Malware problems
infectedguy
Hi

I've browsed this site for a while and because of the information here, I've been able to help myself thanks to all of you. I just recently got hit hard and it's been the hardest challenge for me yet. I've done everything possible to get rid of it, but something is still causing me problems. I am getting pop-ups constantly while doing other things and it's disrupting me in the middle of things. I did find Duce6.exe and SearchAssistant and I believe I got them. I ran HijackThis, BFU and ComboFix and here are my current logs. Could you take a look for me and advise me on what I'm missing in correcting? My pop-ups are not as bad as they were an hour ago, but still bad.

Logfile of HijackThis v1.99.1
Scan saved at 18:43, on 06-09-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Razer\Krait\razerhid.exe
C:\WINDOWS\win3207721485717.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Razer\Krait\razertra.exe
C:\Program Files\Razer\Krait\razerofa.exe
C:\DOCUME~1\NESTOR~1.RNE\LOCALS~1\Temp\Rar$EX00.297\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsy3D.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Krait] C:\Program Files\Razer\Krait\razerhid.exe
O4 - HKLM\..\Run: [win3207721485717] C:\WINDOWS\win3207721485717.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe



This is the Combofix log



ComboFix 06.09.27 - Running from: "C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Eim03.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-26 to 2006-09-26 ))))))))))))))))))))))))))))))))))


2006-09-25 18:57 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-09-25 18:55 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-09-25 18:55 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-25 18:55 217,276 --a------ C:\WINDOWS\srvchipuqb.exe
2006-09-25 18:55 183,478 --a------ C:\WINDOWS\srvcexcrlc.exe
2006-09-25 18:55 163,840 --a------ C:\WINDOWS\win3207721485717.exe
2006-09-25 18:55 1,018,784 -r-hs---- C:\WINDOWS\vjajokr.exe
2006-09-18 07:32 80,896 --a------ C:\WINDOWS\system32\nsy3D.dll
2006-09-15 17:21 53,248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 17:16 53,248 --a------ C:\WINDOWS\uni_e6h.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-26 16:09 -------- d-------- C:\Program Files\World of Warcraft
2006-09-26 15:42 -------- d-------- C:\Program Files\Yahoo!
2006-09-26 09:23 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-26 09:22 -------- d-------- C:\Program Files\CCleaner
2006-09-26 09:19 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Lavasoft
2006-09-26 09:18 -------- d-------- C:\Program Files\Lavasoft
2006-09-26 08:31 -------- d-------- C:\Program Files\Common Files
2006-09-25 19:09 7680 --ahs---- C:\Program Files\Thumbs.db
2006-09-25 18:57 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-09-02 07:34 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Ahead
2006-08-31 02:30 -------- d-------- C:\Program Files\Google
2006-08-29 00:02 -------- d-------- C:\Program Files\Teamspeak2_RC2
2006-08-29 00:02 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\teamspeak2
2006-08-28 19:07 -------- d-------- C:\Program Files\CCP
2006-08-27 19:01 -------- d-------- C:\Program Files\KnightOnline
2006-08-27 18:54 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-27 17:18 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Help
2006-08-17 17:35 -------- d-------- C:\Program Files\Razer
2006-08-17 17:31 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-08-17 17:29 -------- d-------- C:\Program Files\Logitech
2006-08-09 16:16 -------- d-------- C:\Program Files\QuickTime
2006-08-07 14:56 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Macromedia
2006-08-05 21:00 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Ventrilo
2006-08-05 16:16 -------- d-------- C:\Program Files\Ventrilo
2006-08-05 16:14 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Google
2006-08-05 16:12 -------- d---s---- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Microsoft
2006-08-05 15:28 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Adobe
2006-08-05 15:26 -------- d-------- C:\Program Files\Adobe
2006-08-05 15:17 -------- d-------- C:\Program Files\Microsoft Office
2006-08-05 15:13 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-05 15:09 75304 --a------ C:\WINDOWS\system32\VetRedir.dll
2006-08-05 15:09 590190 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2006-08-05 15:09 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-08-05 15:09 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2006-08-05 15:09 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2006-08-05 15:09 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2006-08-05 15:09 116264 --a------ C:\WINDOWS\UnVet32.exe
2006-08-05 15:09 112168 --a------ C:\WINDOWS\AVShlExt.dll
2006-08-05 15:09 102398 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2006-08-05 15:09 -------- d-------- C:\Program Files\CA
2006-08-04 19:04 -------- d-------- C:\Program Files\WinRAR
2006-08-04 19:03 -------- d-------- C:\Program Files\DVD Shrink
2006-08-04 19:03 -------- d-------- C:\Program Files\DVD Decrypter
2006-08-04 19:02 -------- d-------- C:\Program Files\DVDFab Decrypter
2006-08-04 17:13 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-08-04 16:45 -------- d-------- C:\Program Files\BroadJump
2006-08-04 16:34 -------- d-------- C:\Program Files\Windows Media Player
2006-08-04 16:33 -------- d-------- C:\Program Files\Ahead
2006-08-04 16:10 -------- d-------- C:\Program Files\Messenger
2006-08-04 16:10 -------- d-------- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\Identities
2006-08-04 16:08 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-04 11:52 62 --ahs---- C:\Documents and Settings\Nestor L Rodriguez.RNESTOR\Application Data\desktop.ini
2006-07-20 12:24 14872 --a------ C:\WINDOWS\system32\SBBD.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.4156\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"Krait"="C:\\Program Files\\Razer\\Krait\\razerhid.exe"
"win3207721485717"="C:\\WINDOWS\\win3207721485717.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Tue 09/26/2006 18:50:06.17
ComboFix.txt


Thank you in advance.
infectedguy
Such great response, thanks.

No need to worry about my problem though. Like I said before, I've learned a lot from stopping by and was able to finish locating and fixing my malware problem. No more Duce6, no more SearchAssistant, no more pop-ups, and no more programs constantly closing on their own.
I do thank you though for the tools you have shared here that made it possible for me to actually fix my problem along with the knowledge I gained.

LS CalamityJane
Hi,

Apologies for the late reply, we've been quite swamped in here as you can probably see.

We answer unanswered topics from oldest to newest and we're about 5-6 days backed up.

Are you still needing help?

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

If you still need help, please post a fresh HijackThis log so I can see where you are at this point.