46 pm.
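The pattern gerbil points at above (rundll32 loading an eight-letter random DLL from system32 or Temp under a hex-token Run value that changes on every reboot, plus executables started from the user profile rather than Program Files) can be triaged mechanically from the O4 lines of a HijackThis log. The script below is an added example and is not part of gerbil's post or the thread; the rules in it are heuristics chosen for this illustration, not a published signature, and the sample lines are copied from the log and reply above.

```python
"""Triage HijackThis O4 autostart lines for the rename-on-reboot rundll32
loader pattern.  Added example, not from the original thread; the detection
rules are heuristics written for this illustration, not a vendor signature."""
import re

# Constructed sample input: O4 lines copied from the HijackThis log and reply above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BaseAbout] C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [ActiveOwnsCampEach] C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
""".strip().splitlines()

# "O4 - <hive>\..\Run[Once]: [<value name>] <command> (User '<name>')"
O4_RUN = re.compile(r"^O4 - (?P<hive>[^\s\[]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
                    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+', re.I)
# The module rundll32 loads (quoted or bare) followed by ",entrypoint".
DLL_ARG = re.compile(r'(?:"(?P<q>[^"]+\.(?:dll|cpl))"|(?P<u>[^\s",]+\.(?:dll|cpl)))\s*,*(?P<entry>\w*)', re.I)
HEX_NAME = re.compile(r"^(BM)?[0-9a-f]{8}$", re.I)      # [BM0f7886b3], [0c4bb52f]
RANDOM_STEM = re.compile(r"^[a-z]{8}$")                  # dxvwnean, oyhhojsk, nudxexdt, uekxvetc
TEMP_DIR = re.compile(r"\\temp\\", re.I)
PROFILE_DIR = re.compile(r'^"?C:\\(?:Documents and Settings|DOCUME~1)\\', re.I)


def parse_o4(line):
    """Split one O4 line into hive/key/name/cmd/user; None if it is not an O4 line."""
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "registry"
        return entry
    m = O4_STARTUP.match(line)
    if m:
        return {"hive": "StartupFolder", "key": "Global Startup", "name": m["name"],
                "cmd": m["cmd"], "user": None, "kind": "startup"}
    return None


def scope(entry):
    """Who the autostart fires for: HKLM and the common Startup folder hit every logon."""
    if entry["kind"] == "startup" or entry["hive"].upper() == "HKLM":
        return "all users"
    return entry["user"] or "current user"


def assess(entry):
    """Return the reasons this entry matches the loader pattern; [] means nothing tripped."""
    name, cmd = entry["name"], entry["cmd"]
    reasons = []
    if HEX_NAME.match(name):
        reasons.append("value name is a bare hex token (regenerated on each rename)")
    if TEMP_DIR.search(cmd):
        reasons.append("autostart target lives under a Temp directory")
    if RUNDLL.match(cmd):
        m = DLL_ARG.search(RUNDLL.sub("", cmd, count=1))
        if m:
            module = m["q"] or m["u"]
            stem = module.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            # Genuine exports are CamelCase (NvStartup); the loader uses ",s", ",b", ",run".
            if RANDOM_STEM.match(stem) and m["entry"].islower():
                reasons.append(f"rundll32 loads random-named {module} via entry point ',{m['entry']}'")
    if PROFILE_DIR.match(cmd):
        reasons.append("program runs from a user-profile directory, not Program Files")
    return reasons


def triage(lines):
    """Return [(value name, scope, reasons)] for every O4 entry that trips a rule."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            hits.append((entry["name"], scope(entry), reasons))
    return hits


if __name__ == "__main__":
    for name, who, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] ({who})")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample it flags the two HKLM loader entries, the four Liv Lystad entries gerbil lists, and also the MessengerPlusUninstall RunOnce, because that benign uninstaller batch file is launched from Temp too; the output is a triage list to read with the HJT log in hand, not a verdict. The scope column matters for the same reason gerbil distinguishes the keys: the HKUS\S-1-5-21-...-1004 entries only fire when Liv Lystad logs on, while the HKLM copies fire for everyone.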

©2003 - 2009 DaniWeb® LLC