I made this post on another forum, Just don't want to clog stuff up here:
[url]http://www.security-forums.com/viewtopic.php?p=319107#319107[/url]
Well, the fact is you never quite got rid of it. Its recreating the dlls and registry keys perhaps by other items hidden elsewhere. Or within files itself.
For everyone to see: The HJT log
[code]
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\regedit.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Street-Ads Browser Enhancer hiywp - {9BFB2E92-0169-47D8-8972-6D2326B84F7A} - C:\WINDOWS\system32\hiywp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Sfepehadajaku] rundll32.exe "C:\WINDOWS\ecidopuv.dll",Startup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257623837150
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: GenericMount Helper Service - Unknown owner - C:\Program Files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe [/code]
I personally see no issues except the 02 [BHO] items.
Few questions:
You got two anti virus applications running, Avast and Avira. Are both are them running?
Did you use
Combofix [url=http://www.combofix.org/]Link[/url]
Super antispyware [url=http://www.superantispyware.com/]Link[/url]
Malware bytes anti-malware? (MBAM)[url=www.malwarebytes.com]Link[/url]
if you answered no to any of the above, download it and do it in SAFEMODE.
If yes to all of the above, and you still got issues:
Did you do it in safemode?
If yes, backup DOCUMENTS ONLY. Do NOT backup: .exe, .dll, .reg, .tmp.
If no, fucking do that.
******
If you cannot access any of those sites, use an other computer and copy it to a flashdrive, or write it to a CD-R(DVD-R if you feel REALALY wasteful) or a external harddrive.
Make sure you change the attributes to the flash media (incl. external hdd) to READ ONLY.
You can do this in one swipe by typing this command in the command line[lua]
attrib +r %drive letter%:\[/lua]
or
[lua]
%drive letter%:
attrib +r
[/lua]
Warning, takes time.
%drive letter% will be the letter the flash/external hdd is recognized as. like E:\ or D:\ etc.
******
To get into safe mode:
After the BIOS screen passed, press on your f8 key like you're fiending for crack. Rapidly and relentless. Then choose "Safe Mode". If you're on a domain, use safemode with network capability. DO NOT USE SYSTEM RESTORE!
[QUOTE=Richard Simmons;23502330]Well, the fact is you never quite got rid of it. Its recreating the dlls and registry keys perhaps by other items hidden elsewhere. Or within files itself.
[/QUOTE]
Thanks, I said that in the post.
[QUOTE=Richard Simmons;23502330]
Did you use
Combofix [url=http://www.combofix.org/]Link[/url]
Super antispyware [url=http://www.superantispyware.com/]Link[/url]
Malware bytes anti-malware? (MBAM)[url=www.malwarebytes.com]Link[/url]
[/QUOTE]
Thanks again, I did say in my post,
[QUOTE=bull3tmagn3t]I have scanned with Avira, Avast!, and Malwarebytes[/QUOTE]
I know you are trying to help, but PLEASE read my entire post, and you don't need to put the HijackThis log, That's why I put the link to the post.
I hope i'm not coming off as a jerk saying those previous things, but you're wasting both of our times not reading my post. U tell me useless things, and I have to tell you that that was useless.. thanks anyways :)
Sorry, you need to Log In to post a reply to this thread.