
Ok guys and gals, I've been working on my system for 2 days now and have determined the following:
A. I know I've got at least 2 trojans on it
B. XoftSpySE is great at finding the problems but won't let you remove them unless you register it
C. dial-up sucks
D. when playing an online game I get super high pings in-game due to something dirty running

So I read around on here and, through what I have read, I went and downloaded HijackThis.
I ran it. If anyone can please help me get my system totally safe again, I would appreciate it.
I can be contacted at unbound007@aol.com; you can shoot me an instant message, or post on here. I know a lot of it's in the registry. My OS is Windows XP SP1.
I even tried going into safe mode to manually delete some of the bad files, but the system won't let me into safe mode at the moment. I hold down F8 during startup and it just beeps but never goes into the menu to pick safe mode. I'm super frustrated at this point. I was running AVG Free but, as we all know, it sucks and didn't help at all. I'm afraid to log in to the online game I play.

As well, I'm afraid to use regedit to try and delete the entries that XoftSpySE showed me.
Below is my HijackThis log.
Thank you in advance. Also, when I start up the system I get bombarded with rundll errors about everything that tries to load at startup having a bad image or something like that; it stops if I kill the rundll, then it reloads rundll and the problem stops. Please oh please help.
Log from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:00 AM, on 11/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1191362209\ee\AOLSoftware.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\program files\common files\aol\1191362209\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1191362209\ee\aolsoftware.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\BitComet\tools\UPNP.exe
C:\Program Files\XoftSpySEoldversion\xoftspy.exe
C:\Documents and Settings\Bardwell\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {034BCF48-D4E7-4335-8F56-CE9AB44F6961} - C:\WINDOWS\System32\nnnljge.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3644117A-821A-4cc4-ADD5-226A6694F722} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {64F089AB-FFF9-422A-A53F-DFB9EB7A248B} - C:\WINDOWS\System32\cscdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\System32\wvusstq.dll (file missing)
O2 - BHO: (no name) - {A04B2EC1-8CC7-4443-8D07-AE0398D7571F} - C:\WINDOWS\System32\awtqn.dll (file missing)
O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O2 - BHO: (no name) - {D9BEBBC8-6E6E-43E9-90DB-E7BC5B7AD956} - C:\WINDOWS\System32\ssqrr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [w06cfa50.dll] RUNDLL32.EXE w06cfa50.dll,I2 000328c9006cfa50
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [trioService] "C:\Program Files\3D-Relax\3D Fireplace 2 Trial\trioService.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [j1241636] rundll32 C:\WINDOWS\System32\j1241636.dll sook
O4 - HKLM\..\Run: [YMYS Agent] C:\WINDOWS\System32\Sys32\YMYS.exe
O4 - HKLM\..\Run: [cfmpgzwd.exe] C:\Documents and Settings\All Users\Application Data\cfmpgzwd.exe
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191362209\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aror] "C:\DOCUME~1\Bardwell\APPLIC~1\SSTEM3~1\services.exe" -vt yazb
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with SupersonicDownloadAccelerator! - C:\Program Files\Supersonic Download Accelerator\supersonicdownloadaccelerator.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145077550405
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145077653670
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{715AC9EA-1826-4B18-9D13-981A1001E088}: NameServer = 205.188.146.145
O20 - Winlogon Notify: awtqn - C:\WINDOWS\
O20 - Winlogon Notify: nnnljge - nnnljge.dll (file missing)
O20 - Winlogon Notify: winkxt32 - C:\WINDOWS\
O20 - Winlogon Notify: wvusstq - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - (no file)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 10333 bytes

Please, someone instant message me at unbound007@aol.com. Thank you.
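Before a log like the one above goes to a helper, it helps to see the first pass an analyst makes over it. The Python script below is an added example, not part of this thread and not code from HijackThis: it applies a few of the heuristics helpers use on O2/O4/O17/O20 lines (an entry whose target file is missing, rundll32 loading a DLL given without a path, a program auto-started from a user-writable data folder, a system-binary name such as services.exe living outside the Windows directory, a DNS server override, a Winlogon Notify handler that points at a directory instead of a DLL). The sample input is a handful of lines copied from the log above; the rule wording, the `Finding` structure and the path-fragment lists are this example's own assumptions, and every hit is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above (not the full log) so the script runs offline.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {034BCF48-D4E7-4335-8F56-CE9AB44F6961} - C:\WINDOWS\System32\nnnljge.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [w06cfa50.dll] RUNDLL32.EXE w06cfa50.dll,I2 000328c9006cfa50
O4 - HKLM\..\Run: [cfmpgzwd.exe] C:\Documents and Settings\All Users\Application Data\cfmpgzwd.exe
O4 - HKCU\..\Run: [Aror] "C:\DOCUME~1\Bardwell\APPLIC~1\SSTEM3~1\services.exe" -vt yazb
O17 - HKLM\System\CCS\Services\Tcpip\..\{715AC9EA-1826-4B18-9D13-981A1001E088}: NameServer = 205.188.146.145
O20 - Winlogon Notify: awtqn - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Names of Windows core binaries that malware likes to borrow (assumed list).
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                       "smss.exe", "csrss.exe", "explorer.exe"}
# Path fragments that mean "user-writable data folder", incl. 8.3 short names (assumed list).
USER_WRITABLE_HINTS = ("documents and settings", "docume~1", "application data",
                       "applic~1", "\\temp\\", "\\local settings\\")


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O4"
    reason: str    # why an analyst should look at it: a prompt, not a verdict
    line: str


def _split_command(command):
    """Split a Run value into (program, arguments). Handles a quoted path,
    a bare program name (rundll32, nwiz.exe) and an unquoted path with spaces."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end], command[end + 1:].strip()) if end > 0 else (command[1:], "")
    first, _, remainder = command.partition(" ")
    if "\\" not in first:                       # bare name, e.g. 'rundll32' or 'BCMSMMSG.exe'
        return first, remainder.strip()
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|cpl))(?:\s+(.*))?$", command, re.I)
    if m:                                       # unquoted path with spaces: cut at the extension
        return m.group(1), (m.group(2) or "").strip()
    return first, remainder.strip()


def triage_hjt(log_text):
    """Return the list of Finding objects for a HijackThis log body."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        low = line.lower()

        # Registry entries whose target is gone: left behind by a partial clean-up,
        # or by malware whose loader was removed while the hook stayed.
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding(section, "orphaned entry, target file absent", line))
            continue

        if section == "O4":
            m = re.search(r"\] (.*)$", line)
            cmd = m.group(1).strip() if m else ""
            target, rest = _split_command(cmd)
            tlow = target.lower()
            if tlow.endswith("rundll32.exe") or tlow.endswith("rundll32"):
                # 'rundll32 foo.dll,Entry': a DLL given without a path is resolved via the
                # search path, which is how a dropped DLL hides among legitimate entries.
                dll = rest.split(",", 1)[0].split(" ", 1)[0]
                if dll and "\\" not in dll:
                    findings.append(Finding(section, f"rundll32 loads unqualified DLL {dll!r} via search path", line))
            elif any(h in tlow for h in USER_WRITABLE_HINTS):
                findings.append(Finding(section, "autorun from user-writable data directory", line))
            name = tlow.rsplit("\\", 1)[-1]
            if name in SYSTEM_BINARY_NAMES and "\\system32\\" not in tlow and "\\windows\\" not in tlow:
                findings.append(Finding(section, f"{name} running outside the Windows directory", line))
        elif section == "O17":
            m = re.search(r"NameServer = (.*)$", line)
            if m:
                findings.append(Finding(section, f"DNS server override {m.group(1)}; confirm it belongs to the ISP", line))
        elif section == "O20" and line.endswith("\\"):
            findings.append(Finding(section, "Winlogon Notify handler pointing at a directory, not a DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage_hjt(open("hijackthis.log").read())`. The NvCpl and Acrobat lines in the sample pass untouched while the w06cfa50, cfmpgzwd, Aror, NameServer and awtqn lines are raised, which matches what the helper went after in the replies that follow; a real triage still checks each raised path by hand.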

Last post by crunchie

Please download this file - combofix.exe by sUBs

  • Save it to your Desktop
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll


  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:


  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

OK, first off, thank you for taking the time to help. Without further delay, here's the logs.

ComboFix log



ComboFix 07-11-08.3 - Bardwell 2007-11-15  9:12:30.1 - NTFSx86
Running from: C:\Documents and Settings\Bardwell\desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point
.


Unable to gain System Privileges


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Documents and Settings\Bardwell\Application Data\PPATCH~1
C:\Documents and Settings\Bardwell\Application Data\PPATCH~1\??pPatch\
C:\Documents and Settings\Bardwell\Application Data\SSTEM3~1
C:\Documents and Settings\Bardwell\Application Data\SSTEM3~1\s?stem32\
C:\Documents and Settings\Bardwell\My Documents\SCURIT~1
C:\WINDOWS\keyboard101.dat
C:\WINDOWS\qmdispatch.dll
C:\WINDOWS\system32\cimm.dll
C:\WINDOWS\system32\LiveProtectSetup.exe
C:\WINDOWS\system32\cscdl.dll . . . . failed to delete


.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


.
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_JKFSBUPX
-------\LEGACY_NPF
-------\COM+ Messages
-------\jkfsbupx



(((((((((((((((((((((((((   Files Created from 2007-10-15 to 2007-11-15  )))))))))))))))))))))))))))))))
.


2007-11-15 09:11    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-11-15 00:19    <DIR>    d--------   C:\WINDOWS\system32\ActiveScan
2007-11-14 14:04    <DIR>    d--------   C:\Program Files\PCPitstop
2007-11-14 11:53    <DIR>    d--------   C:\Program Files\Trojan Remover
2007-11-14 11:53    <DIR>    d--------   C:\Documents and Settings\Bardwell\Application Data\Simply Super Software
2007-11-14 11:53    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-14 11:53    162,304 --a------   C:\WINDOWS\system32\ztvunrar36.dll
2007-11-14 11:53    153,088 --a------   C:\WINDOWS\system32\UNRAR3.dll
2007-11-14 11:53    77,312  --a------   C:\WINDOWS\system32\ztvunace26.dll
2007-11-14 11:53    75,264  --a------   C:\WINDOWS\system32\unacev2.dll
2007-11-14 11:53    69,632  --a------   C:\WINDOWS\system32\ztvcabinet.dll
2007-11-14 08:49    <DIR>    d--------   C:\Program Files\PC Registry Cleaner
2007-11-14 08:49    <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 07:28    <DIR>    d--------   C:\Program Files\Microsoft Windows OneCare Live
2007-11-14 06:33    <DIR>    d--------   C:\Program Files\xoftspyse2
2007-11-14 03:13    93,184  --a------   C:\WINDOWS\system32\cscdl.dll
2007-11-14 03:13    18,688      C:\WINDOWS\system32\drivers\gfqdyguf.dat
2007-11-13 23:54    <DIR>    d--------   C:\Program Files\XoftSpySE
2007-11-13 22:04    <DIR>    d--------   C:\WINDOWS\system32\Kaspersky Lab
2007-11-13 21:56    <DIR>    d--------   C:\KAV
2007-11-13 09:21    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-10 07:33    <DIR>    d--------   C:\Program Files\Connection Keeper
2007-11-10 07:28    <DIR>    d--------   C:\Program Files\Common Files\System-G
2007-11-07 00:03    <DIR>    d--------   C:\Documents and Settings\Bardwell\Application Data\teamspeak2
2007-11-07 00:02    <DIR>    d--------   C:\Program Files\Teamspeak2_RC2
2007-11-01 04:33    <DIR>    d--------   C:\Program Files\Launch-n-Go
2007-10-30 06:19    <DIR>    d--------   C:\Program Files\Viewpoint


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 10:28    ---------   d-----w C:\Program Files\PC Tools Firewall Plus
2007-11-15 10:20    ---------   d-----w C:\Program Files\Common Files\Scanner
2007-11-15 10:20    ---------   d-----w C:\Program Files\Common Files\AOL
2007-11-15 10:19    ---------   d-----w C:\Program Files\America Online 9.0
2007-11-15 05:15    ---------   d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-14 03:04    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 09:28    102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-13 08:51    ---------   d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-08 09:35    ---------   d-----w C:\Program Files\Automation Anywhere 3.0
2007-11-03 03:02    ---------   d-----w C:\Program Files\Conquer 2.0
2007-10-30 10:31    ---------   d-----w C:\Program Files\Registry Clean Expert
2007-10-30 10:10    ---------   d-----w C:\Documents and Settings\Bardwell\Application Data\Technology Lighthouse
2007-10-27 11:57    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-04 23:28    ---------   d-----w C:\Program Files\Common Files\Adobe
2007-10-04 23:28    ---------   d-----w C:\Documents and Settings\Bardwell\Application Data\AdobeUM
2007-10-03 20:18    ---------   d-----w C:\Documents and Settings\Bardwell\Application Data\AOL
2007-10-02 21:57    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-14 16:57    10,920  ----a-w C:\aolconnfix.exe
2007-06-08 12:15    92,219  ----a-w C:\Program Files\LimeWire.torrent
2006-04-12 09:07:41 80  --sha-r C:\WINDOWS\system32\A0A77291C2.dll
2007-05-08 11:33:57 1,479,706   --sha-w C:\WINDOWS\system32\rrqss.bak1
2007-05-07 11:33:42 1,470,307   --sha-w C:\WINDOWS\system32\rrqss.bak2
2007-05-06 11:32:09 1,471,679   --sha-w C:\WINDOWS\system32\rrqss.ini2
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3644117A-821A-4cc4-ADD5-226A6694F722}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64F089AB-FFF9-422A-A53F-DFB9EB7A248B}]
2001-08-23 00:00    93184   --a------   C:\WINDOWS\System32\cscdl.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A75E294E-C047-4D29-B07E-37B792881BEF}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"w06cfa50.dll"="w06cfa50.dll" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 14:19]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 C:\WINDOWS\BCMSMMSG.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"trioService"="C:\Program Files\3D-Relax\3D Fireplace 2 Trial\trioService.exe" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"EtherDetect"="" []
"Mouse Suite 98 Daemon"="PELMICED.EXE" [2001-08-21 10:08 C:\WINDOWS\system32\PELMICED.EXE]
"YMYS Agent"="C:\WINDOWS\System32\Sys32\YMYS.exe" []
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-28 07:13]
"WabKey"="" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 11:07]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-09-14 09:12]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1191362209\ee\AOLSoftware.exe" [2006-03-10 17:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-11 13:42]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-07-28 14:19 C:\WINDOWS\system32\nview.dll]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 12:32]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Aror"="C:\DOCUME~1\Bardwell\APPLIC~1\SSTEM3~1\services.exe" []


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqn]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winkxt32]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusstq]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
path=
backup=


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bardwell^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


R0 jkfsbupx;jkfsbupx;C:\WINDOWS\System32\drivers\gfqdyguf.dat
R1 pelmouse;Mouse Suite Driver;C:\WINDOWS\System32\DRIVERS\pelmouse.sys
R3 pelps2m;PS/2 Mouse Filter Driver;C:\WINDOWS\System32\DRIVERS\pelps2m.sys
S3 RapDrv;RapDrv;\??\C:\WINDOWS\System32\drivers\RapDrv.sys
S3 RapFile;RapFile;\??\C:\WINDOWS\System32\drivers\RapFile.sys
S3 RapNet;RapNet;\??\C:\WINDOWS\System32\drivers\RapNet.sys
S3 SUSTUCAM;Susteen USB Cable Modem Driver;C:\WINDOWS\System32\DRIVERS\sustucam.sys
S3 SUSTUCAP;Susteen USB Cable Port Driver;C:\WINDOWS\System32\DRIVERS\sustucap.sys
S4 black;black;C:\WINDOWS\System32\drivers\BlackDrv.sys


*Newly Created Service* - JKFSBUPX
.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 17:09:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-15 12:57:01 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-14 22:00:08 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-11-14 04:54:39 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************


catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 09:17:54
Windows 5.1.2600  NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ATWPKT2]
"ImagePath"="\??\C:\PROGRA~1\COMMON~1\AOL\ACS\ATWPKT2.SYS"
.
Completion time: 2007-11-15  9:19:42 - machine was rebooted
.
--- E O F ---


NEW HIJACKTHIS LOGFILE



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:36 AM, on 11/15/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\PELMICED.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1191362209\ee\AOLSoftware.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\program files\common files\aol\1191362209\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1191362209\ee\aolsoftware.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Bardwell\Desktop\HiJackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3644117A-821A-4cc4-ADD5-226A6694F722} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {64F089AB-FFF9-422A-A53F-DFB9EB7A248B} - C:\WINDOWS\System32\cscdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [w06cfa50.dll] RUNDLL32.EXE w06cfa50.dll,I2 000328c9006cfa50
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [trioService] "C:\Program Files\3D-Relax\3D Fireplace 2 Trial\trioService.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [YMYS Agent] C:\WINDOWS\System32\Sys32\YMYS.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191362209\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aror] "C:\DOCUME~1\Bardwell\APPLIC~1\SSTEM3~1\services.exe" -vt yazb
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with SupersonicDownloadAccelerator! - C:\Program Files\Supersonic Download Accelerator\supersonicdownloadaccelerator.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145077550405
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145077653670
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: awtqn - C:\WINDOWS\
O20 - Winlogon Notify: winkxt32 - C:\WINDOWS\
O20 - Winlogon Notify: wvusstq - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O24 - Desktop Component 0: (no name) - (no file)


--
End of file - 9172 bytes

Thanks.


Please go to Jotti's or to VirusTotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\A0A77291C2.dll
2007-05-08 11:33:57 1,479,706 --sha-w C:\WINDOWS\system32\rrqss.bak1
2007-05-07 11:33:42 1,470,307 --sha-w C:\WINDOWS\system32\rrqss.bak2
2007-05-06 11:32:09 1,471,679 --sha-w C:\WINDOWS\system32\rrqss.ini2

==

Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case VundoFix will run on reboot; simply follow the above
instructions starting from "Click the Scan for Vundo button" when
VundoFix appears at reboot.

==

Please download OTMoveIt from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\cscdl.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
The list will be processed and the results for each line will be displayed in the right-hand pane.
Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
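The reply above asks for four files to be scanned at Jotti's or VirusTotal. Both services also accept a lookup by hash, so a practitioner usually hashes the files first and uploads only what has never been seen. The Python script below is an added example, not part of this thread and not code from either service: it computes MD5, SHA-1 and SHA-256 of a list of suspect files in fixed-size chunks (the rrqss.* files are about 1.4 MB each, and this works for far larger ones), reports the Windows hidden and system attribute bits where Python exposes them (the `s` and `h` columns in the ComboFix listing), and records an error instead of aborting when a file is locked or missing, as cscdl.dll was when ComboFix "failed to delete" it. The `demo()` function writes constructed stand-in files into a temporary directory; the `SUSPECT_FILES` list, the CSV columns and the sample contents are this example's own assumptions.

```python
import hashlib
import os
import shutil
import stat
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large files never sit in memory whole

# Files the reply above asks to have scanned; point a real run at the live paths.
SUSPECT_FILES = [
    r"C:\WINDOWS\system32\A0A77291C2.dll",
    r"C:\WINDOWS\system32\rrqss.bak1",
    r"C:\WINDOWS\system32\rrqss.bak2",
    r"C:\WINDOWS\system32\rrqss.ini2",
]


def hash_file(path):
    """Return a dict with size, MD5, SHA-1, SHA-256 and (on Windows) the hidden/system
    attribute bits of one file, or a dict with an 'error' key if it cannot be read."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    row = {"path": path}
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                for d in digests.values():
                    d.update(block)
    except OSError as exc:  # locked by a running process, access denied, or already gone
        row["error"] = exc.strerror or str(exc)
        return row
    row["size"] = st.st_size
    row.update({name: d.hexdigest() for name, d in digests.items()})
    # st_file_attributes exists only on Windows; elsewhere both flags read as False.
    attrs = getattr(st, "st_file_attributes", 0)
    row["hidden"] = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    row["system"] = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0))
    return row


def build_manifest(paths):
    """Hash every path in order; unreadable files produce an error row, not a crash."""
    return [hash_file(p) for p in paths]


def manifest_csv(rows):
    """Render the manifest as CSV text to paste into a reply or feed to a hash lookup."""
    cols = ["path", "size", "md5", "sha1", "sha256", "hidden", "system", "error"]
    lines = [",".join(cols)]
    for r in rows:
        lines.append(",".join(str(r.get(c, "")) for c in cols))
    return "\n".join(lines)


def demo():
    """Offline demonstration with constructed stand-ins for the suspect files
    (contents are made up), plus one absent path to exercise the error handling."""
    tmp = tempfile.mkdtemp()
    samples = {"A0A77291C2.dll": b"abc", "rrqss.bak1": b"", "rrqss.bak2": b"abc" * 1000}
    paths = []
    for name, content in samples.items():
        p = os.path.join(tmp, name)
        with open(p, "wb") as fh:
            fh.write(content)
        paths.append(p)
    paths.append(os.path.join(tmp, "cscdl.dll"))  # deliberately never created
    rows = build_manifest(paths)
    shutil.rmtree(tmp, ignore_errors=True)
    return rows


if __name__ == "__main__":
    print(manifest_csv(demo()))
```

On the infected machine itself, run it with `build_manifest(SUSPECT_FILES)` before any removal tool touches the files, so the hashes in the thread still identify what was actually on disk; a `hidden`/`system` pair of True is what the `--sha-w` column in the ComboFix listing above corresponds to.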
