Please help...computer infected.

Welcome to Major Geeks!

You saved BitDefender exactly how the READ ME says to save it.

While I look thru all of your logs get started with the below.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to CWShredder Service
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
  • DomainService
• Click OK until you get back to Windows.

 

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {0D5691EA-1B24-4763-99A6-5FC23CB0A4B2} - C:\WINDOWS\system32\eudnxfsn.dll (file missing)
O2 - BHO: (no name) - {1D6D392D-536C-4239-99C0-8AD4DD5B634b} - C:\WINDOWS\system32\auuuwxpv.dll
O2 - BHO: (no name) - {4B51C603-1C70-4930-B095-1EB6A1BBFA7A} - C:\WINDOWS\system32\dxmas.dll
O2 - BHO: sys-addon - {4CF7C596-C8FF-41d5-88A5-0F1A1A92DDE1} - C:\Program Files\sys-addon\sys-addon.dll
O2 - BHO: tsdiscon - {74EEB5D8-D301-4B03-9F05-0C663FC9B96B} - C:\WINDOWS\system32\tsdiscon.dll (file missing)
O2 - BHO: (no name) - {B172841B-B022-49C0-8797-4F20DD404463} - C:\WINDOWS\system32\efcyw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dsiwlgpr.dll",sitypnow
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O20 - Winlogon Notify: ddccday - ddccday.dll (file missing)
O20 - Winlogon Notify: efcyw - C:\WINDOWS\system32\efcyw.dll



After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

 

I'll edit the previous fix to change the HJT part and also the Avenger part since there is a new file. Give me a few minutes. I'll post back another message when I finish editing.

 

Okay I'm finished editing the previous instructions. Please follow them now. After you attach your new follow up logs. Do not reboot or power down your PC.

 

You're welcome. After attaching your logs remember to not power down or reboot until you here from me.

 

We still have some more to do.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {4B51C603-1C70-4930-B095-1EB6A1BBFA7A} - C:\WINDOWS\system32\dxmas.dll
O2 - BHO: (no name) - {B172841B-B022-49C0-8797-4F20DD404463} - C:\WINDOWS\system32\efcyw.dll (file missing)
O3
After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

 

Your infection spread again.

Question: When you applied the fixME.reg patch, did you get a success message?


Don't forget the new HJT log.

 

Did you see message # 15?

 

Uninstall AVG Antispyware. I want to make sure it is not getting in our way. Do this now!

Take a look in your C:\Windows\system32 folder. Do you see anything like the below file:

Code:

IExplorer.dll                                                              .dbt

Also do you see the below file?
C:\WINDOWS\system32\dxmas.dll

Also can you put the below two files into a ZIP file and attach it here:
C:\WINDOWS\system32\drivers\kwxeowsx.dat
C:\WINDOWS\system32\drivers\npnadciv.dat

 

First try the below.

See if you can delete the below files I mentioned before. Some or all may be denied. Tell me later what happens at this point.
IExplorer.dll .dbt
dxmas.dll
dxmas.1
dxmas.2
dxmas.3
dxmas.4

No matter what happens when you try to delete the above, just continue on with the below.


Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {4B51C603-1C70-4930-B095-1EB6A1BBFA7A} - C:\WINDOWS\system32\dxmas.dll
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

 

After completing my previous instructions and attaching the new logs, continue onto the below.


Download Registry Search (see the link titled RegSearch Download Link)

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• Enter kwxeowsx in the top area of the form and then click "OK".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file now before doing the next search below.

Now repeat the above search but this time search for npnadciv
Attach this second log too.

 

Darn!!!! The Avenger fix in message #21 got messed up. I just fixed it. Please re-read if not too late.

 

Okay take another look right now. Does the dxmas.dll file still exist? Did any of the others return?

What is the file date and time on dxmas.dll

 

Please delete the below file. Make sure you ONLY delete the one in the system32 folder and not in c:\Windows


C:\WINDOWS\system32\explorer.exe

Did it delete?

 

You forgot to tell me the date and time on the file.

This one is a valid Windows system file. It Windows Media Source Filter.


Do you have your Windows XP boot CD?

 

Please give the below a run and tell me what if anything is found:

BitDefender RootkitUncover

 

Do a file scan on dxmas.dll using the below site:

http://virusscan.jotti.org/

Post back the results.

Not good! Malware issues is one of a few issues why a boot CD is an absolute must.

 

Okay let's try a different more comprehensive rootkit scan. Run the below and attach the requested log:

Running GMER to detect rootkits


Let's also try the below to remove the below O2 - BHO key:

O2 - BHO: (no name) - {4B51C603-1C70-4930-B095-1EB6A1BBFA7A} - C:\WINDOWS\system32\dxmas.dll


Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

Run Registrar Lite navigate to the following key and take ownership of it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

• To take ownership of the key do the following
• Click-on the above Registry Key
• Click-on Security in the Menu
• Select Take Ownership
• Now locate the below key under the Browser Helper Objects key and select it then right click on it and select delete:

{4B51C603-1C70-4930-B095-1EB6A1BBFA7A}

• After deleting it exit Registrar Lite and attach a new HJT log.

 

Sorry about that. Uninstall the version you now have installed and download and install the below version which will work.

http://downloads.bjgarrick.com/files/RegistrarLite.zip

 

Try again after booting into safe mode. Also make sure that no browser sessions are running.

 

Print the below instructions because at a point during them you MUST (this is can be critical) shutdown all browsers. I will tell you when to exit the browsers during the muti-part procedure.

• Download this file - combofix.exe directly to your Desktop. Do not run it!
  • **Note: It is important that it is saved directly to your desktop**
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as ComboFix-Do.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have the below icons on your Desktop (double click the thumbnail to expand it)

• Now refer to the above image and use your mouse to drag ComboFix-Do.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now attach the below new logs and tell me how the above steps went.

1. ComboFix log
2. new GetRunKey
3. new ShowNew
4. new HJT

Make sure you tell me how things are working now!

 

Try renaming the ComboFix-Do.txt to CFScript.txt and use it in the procedure.
Also shutdown all protection software before doing the procedure.