Dyfuca - Coolweb and more - help please HJT log attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by murraythecat, Feb 21, 2005.

  1. murraythecat

    murraythecat Private E-2

    If anyone could help me disinfect I'd appreciate it. I've run AdAware and Kaspersky 5.0 and still can't get rid of this. Here is my latest HJT logfile:
     
    Last edited by a moderator: Feb 21, 2005
  2. shewolf

    shewolf Specialist

    Welcome to MG :)

    I am sure one of the "pros" will delete your inline log, as you are supposed to 1. wait to be asked to attach your HJT log and 2. only after being asked, attach it as an attachment.

    HijackThis is NOT the first step in resolving spyware problems; what you need to do first is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem: make sure that you post back letting us know what you could and couldn't complete in the Read Me First guide and what problems still exist and in the meantime while we are reviewing what problems still exist please read the following guide and then wait for us to ask you to post your HJT log as an attachment.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!


    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.
    Place it in its own folder, for example C:\Program Files\HJT


    Again after you post back to let us know if you are still having the problems please be as specific as possible as to what you couldn't complete and as to what problems still exist as the more information we have the better we will be able to help you.

    Please also be patient in waiting for replies and responses as there are a limited number of people who are able to help you and as you can see by the posts on this forum there are many people out there who have questions/problems. Thanks and again welcome to MG :)

    sw:)
     
  3. murraythecat

    murraythecat Private E-2

    Sorry - I've tried numerous forums and no-one has helped me. This is the first response I've had in the past 6 days of posting to forums. I've tried to follow all the steps. Again, I'm sorry - I just wish I could get some assistance to steer me in the right direction. Thanks again - and I'm still infected, but will wait to post my HJT logfile when directed. Thanks everyone.
     
  4. murraythecat

    murraythecat Private E-2

    Attached is my new log file - thanks for the help!
     

  5. PhilliePhan

    PhilliePhan Guest

    Hang in there Murray. You have one of the really hard to remove baddies, among other things. Somebody will look at your log when time permits - likely tonight. Please be patient as there are only a few volunteers working this forum :)

    PP
     
  6. murraythecat

    murraythecat Private E-2

    Thanks Phillie. This virus is so frustrating.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Exit Browsers now before continuing and unplug your cable. And do not reconnect or run any browsers until told to do so.

    First Step:

    Scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O4 - HKLM\..\Run: [uxdlemu] c:\windows\system32\uxdlemu.exe

    O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe

    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

    O15 - Trusted IP range: 206.161.125.149

    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\Xhrmy.exe

    c:\windows\system32\uxdlemu.exe

    C:\WINDOWS\isrvs <--- This Whole Folder!


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Second Step:

    While still in Safe Mode, find the files from deldomains.zip on your Desktop, RightClick on the deldomains.inf file and select Install.


    Third Step:

    With the cable still unplugged, run HJT again and save a new log; name it HJTLOG2 and attach it to your post. Exit HJT.

    Now plug your cable back in, open one browser and then close it. Now get another HJT log and call it HJTLOG3.

    Now come back here, post both HJT logs and provide feedback on what happened while doing these steps.
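    As an added illustration (not part of this thread, of HijackThis, or of bjgarrick's instructions), a small Python triage script that applies the reasoning behind the fix list above to HJT log lines: O4 autoruns whose executable lives in the Windows directory tree, any O15 zone override, and O23 services whose file is missing. The sample log is constructed from the entries quoted in this thread plus one constructed benign AVG entry that should not be flagged; the path heuristic is a review aid, not a verdict.

```python
import re

# Constructed sample HijackThis log: the O4/O15/O23 entries from this thread
# plus one constructed benign O4 line (AVG) that must NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [uxdlemu] c:\windows\system32\uxdlemu.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVG\avgcc.exe /startup
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - (?P<kind>[^:]+): (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
EXE_RE = re.compile(r'[a-z]:\\[^"]*?\.exe')      # first executable path in a command line
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\")    # anything under the Windows directory


def triage(log: str) -> list:
    """Return one finding dict per HJT line an analyst should look at first."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = EXE_RE.search(m.group("cmd").lower())
            # Autoruns in the Windows tree (its root, system32, or an odd subfolder
            # such as isrvs) are far more often malware than ones under Program Files.
            if exe and WINDIR_RE.match(exe.group(0)):
                findings.append({"section": "O4", "reason": "autorun in Windows directory", "line": line})
        elif m := O15_RE.match(line):
            # A home PC normally has no Trusted Zone additions; every O15 deserves a look.
            findings.append({"section": "O15", "reason": m.group("kind") + " override", "line": line})
        elif m := O23_RE.match(line):
            # HJT marks orphaned service entries; they can be removed safely.
            if "(file missing)" in line:
                findings.append({"section": "O23", "reason": "service points at missing file", "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']:32} {f['line']}")
```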
     
  8. murraythecat

    murraythecat Private E-2

    Thanks BigGarrick! I'm now posting this on my desktop - the computer that's infected is my roommate's laptop. After following all the steps you suggested, I cannot restore the wireless connection on the laptop. We're using a Linksys Broadband Router through my desktop (which is not infected) and a Linksys Wireless-G network card on the laptop. These logfiles were transferred by CD-ROM in order to post.

    I've attached 3 logfiles. HJTLOG4 is the log after rebooting in normal mode. HJTLOG3 is the log you told me to name in Step 3.

    Additional notes:

    In step 1 - c:\windows\Xhrmy.exe - did not exist
    c:\windows\system32\uxdlemu.exe - did not exist

    In step 2 - after clicking Install on deldomains.zip - I got screen flicker and that's all - I'm hoping that's correct.
     

  9. murraythecat

    murraythecat Private E-2

    Final log attached as mentioned in my last post - this is HJTLOG4.
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Everything looks ok in the last log you posted. Now, let's troubleshoot your not being able to browse. When I said unplug the cable, what did you unplug?
     
  11. murraythecat

    murraythecat Private E-2

    I unplugged the network card.

    After I rebooted the laptop - this "Warning you're infected" screen remains which I can't get rid of.

    Thanks for helping! I hope we can resolve this.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What type of screen?

    Is it similar to the one I attached?
     

  13. murraythecat

    murraythecat Private E-2

    No - the background of the monitor goes black and in the middle:

    Warning!
    You're in Danger!
    All you do with computer is stored forever in your hard disk. when you vist sites, send emails...all your actions are logged. and it is impossible to remove them with standard tools. your data is still available for forensics.

    Then it says I could be broke for life.

    Thanks again. Seems like there are a ton of problems, huh?
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Run TrendMicro's Online Virus Scan

    Second:

    Download Ad-Aware SE 1.05

    Install Ad-Aware SE. Before scanning, click "Check For Updates"; an update is necessary.

    NOTE: The latest update is SE1R28.


    After you have updated your definitions, Click Start

    Choose "Full System Scan" and remove all found infections.

    Third:

    Download SpyBot S&D

    Install, update and use the Immunization feature.

    Run a full scan and remove all found entries.


    This should take care of your problem.

    Let me know how things are running after this is complete.
     
  15. murraythecat

    murraythecat Private E-2

    Will do - thanks - I'm still trying to get the laptop back on the network so I can access the web to download those files and run the scan.
     
  16. PhilliePhan

    PhilliePhan Guest

    If it doesn't, then try this:

    RightClick your Desktop and select Properties > Desktop Tab > Customize Desktop > Web and make sure nothing is selected in the box labeled "Web Pages." Namely, make sure that the My Current Home Page Box is unchecked.
    Also, let BJ know if there are other entries in the Web Pages box.

    If still no joy, then look for this file - C:\WINDOWS\desktop.html - and delete it, if found.

    PP :)
     
  17. murraythecat

    murraythecat Private E-2

    Okay - the bad screen is now gone - thanks for that Phillie.

    Now the problem is that I still can't get back online on the laptop, so I can't run the online scan or get the new Ad-Aware.
     
  18. murraythecat

    murraythecat Private E-2

    More good news - I'm back online on the laptop now. I will do the steps BJ suggested and let y'all know. I'll post a final HJT log after the steps BJ suggested.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, glad you're back online :)
     