Options

Still Infected

Unknown
edited July 2004 in Spyware & Virus Removal
:banghead:
Prime... i still dont know what to do. If your busy and going to get back to my other message later, please disregard this. Thank you again for your time and effort.

heres latest log

Logfile of HijackThis v1.98.0
Scan saved at 12:35:43 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msko32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ghdym.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ghdym.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ghdym.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ghdym.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ghdym.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ghdym.dll/index.html#12802
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CC74E0B9-F6BF-A716-4F9A-98CC5AAEA235} - C:\WINDOWS\sdkhp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

:banghead: :bawling: :rant::zombie::mean:

Comments

  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    Get rid of the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ghdym.dll/sp.html#12802
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ghdym.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ghdym.dll/index.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ghdym.dll/sp.html#12802
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ghdym.dll/sp.html#12802
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ghdym.dll/index.html#12802
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {CC74E0B9-F6BF-A716-4F9A-98CC5AAEA235} - C:\WINDOWS\sdkhp32.dll

    Do you have a windows XP disk that you can boot off of, or is this an OEM computer (Compaq, HP, Gateway, something like that) that came with a "system recovery" disk?

    What I'm getting at is I'd like to boot off of Windows XP cd and get into Recovery Console and delete the DLLs from there.
  • wOnkaMaddness
    edited July 2004
    Yes i have a windows xp disk.... and i will delete the entries you listed.... however... they will return... i was up until about 4 in the morning rebooting deleting rebooting safemode troubleshoot scanning rebooting :banghead:
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    right, but in recovery console, we can see all hidden DLLs. What we're gonna do is some logic exercises and pattern analysis to determine where the hidden reloader is.

    For example, when we get you into recovery console, and type CD WINDOWS, CD SYSTEM32 and then DIR *.DLL we'll be able to use patterns to find out "what doesn't belong in this picture"... Things like randomly named DLLs, or relatively recent DLLs, things of that nature.

    maybe you should bring the computer to my office.....
  • wOnkaMaddness
    edited July 2004
    In addition, my virus scanner updatd today and found a bunch of new stuff. Now whenever i open my computer or just about any window, it finds a *.exe file. Trojan horse downloader agent.2.Q ????

    thx for your time
Sign In or Register to comment.