
Help with Broadcaster.com Virus Thing please

Discussion in 'Malware and Virus Removal Archive' started by JazzyJimmyJ, 2007/03/25.

  1. 2007/03/25
    JazzyJimmyJ (Thread Starter)
    Hey guys, I was hoping for some help on this problem.

    This broadcaster.com page keeps popping up and it's pretty annoying.

    I ran a HijackThis scan and this is the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:53:38 PM, on 3/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\freecell.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - HKLM\..\Run: [nietjdi.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll ",emjwfab
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ukqfpesh.dll ",setvm
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9f} - (no file) (HKCU)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



    Would love if anyone could help.
     
  2. 2007/03/25
    Geri
    Hi JazzyJimmyJ

    Please rename Hijackthis.exe to Killer.exe.

    Then please run a new scan and post the log.

    Thanks
    Geri
     


  4. 2007/03/25
    JazzyJimmyJ (Thread Starter)
    Here you go.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:06:05 PM, on 3/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    C:\Program Files\Bentley\Program\MicroStation\ustation.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\killer.exe

    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {76173C9F-44B7-207B-D24D-0320C1A9DC6B} - C:\WINDOWS\system32\fahhrnk.dll
    O2 - BHO: (no name) - {82717A3F-2228-4ADD-91CD-AD21C110597d} - C:\WINDOWS\system32\likefcqp.dll
    O2 - BHO: (no name) - {9898C1BC-D911-4DDC-9339-4FA1F246ACCE} - C:\WINDOWS\system32\awvtu.dll
    O2 - BHO: (no name) - {ADE4BC9B-2777-42EC-ABEA-685CE310BE68} - C:\WINDOWS\system32\qomkhgh.dll
    O2 - BHO: (no name) - {D235C91B-76A9-0B0C-894E-5690ECD86EBF} - C:\WINDOWS\system32\bswq.dll (file missing)
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\nitqdcvk.dll
    O2 - BHO: (no name) - {D83FCA1E-75F1-5F0E-DB4E-5690ECD93AED} - C:\WINDOWS\system32\deg.dll (file missing)
    O2 - BHO: (no name) - {D93A991F-71F1-5E0C-DD4E-5690ECD86FB0} - C:\WINDOWS\system32\jyx.dll (file missing)
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\hkpyuiii.dll
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - HKLM\..\Run: [nietjdi.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll ",emjwfab
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ukqfpesh.dll ",setvm
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9f} - (no file) (HKCU)
    O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
    O20 - Winlogon Notify: qomkhgh - C:\WINDOWS\SYSTEM32\qomkhgh.dll
    O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
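    This second log, taken after the rename, lists O2 BHO and O20 Winlogon Notify entries that were absent from the first one. The following is an added example, not code from the thread and not HijackThis itself: it encodes the checks a helper applies when reading such a log as plain heuristics (unnamed or orphaned BHOs, rundll32 Run keys loading DLLs from user-writable paths or outside an allowlist, Winlogon Notify packages, and services whose binary name is a near-miss of a real Windows process such as svchosts.exe). The sample lines are constructed from this thread's logs; the rundll32 allowlist and the set of imitated system binaries are assumptions for this machine.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread, not part of the original posts and not
HijackThis code. It encodes, as plain heuristics, the reading a helper
applies to the logs above: unnamed or orphaned BHOs (O2), Run keys that
load a DLL through rundll32 (O4), Winlogon Notify packages (O20), and
services whose binary name is a near-miss of a real Windows process (O23).
SAMPLE_LOG is constructed from lines in this thread; the rundll32 allowlist
is an assumption for this machine, not a general rule.
"""
import re
from typing import Dict, List

# Windows process names that malware imitates (the log shows svchosts.exe).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}

# rundll32 targets accepted without review on this host (assumption).
RUNDLL32_ALLOWLIST = {"nvcpl.dll"}

# Path fragments a non-admin user can write to; system DLLs do not live here.
USER_WRITABLE = ("documents and settings", "\\temp\\", "application data")

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.dll|\b[\w.-]+\.dll)\b', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of_system_binary(name: str) -> str:
    """Return the system binary `name` imitates (distance 1, not equal), else ''."""
    name = name.lower()
    for good in sorted(SYSTEM_BINARIES):
        if name != good and edit_distance(name, good) == 1:
            return good
    return ""


def triage_line(line: str) -> List[str]:
    """Reasons to review one HijackThis line; an empty list means nothing flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned reference: target file is gone")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO")
    if section == "O4" and "rundll32" in body.lower():
        # Drop the "HKLM\..\Run: [value name]" prefix so the regex sees the command only.
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", body.split(": ", 1)[-1])
        dll = DLL_RE.search(cmd)
        path = dll.group(1).lower() if dll else ""
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("rundll32 loads a DLL from a user-writable path")
        elif path.rsplit("\\", 1)[-1] not in RUNDLL32_ALLOWLIST:
            reasons.append("rundll32 loads a DLL not on the allowlist")
    if section == "O20":
        reasons.append("Winlogon Notify package: review (common Vundo persistence)")
    if section == "O23":
        image = body.rsplit(" - ", 1)[-1].strip()
        exe = re.split(r'["\s]', image.split("\\")[-1])[0].lower()
        good = lookalike_of_system_binary(exe)
        if good:
            reasons.append(f"service binary {exe} imitates {good}")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons, preserving log order."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


# Constructed from lines in this thread's logs: benign and suspicious entries mixed.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {76173C9F-44B7-207B-D24D-0320C1A9DC6B} - C:\WINDOWS\system32\fahhrnk.dll
O2 - BHO: (no name) - {D235C91B-76A9-0B0C-894E-5690ECD86EBF} - C:\WINDOWS\system32\bswq.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nietjdi.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll",emjwfab
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ukqfpesh.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry[:70], "->", "; ".join(why))
```

    The legitimate NvCpl and Messenger entries pass, while the random-named BHOs, both rundll32 loaders, the Winlogon Notify DLL and the svchosts.exe service are returned with the reason each was flagged.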
     
  5. 2007/03/25
    Geri
    Hi

    Please follow the instructions in the order given.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    Now do this.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please post the SDFix log, the Vundo log and a new HJT log.

    Thanks
    Geri
     
  6. 2007/03/26
    JazzyJimmyJ (Thread Starter)
    SDFix


    SDFix: Version 1.74

    Run by JimmyJ - Mon 03/26/2007 - 19:02:08.64

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    COM+ Messages

    ImagePath:
    "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272

    COM+ Messages Deleted


    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\system32\unsvchosts.lzma - Deleted
    C:\WINDOWS\Temp\win*.tmp - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.


    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\Program Files\\iTunes\\iTunes.exe "= "C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes "
    "C:\\Program Files\\Messenger\\msmsgs.exe "= "C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger "
    "C:\\DOCUME~1\\JimmyJ\\LOCALS~1\\Temp\\win11.tmp.exe "= "C:\\DOCUME~1\\JimmyJ\\LOCALS~1\\Temp\\win11.tmp.exe:*:Enabled:win11.tmp "
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe "= "C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard "
    "C:\\Program Files\\LimeWire\\LimeWire.exe "= "C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire "
    "C:\\StubInstaller.exe "= "C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer "
    "C:\\Program Files\\Soulseek\\slsk.exe "= "C:\\Program Files\\Soulseek\\slsk.exe:*:Disabled:SoulSeek "
    "C:\\Program Files\\Bentley\\Program\\MicroStation\\ustation.exe "= "C:\\Program Files\\Bentley\\Program\\MicroStation\\ustation.exe:*:Enabled:MicroStation for Windows x86 "


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes :

    C:\WINDOWS\system32\awvtu.dll
    C:\WINDOWS\system32\qomkhgh.dll
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe

    Finished

    VundoFix


    VundoFix V6.3.17

    Checking Java version...

    Java version is 1.5.0.8
    Old versions of java are exploitable and should be removed.

    Scan started at 7:10:49 PM 3/26/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\awqrvxtp.exe
    C:\WINDOWS\system32\awvtu.dll
    C:\WINDOWS\system32\cqaxrnjy.exe
    C:\WINDOWS\system32\eguapgvj.exe
    C:\WINDOWS\system32\eqixeyym.exe
    C:\WINDOWS\system32\fkfgrnmq.exe
    C:\WINDOWS\system32\fpcxkqjn.exe
    C:\WINDOWS\system32\gyuctgep.exe
    C:\WINDOWS\system32\hbsqljrc.exe
    C:\WINDOWS\system32\hjufnaxl.dll
    C:\WINDOWS\system32\hkpyuiii.dll
    C:\WINDOWS\system32\hrcpnkuv.exe
    C:\WINDOWS\system32\hyxiwhad.exe
    C:\WINDOWS\system32\ldojvlde.dll
    C:\WINDOWS\system32\legebjcg.exe
    C:\WINDOWS\system32\lmavcdjj.exe
    C:\WINDOWS\system32\mbxvrlok.dll
    C:\WINDOWS\system32\mpkrupvw.exe
    C:\WINDOWS\system32\nakaelxy.exe
    C:\WINDOWS\system32\ndbmyakr.dll
    C:\WINDOWS\system32\nitqdcvk.dll
    C:\WINDOWS\system32\npptrpds.exe
    C:\WINDOWS\system32\onlpqyfi.dll
    C:\WINDOWS\system32\ornxonse.exe
    C:\WINDOWS\system32\ouwoekyj.exe
    C:\WINDOWS\system32\oxnpjctw.dll
    C:\WINDOWS\system32\pahjolxt.exe
    C:\WINDOWS\system32\qeymshid.exe
    C:\WINDOWS\system32\qomkhgh.dll
    C:\WINDOWS\system32\qypfrqrh.dll
    C:\WINDOWS\system32\rehdnvdv.exe
    C:\WINDOWS\system32\sodkcyco.exe
    C:\WINDOWS\system32\spvvgnfn.exe
    C:\WINDOWS\system32\swmytnqt.exe
    C:\WINDOWS\system32\tmuyvmyh.exe
    C:\WINDOWS\system32\ubjhnfqm.exe
    C:\WINDOWS\system32\undiihnh.exe
    C:\WINDOWS\system32\utvwa.bak1
    C:\WINDOWS\system32\utvwa.bak2
    C:\WINDOWS\system32\utvwa.ini
    C:\WINDOWS\system32\vaplyrdh.exe
    C:\WINDOWS\system32\vioonrrj.exe
    C:\WINDOWS\system32\wcunhmgu.exe
    C:\WINDOWS\system32\wxapvfse.exe
    C:\WINDOWS\system32\yudpvfrv.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\awqrvxtp.exe
    C:\WINDOWS\system32\awqrvxtp.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\awvtu.dll
    C:\WINDOWS\system32\awvtu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cqaxrnjy.exe
    C:\WINDOWS\system32\cqaxrnjy.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\eguapgvj.exe
    C:\WINDOWS\system32\eguapgvj.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\eqixeyym.exe
    C:\WINDOWS\system32\eqixeyym.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fkfgrnmq.exe
    C:\WINDOWS\system32\fkfgrnmq.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\fpcxkqjn.exe
    C:\WINDOWS\system32\fpcxkqjn.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\gyuctgep.exe
    C:\WINDOWS\system32\gyuctgep.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hbsqljrc.exe
    C:\WINDOWS\system32\hbsqljrc.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hjufnaxl.dll
    C:\WINDOWS\system32\hjufnaxl.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hkpyuiii.dll
    C:\WINDOWS\system32\hkpyuiii.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hrcpnkuv.exe
    C:\WINDOWS\system32\hrcpnkuv.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hyxiwhad.exe
    C:\WINDOWS\system32\hyxiwhad.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ldojvlde.dll
    C:\WINDOWS\system32\ldojvlde.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\legebjcg.exe
    C:\WINDOWS\system32\legebjcg.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lmavcdjj.exe
    C:\WINDOWS\system32\lmavcdjj.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mbxvrlok.dll
    C:\WINDOWS\system32\mbxvrlok.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\mpkrupvw.exe
    C:\WINDOWS\system32\mpkrupvw.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nakaelxy.exe
    C:\WINDOWS\system32\nakaelxy.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ndbmyakr.dll
    C:\WINDOWS\system32\ndbmyakr.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nitqdcvk.dll
    C:\WINDOWS\system32\nitqdcvk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\npptrpds.exe
    C:\WINDOWS\system32\npptrpds.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\onlpqyfi.dll
    C:\WINDOWS\system32\onlpqyfi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ornxonse.exe
    C:\WINDOWS\system32\ornxonse.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ouwoekyj.exe
    C:\WINDOWS\system32\ouwoekyj.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\oxnpjctw.dll
    C:\WINDOWS\system32\oxnpjctw.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pahjolxt.exe
    C:\WINDOWS\system32\pahjolxt.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qeymshid.exe
    C:\WINDOWS\system32\qeymshid.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qomkhgh.dll
    C:\WINDOWS\system32\qomkhgh.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qypfrqrh.dll
    C:\WINDOWS\system32\qypfrqrh.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rehdnvdv.exe
    C:\WINDOWS\system32\rehdnvdv.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\sodkcyco.exe
    C:\WINDOWS\system32\sodkcyco.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\spvvgnfn.exe
    C:\WINDOWS\system32\spvvgnfn.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\swmytnqt.exe
    C:\WINDOWS\system32\swmytnqt.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tmuyvmyh.exe
    C:\WINDOWS\system32\tmuyvmyh.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ubjhnfqm.exe
    C:\WINDOWS\system32\ubjhnfqm.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\undiihnh.exe
    C:\WINDOWS\system32\undiihnh.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utvwa.bak1
    C:\WINDOWS\system32\utvwa.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utvwa.bak2
    C:\WINDOWS\system32\utvwa.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\utvwa.ini
    C:\WINDOWS\system32\utvwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vaplyrdh.exe
    C:\WINDOWS\system32\vaplyrdh.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vioonrrj.exe
    C:\WINDOWS\system32\vioonrrj.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wcunhmgu.exe
    C:\WINDOWS\system32\wcunhmgu.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wxapvfse.exe
    C:\WINDOWS\system32\wxapvfse.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yudpvfrv.dll
    C:\WINDOWS\system32\yudpvfrv.dll Has been deleted!

    Performing Repairs to the registry.
    Done!


    HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 7:16:42 PM, on 3/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\killer.exe

    O2 - BHO: (no name) - {07E29159-7CA0-4CF6-993B-D206764C72D3} - C:\WINDOWS\system32\awvtu.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {76173C9F-44B7-207B-D24D-0320C1A9DC6B} - C:\WINDOWS\system32\fahhrnk.dll
    O2 - BHO: (no name) - {82717A3F-2228-4ADD-91CD-AD21C110597d} - C:\WINDOWS\system32\likefcqp.dll
    O2 - BHO: (no name) - {D235C91B-76A9-0B0C-894E-5690ECD86EBF} - C:\WINDOWS\system32\bswq.dll (file missing)
    O2 - BHO: (no name) - {D83FCA1E-75F1-5F0E-DB4E-5690ECD93AED} - C:\WINDOWS\system32\deg.dll (file missing)
    O2 - BHO: (no name) - {D93A991F-71F1-5E0C-DD4E-5690ECD86FB0} - C:\WINDOWS\system32\jyx.dll (file missing)
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - HKLM\..\Run: [nietjdi.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll ",emjwfab
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ukqfpesh.dll ",setvm
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9f} - (no file) (HKCU)
    O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  7. 2007/03/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please run the Vundofix again.

    Please Download NoLop to your desktop from one of the links below...
    Link 1
    Link 2
    Link 3
    • First close any other programs you have running as this will require a reboot
    • Double click NoLop.exe to run it

    • Now click the button labelled "Search and Destroy "
      <<your computer will now be scanned for infected files>>
    • When scanning is finished you will be prompted to reboot only if infected, Click OK
    • Now click the "REBOOT" Button.
    • A Message should popup from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

    Please post the Vundo log, the NoLop log and a new HJT log.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2007/03/26
    JazzyJimmyJ

    JazzyJimmyJ Inactive Thread Starter

    Joined:
    2007/03/23
    Messages:
    7
    Likes Received:
    0
    Nolop

    NoLop! Log by Skate_Punk_21

    Fix running from: C:\Documents and Settings\JimmyJ\Desktop
    [3/27/2007]
    [12:32:23 AM]

    ---Infection Files Found/Removed---
    NO INFECTION FILES FOUND - Cleaning Aborted.

    ---Listing AppData sub directories---

    C:\Documents and Settings\All Users\Application Data\Adobe
    C:\Documents and Settings\All Users\Application Data\Apple Computer
    C:\Documents and Settings\All Users\Application Data\Autodesk
    C:\Documents and Settings\All Users\Application Data\Avg7
    C:\Documents and Settings\All Users\Application Data\Installshield
    C:\Documents and Settings\All Users\Application Data\Intel
    C:\Documents and Settings\All Users\Application Data\Mcneel
    C:\Documents and Settings\All Users\Application Data\Microsoft
    C:\Documents and Settings\Default User\Application Data\Microsoft
    C:\Documents and Settings\Jimmyj\Application Data\Adobe
    C:\Documents and Settings\Jimmyj\Application Data\Adobeum -- EMPTY Directory
    C:\Documents and Settings\Jimmyj\Application Data\Alfacleaner
    C:\Documents and Settings\Jimmyj\Application Data\American Dad Screenmate
    C:\Documents and Settings\Jimmyj\Application Data\Apple Computer
    C:\Documents and Settings\Jimmyj\Application Data\Autodesk
    C:\Documents and Settings\Jimmyj\Application Data\Avg7
    C:\Documents and Settings\Jimmyj\Application Data\Cyberlink
    C:\Documents and Settings\Jimmyj\Application Data\Google
    C:\Documents and Settings\Jimmyj\Application Data\Help -- EMPTY Directory
    C:\Documents and Settings\Jimmyj\Application Data\Identities
    C:\Documents and Settings\Jimmyj\Application Data\Intel
    C:\Documents and Settings\Jimmyj\Application Data\Leadertech
    C:\Documents and Settings\Jimmyj\Application Data\Lgr
    C:\Documents and Settings\Jimmyj\Application Data\Macromedia
    C:\Documents and Settings\Jimmyj\Application Data\Microsoft
    C:\Documents and Settings\Jimmyj\Application Data\Mozilla
    C:\Documents and Settings\Jimmyj\Application Data\Sun
    C:\Documents and Settings\Jimmyj\Application Data\Winrar -- EMPTY Directory
    C:\Documents and Settings\Jimmyj\Application Data\?racle
    C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
    C:\Documents and Settings\Localservice\Application Data\Microsoft
    C:\Documents and Settings\Networkservice\Application Data\Intel
    C:\Documents and Settings\Networkservice\Application Data\Microsoft
    C:\Documents and Settings\School\Application Data\Mozilla -- EMPTY Directory


    Vundo didn't create a new log; it said there were no infected files found.

    Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 12:35:40 AM, on 3/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\killer.exe

    O2 - BHO: (no name) - {07E29159-7CA0-4CF6-993B-D206764C72D3} - C:\WINDOWS\system32\awvtu.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {76173C9F-44B7-207B-D24D-0320C1A9DC6B} - C:\WINDOWS\system32\fahhrnk.dll
    O2 - BHO: (no name) - {82717A3F-2228-4ADD-91CD-AD21C110597d} - C:\WINDOWS\system32\likefcqp.dll
    O2 - BHO: (no name) - {D235C91B-76A9-0B0C-894E-5690ECD86EBF} - C:\WINDOWS\system32\bswq.dll (file missing)
    O2 - BHO: (no name) - {D83FCA1E-75F1-5F0E-DB4E-5690ECD93AED} - C:\WINDOWS\system32\deg.dll (file missing)
    O2 - BHO: (no name) - {D93A991F-71F1-5E0C-DD4E-5690ECD86FB0} - C:\WINDOWS\system32\jyx.dll (file missing)
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - HKLM\..\Run: [nietjdi.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll ",emjwfab
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ukqfpesh.dll ",setvm
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9f} - (no file) (HKCU)
    O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  9. 2007/03/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JazzyJimmyJ

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll
      C:\WINDOWS\system32\bswq.dll
      C:\WINDOWS\system32\likefcqp.dll
      C:\WINDOWS\system32\fahhrnk.dll
      C:\WINDOWS\system32\awvtu.dll
      C:\WINDOWS\system32\ukqfpesh.dll


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {07E29159-7CA0-4CF6-993B-D206764C72D3} - C:\WINDOWS\system32\awvtu.dll (file missing)
    O2 - BHO: (no name) - {76173C9F-44B7-207B-D24D-0320C1A9DC6B} - C:\WINDOWS\system32\fahhrnk.dll
    O2 - BHO: (no name) - {82717A3F-2228-4ADD-91CD-AD21C110597d} - C:\WINDOWS\system32\likefcqp.dll
    O2 - BHO: (no name) - {D235C91B-76A9-0B0C-894E-5690ECD86EBF} - C:\WINDOWS\system32\bswq.dll (file missing)
    O2 - BHO: (no name) - {D83FCA1E-75F1-5F0E-DB4E-5690ECD93AED} - C:\WINDOWS\system32\deg.dll (file missing)
    O2 - BHO: (no name) - {D93A991F-71F1-5E0C-DD4E-5690ECD86FB0} - C:\WINDOWS\system32\jyx.dll (file missing)
    O4 - HKLM\..\Run: [nietjdi.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll ",emjwfab
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ukqfpesh.dll ",setvm
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)
    O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9f} - (no file) (HKCU)
    O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.
    Please reboot your computer.

    Post a new HJT log.

    Thanks
    Geri
     
    Geri,
    #8
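    The entries Geri singles out in the fix list above can be picked out mechanically. Added example, not code from the thread or from HijackThis: a small Python triage script that applies the same signals (unnamed BHOs, registrations whose DLL is already gone, rundll32 Run entries loading a DLL from a user profile or with a gibberish name, a Winlogon Notify hook with no DLL) to HJT log lines, using lines copied from the log posted in this thread as its sample input; the heuristic names are my own.

```python
"""Triage of HijackThis v1.99 log entries (added example, not code from the
thread or from HijackThis). It encodes the signals the helper read by hand;
the reason strings and the gibberish-name heuristic are this example's own."""
import re

# One HJT entry: section code (O2, O4, ...) followed by the entry body.
ENTRY = re.compile(r"^\s*(O\d+)\s+-\s+(.*?)\s*$")
# A full DLL path; it cannot cross a quote, so rundll32.exe is never captured.
DLL = re.compile(r'([A-Za-z]:\\[^"]*?\.dll)', re.IGNORECASE)
RUN_NAME = re.compile(r"HK\w+\\\.\.\\Run: \[([^\]]+)\]")

# Sample input: lines copied from the HJT log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {07E29159-7CA0-4CF6-993B-D206764C72D3} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {76173C9F-44B7-207B-D24D-0320C1A9DC6B} - C:\WINDOWS\system32\fahhrnk.dll
O2 - BHO: (no name) - {82717A3F-2228-4ADD-91CD-AD21C110597d} - C:\WINDOWS\system32\likefcqp.dll
O2 - BHO: (no name) - {D235C91B-76A9-0B0C-894E-5690ECD86EBF} - C:\WINDOWS\system32\bswq.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nietjdi.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\JimmyJ\Local Settings\Application Data\nietjdi.dll ",emjwfab
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ukqfpesh.dll ",setvm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {07b7f771-1b8e-4b7b-823e-ffac1732aa9e} - (no file) (HKCU)
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
"""

def check_entry(section, body):
    """Return the reasons one entry deserves a second look (empty = nothing noted)."""
    reasons = []
    m = DLL.search(body)
    path = m.group(1) if m else ""
    stem = path.rsplit("\\", 1)[-1][:-4]          # DLL basename without ".dll"
    if section == "O2":                            # Browser Helper Objects
        if "(no name)" in body:
            reasons.append("unnamed BHO")
        if "(file missing)" in body:
            reasons.append("BHO CLSID still registered but its DLL is gone")
    elif section == "O4" and "rundll32" in body.lower():   # Run keys via rundll32
        name = RUN_NAME.match(body)
        if "\\Application Data\\" in path:
            reasons.append("rundll32 loads a DLL from a user profile directory")
        if name and path.lower().endswith("\\" + name.group(1).lower()):
            reasons.append("Run value is named after the DLL it loads")
        # Weak lexical signal for Vundo-style names: all-lowercase, letters only.
        if stem and stem.isalpha() and stem.islower():
            reasons.append("rundll32 loads a DLL with a gibberish name")
    elif section == "O9" and "(no name)" in body and "(no file)" in body:
        reasons.append("extra IE button with no name and no file")
    elif section == "O20" and "(file missing)" in body:
        reasons.append("Winlogon Notify hook whose DLL is missing")
    return reasons

def triage(log_text):
    """Scan a whole HJT log; header and process-list lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = check_entry(section, body)
        if reasons:
            d = DLL.search(body)
            findings.append({
                "section": section,
                "reasons": reasons,
                "dll": d.group(1) if d else None,
                # Already-missing files need only the registry fix, not deletion.
                "on_disk": "(file missing)" not in body and "(no file)" not in body,
            })
    return findings

def paths_to_review(findings):
    """DLLs that are still on disk: the candidates for quarantine or deletion."""
    return sorted({f["dll"] for f in findings if f["dll"] and f["on_disk"]})
```

    Registrations already marked (file missing) or (no file) are registry leftovers that the HJT "Fix Checked" step alone removes; paths_to_review lists the DLLs still on disk, which is what the Killbox step addresses.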
  10. 2007/03/27
    JazzyJimmyJ

    JazzyJimmyJ Inactive Thread Starter

    Joined:
    2007/03/23
    Messages:
    7
    Likes Received:
    0
    Hey Geri,

    Latest HJT below.


    Just a note on deleting those files using Killbox: on startup a series of RUNDLL errors came up (one for each of the files I deleted, saying it was missing).

    This makes sense to me, but just thought I'd check.




    Logfile of HijackThis v1.99.1
    Scan saved at 12:58:54 PM, on 3/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Hijackthis\killer.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
     
  11. 2007/03/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JazzyJimmyJ

    Your log is clean. How are things running?

    If everything seems OK then here is what is left to do.

    You can delete any tools you were asked to download (SDFix, Vundo, NoLop, KillBox). There will be newer versions if they are ever needed again anyway.

    You should update your Java. Here's how.

    Updating Java and Clearing Cache
    1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    2. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    3. If you are unable to update you can manually update by going here:
    4. After the reboot, go back into the Control Panel and double-click the Java Icon.
    5. Under Temporary Internet Files, click the Delete Files button.
    6. There are three options in the window to clear the cache - Leave ALL 3 Checked

      • Downloaded Applets
      • Downloaded Applications
      • Other Files
    7. Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    8. Click OK to leave the Java Control Panel.
    9. Delete older versions from Add/Remove list.

    We have just a few more things to do, mostly maintenance and then our recommendations:

    Delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

    5. IE-SpyAd - puts over 23,000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all, and MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    6. Install WinPatrol to prevent unknown applications from being inserted to start up on your machine

      Now just because you have security apps installed, they are useless unless updated regularly.

    7. Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    8. ATF Cleaner by Atribune.
      This program is for XP and Windows 2000 only. It cleans out temporary files, all the garbage you collect while surfing the web.

    9. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

    10. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    11. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Surf Safely
    Geri
     
  12. 2007/03/27
    JazzyJimmyJ

    JazzyJimmyJ Inactive Thread Starter

    Joined:
    2007/03/23
    Messages:
    7
    Likes Received:
    0
    Thanks a bunch Geri.

    All is better now; needless to say, you've been great.
     
  13. 2007/03/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JazzyJimmyJ

    Glad to help out.

    Geri
     