Need help removing malwares

Status
Not open for further replies.
Hi all, my computer has been attacked by a bunch of trojans/spywares and I'm need of assisstance! As of now, I am getting pop-ups constantly and my computer's speed has dropped drastically. I noticed that there are a lot of processes running now that I've never seen before in my life such as !update.exe and SPA.exe, to name a few. I've also noticed that in my internet history, it shows that my internet's been accessing a webpage under the alias of NDr7C.tmp.html (though the number and letter after NDr varies). The file is located under C://documents and settings/owner/local settings/temp/NDr7C.tmp.html. I've tried deleting them manually but they keep respawning so I really have no idea what to do now. I've posted a log of hijackthis below this (because it won't fit in this post). This is my first time doing this so I'm not sure if I'm doing it right or not. If I'm doing something wrong, please let me know otherwise I will be looking forward to some great help on removing all these malwares from my computer. Thanks in advance!
 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:37:08 PM, on 6/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\Updt101\spa.exe
C:\Documents and Settings\Owner\My Documents\W?nSxS\n?pdb.exe
C:\PROGRA~1\ASEMBL~1\scanregw.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W16ZOHQR\HiJackThis_v2[1].exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kgowpvk.exe
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\System32\ddcdcbb.dll
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\System32\winload.dll
O2 - BHO: (no name) - {326A1EFA-A65D-4CA1-B4BA-6AF5794F5D67} - C:\WINDOWS\System32\gebyv.dll
O2 - BHO: 0 - {42C35D31-FD7D-4305-B7BA-B593A7409537} - C:\Program Files\Online Services\qugatan.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll
O2 - BHO: (no name) - {893AEFE4-85AA-4966-88A2-32FC86AFC01B} - C:\Program Files\Common Files\metob.dll
O2 - BHO: (no name) - {96083F1C-86F4-A125-DB7D-8AADA9922293} - C:\WINDOWS\System32\jwqsv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\System32\winnet.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\System32\ajtbfljb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mstsc] C:\WINDOWS\xrytcois.exe
O4 - HKLM\..\Run: [{13-32-29-9C-ZN}] c:\windows\system32\dwdsregt.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pwinsndt.exe CHD003
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\System32\umagbrfm.dll",realset
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [krqq] C:\PROGRA~1\COMMON~1\krqq\krqqm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\ASEMBL~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Inity] "C:\Documents and Settings\Owner\My Documents\W?nSxS\n?pdb.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{5C51329C-069E-1033-1217-020409200001}] "C:\Program Files\Common Files\{5C51329C-069E-1033-1217-020409200001}\Update.exe" te-110-12-0000213
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Memento.lnk = C:\Program Files\Memento\Memento.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\TICHD003.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\pwinsndt.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: LimeWire 4.0.4.lnk = C:\Program Files\LimeWire\LimeWire 4.0.4\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashboard.aspx?FJHFEJFGJBIGJHDBDGHCFBGCGGEJCGGBEIIFF (file missing)
O9 - Extra 'Tools' menuitem: Trend Micro Security Services - {D5E1CDC8-64B9-4f8c-8155-FC3B6D6749F7} - http://tmss.trendmicro.com/dashboard/dashboard.aspx?FJHFEJFGJBIGJHDBDGHCFBGCGGEJCGGBEIIFF (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Free History Cleaner - {ECC5778A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Free History Cleaner\FreeHistoryCleaner (file missing)
O9 - Extra 'Tools' menuitem: Free History Cleaner - {ECC5778A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Free History Cleaner\FreeHistoryCleaner (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.snipernet.us
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B864F4C-9FFB-43F7-81B5-0A054ED89D62}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B864F4C-9FFB-43F7-81B5-0A054ED89D62}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B864F4C-9FFB-43F7-81B5-0A054ED89D62}: NameServer = 192.168.1.1
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddcdcbb - C:\WINDOWS\SYSTEM32\ddcdcbb.dll
O20 - Winlogon Notify: gebyv - C:\WINDOWS\System32\gebyv.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\ubildll.dll (file missing)
 
O21 - SSODL: cVFJQ - {5C51329D-F6FB-9837-C9FE-BECA77BE9C20} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SYSTEM32\Browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SYSTEM32\Browseui.dll
O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\System32\winload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13389 bytes
 
Hi g0forkurself and welcome to techspot. =)

Firstly you should not have copied and pasted your logs. This is against the rules of this forum. Please do take your time to read the following threads.

Techspot FAQ.

A message for all newcomers.

SNGX1275`s A guide to making a good post/thread.

Secondly, your system is horribly riddled full of malware. Before you do anything, please read this.

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove several common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly momok =)

This thread is for the use of g0forkurself only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.
Back