
Spyware, Malware (Hacking tools and rootkits), and Popup Issues. [CLOSED]


  • This topic is locked

#1
xooma
    New Member
My computer had been running slow, some weird dialogs opened up, and some odd popups trying to get me to download software when I'm using a web browser. I also seem to have more processes running than normal (as well as some suspicious ones).

I ran the Lavasoft Ad-Aware and removed some "WINANTIVIRUSPRO" things. Ran the Panda ActiveScan, it detected and removed 2 viruses. It also told me I had 9 Spywares and 4 Hacking tools and rootkits (It did not disinfect them).

I've been getting some weird sites popping up from "Amaena..", although they haven't shown up since I've run the scans.

I ran Windows Defender and removed some process thing it considered dangerous.

Did a system restore.
Ran the Windows Defender again. Turned up clean. Ran Panda ActiveScan again. 8 Spywares and 3 Hacking tools and rootkits. There's still a problem.


Here is the HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:51:24 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\vcdplayx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Van Hofwegen Family\Desktop\HijackThis-2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Van Hofwegen Family\Application Data\Mozilla\Profiles\default\4g6ruq4y.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Van Hofwegen Family\Application Data\Mozilla\Profiles\default\4g6ruq4y.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {165F8FF0-FEE2-4A9E-9207-B9DA25671ADf} - C:\WINDOWS\system32\duskrhwd.dll
O2 - BHO: (no name) - {41262378-77C3-4E8F-8269-2E4B06909A4E} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\jfesumqs.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Van Hofwegen Family\Local Settings\Temp\TICHD003.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141096466296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148497382057
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll
O20 - Winlogon Notify: rqrstro - C:\WINDOWS\SYSTEM32\rqrstro.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Here is the Ad-Aware Quarantine Log: (Stuff I removed)
ArchiveData(auto-quarantine- 2007-06-05 21-46-15.bckp)
Referencefile : SE1R174 04.06.2007
======================================================

WINANTIVIRUSPRO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=RegKey : interface\{2e01311b-c322-4b0a-bd77-b90cfdc8dce7}
obj[1]=RegKey : interface\{50ea08b0-dd1b-4664-9a50-c2f40f4bd79a}
obj[2]=RegKey : interface\{50ea08b1-dd1b-4664-9a50-c2f40f4bd79a}
obj[3]=RegKey : interface\{50ea08b2-dd1b-4664-9a50-c2f40f4bd79a}
obj[4]=RegKey : interface\{50ea08b3-dd1b-4664-9a50-c2f40f4bd79a}
obj[5]=RegKey : interface\{50ea08b4-dd1b-4664-9a50-c2f40f4bd79a}
obj[6]=RegKey : interface\{50ea08b5-dd1b-4664-9a50-c2f40f4bd79a}
obj[7]=RegKey : interface\{50ea08b6-dd1b-4664-9a50-c2f40f4bd79a}
obj[8]=RegKey : interface\{50ea08b7-dd1b-4664-9a50-c2f40f4bd79a}
obj[9]=RegKey : interface\{50ea08b8-dd1b-4664-9a50-c2f40f4bd79a}
obj[10]=RegKey : interface\{50ea08b9-dd1b-4664-9a50-c2f40f4bd79a}
obj[11]=RegKey : interface\{50ea08ba-dd1b-4664-9a50-c2f40f4bd79a}
obj[12]=RegKey : interface\{50ea08bb-dd1b-4664-9a50-c2f40f4bd79a}
obj[13]=RegKey : interface\{50ea08bc-dd1b-4664-9a50-c2f40f4bd79a}
obj[14]=RegKey : interface\{50ea08bd-dd1b-4664-9a50-c2f40f4bd79a}
obj[15]=RegKey : interface\{50ea08be-dd1b-4664-9a50-c2f40f4bd79a}
obj[16]=RegKey : interface\{c90352f5-643c-4fbc-bb23-e996eb2d51fd}
obj[17]=RegKey : interface\{fa4bb38c-faf9-4cca-9302-d1dd0fe520db}
obj[18]=RegKey : system\controlset001\services\vxd
obj[19]=RegKey : system\currentcontrolset\services\vxd
obj[20]=RegKey : system\controlset003\services\vxd
obj[21]=File : C:\Documents and Settings\Van Hofwegen Family\Application Data\Mozilla\Firefox\Profiles\Default User\Cache(6)\A23E4567d01
obj[22]=File : C:\Documents and Settings\Van Hofwegen Family\Local Settings\Temporary Internet Files\Content.IE5\944KSFFD\NewSoftware2007Install[1].cab
obj[23]=File : C:\WINDOWS\system32\mfc71.dll


Here is the Panda ActiveScan log:
(going to post when the scan is finished)

Thank you so much for your time and help.

Edited by xooma, 05 June 2007 - 11:40 PM.



#2
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
    Retired Staff
Hello xooma and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post as quickly as you’d like; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual’s settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have a mixture of malware with Trojans including the dreaded Virtumonde (Vundo) and ConHook infections. Let’s see what we can do. I will target Vundo first of all and then clean the rest in later fixes.

Firstly, could you please disable Windows Defender from running during the fix; it may just hinder our attempts to change anything. Open Windows Defender, click Tools, click Options, under Real-time protection options, clear the Use real-time protection check box, and click Save.

To disable AdWatch, open AdAware SE > AdWatch User Interface > Tools and Preferences. At the bottom of the screen you will see two options, Active and Automatic. Uncheck both options. You can enable these after resolving your problem.

You do not appear to have any antivirus programme running on your PC; we must correct that immediately.

Download: AVG ANTIVIRUS 7.5 FREE EDITION

Install AVG, update its virus definitions and perform a full system scan before proceeding any further.



Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Now that the automated VundoFix has run a check against its internal database, please try running it a bit differently, with the manual additions below for the ConHook:
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\awtqn.dll
    • C:\WINDOWS\system32\nqtwa.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, from normal mode.

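The triage Crustyoldbloke performs on the first log (nameless BHOs loading odd DLLs from system32, the same DLL hooked as a Winlogon Notify entry, an orphaned O3 toolbar, a Startup item launching from a Temp folder, and the reversed-name companion awtqn.dll / nqtwa.*) can be written down as a small checker. This is an example added by the editor, not code from the thread or from HijackThis; the sample lines are a subset of the log posted above, and the Winlogon Notify allowlist is a constructed assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {165F8FF0-FEE2-4A9E-9207-B9DA25671ADf} - C:\WINDOWS\system32\duskrhwd.dll
O2 - BHO: (no name) - {41262378-77C3-4E8F-8269-2E4B06909A4E} - C:\WINDOWS\system32\awtqn.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Van Hofwegen Family\Local Settings\Temp\TICHD003.exe
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
""".strip("\n")

# Assumption (constructed allowlist): Winlogon Notify DLLs accepted as legitimate.
# WgaLogon.dll is the Windows Genuine Advantage notification DLL.
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll"}


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O2", or "O2+O20" for a cross-match
    path: str     # file the entry points at, or "(no file)"
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Apply the red-flag heuristics a malware helper uses when reading an HJT log."""
    findings: List[Finding] = []
    o2_dlls, o20_dlls = set(), set()
    for raw in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            # "[name] command" for Run keys, "name.lnk = target" for Startup folder items
            path = body.split(" = ", 1)[-1] if "Startup:" in body else body.split("] ", 1)[-1]
        else:
            path = body.rsplit(" - ", 1)[-1].strip()

        if section == "O2" and "(no name)" in body and "\\system32\\" in path.lower():
            o2_dlls.add(_basename(path))
            findings.append(Finding(section, path, "nameless BHO loading a DLL from system32"))
        elif section == "O3" and path == "(no file)":
            findings.append(Finding(section, path, "orphaned toolbar entry (registry points at a missing file)"))
        elif section == "O4" and "Startup:" in body and "\\temp\\" in path.lower():
            findings.append(Finding(section, path, "startup item running an executable from a Temp folder"))
        elif section == "O20":
            name = _basename(path)
            o20_dlls.add(name)
            if name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, path, "Winlogon Notify hook outside the allowlist"))

    # A DLL that is both a nameless BHO and a Winlogon Notify hook is the classic Vundo pattern.
    for name in sorted(o2_dlls & o20_dlls):
        findings.append(Finding("O2+O20", name, "same DLL is a BHO and a Winlogon Notify hook (Vundo pattern)"))
    return findings


def vundo_companion(dll_basename: str) -> str:
    """Name pattern of the companion file Vundo variants drop beside the DLL:
    the stem reversed, any extension (the thread targets awtqn.dll with nqtwa.*)."""
    stem = dll_basename.rsplit(".", 1)[0]
    return stem[::-1] + ".*"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:7} {f.reason}: {f.path}")
        if f.section == "O2+O20":
            print(f"        also look for companion file {vundo_companion(f.path)}")
```

Running it against the sample lines reports the two nameless BHOs, the orphaned O3 entry, the Temp startup item, the awtqn Winlogon hook, and the O2/O20 cross-match with nqtwa.* as the companion to check.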

#3
xooma
    New Member, Topic Starter
Thanks for the fast reply! :whistling:

So I disabled Ad-Aware & Windows Defender.

Downloaded AVG, updated the definitions, ran a scan. Removed 2 Trojan "threats."



I downloaded Vundofix, ran it. Came up with nothing. Restarted computer, ran it again. Nada. Still nothing found to remove. So I right clicked and added the 2 files you told me to. Clicked remove, and it rebooted the computer.

Current HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:26:40 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vcdplayx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Van Hofwegen Family\Desktop\HijackThis-2.exe
C:\Program Files\Mozilla Firefox\firefox.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Van Hofwegen Family\Application Data\Mozilla\Profiles\default\4g6ruq4y.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Van Hofwegen Family\Application Data\Mozilla\Profiles\default\4g6ruq4y.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141096466296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148497382057
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by xooma, 06 June 2007 - 02:35 PM.


#4
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
    Retired Staff
Hello again

I am impressed with AVG antivirus taking out both Vundo and ConHook, but I don't trust Vundo, so I will need to be convinced it has gone.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Please download this file: combofix.exe to your Desktop

Do NOT run this tool in safe mode.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#5
xooma
    New Member, Topic Starter
I removed the file from HJT. No problems.

Downloaded combofix.exe. Ran it, and it tried to automatically reboot the computer. It shut down, but wouldn't restart. Now it won't even start up. I can't even start it in safe mode. It will get to the safe mode menu, but won't start in safe mode. I'm posting from an alternate computer. The computer just keeps cycling... trying to reboot, then shutting down. It doesn't get further than the safe mode menu. What can I do? It's seriously messed up.

Edit: tried reflashing the BIOS. Didn't affect it.

Edited by xooma, 06 June 2007 - 04:10 PM.


#6
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
    Retired Staff
Hello again

I didn't think your PC was that badly infected for this to happen.

1. Restart your computer, and keep tapping F8 during the initial start-up until you get options, select Safe Mode with a Command Prompt then press enter.

2. Log on to your computer with an administrator account or with an account that has administrator credentials.

3. Type the following command at a command prompt, and then press ENTER:

%systemroot%\system32\restore\rstrui.exe

4. Follow the instructions that appear on the screen to restore your computer to an earlier state.

Look for the most recent system checkpoint created before the errors to restore from.

#7
xooma
    New Member, Topic Starter
No matter what safe mode startup I select, it won't reboot. I can't even start up into safe mode, can't start it up at all. I get to the menu by pressing F8, but it doesn't work. It just goes through a cycle.. shutting down when I select the startup mode and then trying to reboot. Any ideas as to what the problem might be/how I can fix it?

Edited by xooma, 06 June 2007 - 06:12 PM.


#8
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
    Retired Staff
Sounds like a catastrophic failure. I may have to pass you over to other experts but let's try a repair first.

Please follow this link to instructions on repairing Windows XP. I would advise you to print a copy for easy reference.

Repair Windows XP Topic

#9
xooma
    New Member, Topic Starter
I'm repairing it now and it seems to be working smoothly.. I'll update you once the process is over. If it works I'll post a new HJT log. Thanks for your help, it's appreciated. I thought I'd have to start over, but things are looking somewhat more hopeful now.. :/

I just don't want to lose all my data. Hope this works..

#10
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
    Retired Staff
I hope so too.

When you are up and running, can I suggest that you do a disk scan?

Go to START > RUN > type in cmd > click ENTER > at the prompt type in chkdsk > press ENTER. Windows will either check the HDD now or at next reboot (likely). This is the sort of symptom I would expect from HDD failure.

The hard drive life is roughly 10,000 hours (4 years in a business environment).


#11
xooma
    New Member, Topic Starter
Ok so when I went to reinstall, at the installation screen, it had the combofix log, opened in a notepad type screen. Very weird. I exited out and went ahead with the reinstallation, (hindered some because I had to call up MS for product key--lost my old one). It accepted the code, but not all the files could be found off the disk, which is weird because it's not scratched, and was in the drive correctly. I just clicked to continue installation without those files. It seemed successful, but won't let me install any service pack updates. I can't even install the updater. I haven't lost my data (yet) though, so that's good.

I scanned the HD like you said and it didn't reboot. The HD doesn't seem to be the problem.

Here's the *suspicious* combofix log. I think the combofix may have screwed my computer, because it was after I ran that program that my computer refused to reboot. That combofix program tried to reboot it automatically, but afterwards it never successfully rebooted until I did that Windows Repair you suggested (thanks for the tip). I'm also posting a new HJT log.

I'm considering reformatting my HD, starting over clean. I've never, ever, in my history with computers, had a serious problem such as this. I've dealt with malware before.. I've never reformatted any of my computers either. I like to keep my old junk, and like to try to keep my computers clean for the most part so that a reformat isn't necessary. I might back up all my old data (thankful I didn't lose it) and settings/drivers/password/network info/internet stuff, etc. and wipe it clean, do a reinstall.

I still don't know why this all happened. It boggles me.



Combofix Log:
01/26/2006 19:49	  767	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\VANHOF~1\Desktop\Internet Explorer.lnk.vir
06/06/2007 13:45	  1016	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_IPRIP.reg.cf
06/06/2007 13:45	  3674	--a------	C:\Qoobox\Quarantine\Registry_backups\services_Iprip.reg.cf


Folder PATH listing
Volume serial number is 71FAE346 884C:D47D
C:\QOOBOX
\---Quarantine
	+---C
	|   +---avenger
	|   \---DOCUME~1
	|	   \---VANHOF~1
	|		   \---Desktop
	|				   Internet Explorer.lnk.vir
	|				   
	\---Registry_backups
			LEGACY_IPRIP.reg.cf
			services_Iprip.reg.cf

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:19, on 2007-06-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
D:\QuickBooks Basic\qbw32.exe
D:\QUICKB~1\QBDBMgr.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Van Hofwegen Family\Desktop\HijackThis-2.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Van Hofwegen Family\Application Data\Mozilla\Profiles\default\4g6ruq4y.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Van Hofwegen Family\Application Data\Mozilla\Profiles\default\4g6ruq4y.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office12\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1181237452062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1181237439015
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by xooma, 07 June 2007 - 12:22 PM.


#12
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
    Retired Staff
Hello again

I too would like to see the ComboFix log as I think it is highly unlikely to have caused this problem. You should find it at C:\ComboFix.txt

Please paste it into your reply for analysis.

Also, please check for the existence of these files:
  • C:\Windows\ERDNT\sUBs\system
  • C:\Windows\ERDNT\sUBs\software
  • C:\Windows\System32\Config\System.bak
  • C:\Windows\System32\Config\Software.bak
Those are backups of your previous registry. If they're there, please zip & then upload them to sUBs at:

http://www.bleepingc...e.php?channel=4

Thanks.

Edited by Crustyoldbloke, 07 June 2007 - 02:08 PM.


#13
xooma
    New Member, Topic Starter
"Van Hofwegen Family" - 2007-06-06 13:42:26 Service Pack 2 NTFS
ComboFix 07-06-06 - Running from: ""


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\VANHOF~1\Desktop.\internet explorer.lnk


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-06 17:50 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-06-06 17:48 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-06-06 17:47 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-06-06 17:46 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-06-06 17:46 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-06-06 17:46 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-06-06 17:45 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-06-06 13:44 <DIR> d-------- C:\Odd Files Under C
2007-06-06 13:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 12:50 <DIR> d-------- C:\VundoFix Backups
2007-06-05 20:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-05 19:27 1,612,945 ---hs---- C:\WINDOWS\system32\nqtwa.bak1
2007-06-05 19:21 <DIR> d-------- C:\Temp\x2b
2007-06-05 19:21 <DIR> d-------- C:\Temp
2007-06-01 01:49 8,667,136 --a------ C:\DOCUME~1\VANHOF~1\ntuser.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 20:33:59 -------- d-----w C:\Program Files\Windows Defender
2007-06-06 20:33:43 -------- d-----w C:\Program Files\Windows Desktop Search
2007-06-06 05:44:28 -------- d-----w C:\Program Files\7-Zip
2007-06-06 04:56:37 -------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-06-06 04:17:21 -------- d-----w C:\Program Files\GoPets Ltd
2007-03-21 23:00:09 34 ----a-w C:\WINDOWS\system32\BD5240.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [03/02/2001 13:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [06/18/2002 03:44 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [11/18/2002 15:15 C:\WINDOWS\system32\nwiz.exe]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2006 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 19:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [06/06/2007 07:26]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [08/29/2002 05:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [06/06/2007 07:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [10/19/2006 15:53]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - BEEP

Contents of the 'Scheduled Tasks' folder
2007-06-06 20:28:45 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 17:50:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\mscwphbk.exe
C:\WINDOWS\system32\drivers\ccdmcast.sys

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\RpcDICA]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\ccdmcast.sys"

Completion time: 06/06/2007 17:51:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 06/06/2007 17:50

--- E O F ---

#14 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again

Here's what I see in that log.

scanning hidden files ...

C:\WINDOWS\system32\mscwphbk.exe
C:\WINDOWS\system32\drivers\ccdmcast.sys

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\RpcDICA]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\ccdmcast.sys"


These are the probable cause: rootkits!

The rootkits probably won't have survived the repair install but it never hurts to check if the physical files still exist.

If you find the files, I would like samples of them sent to sUBs at the address previously given.

C:\WINDOWS\system32\mscwphbk.exe
C:\WINDOWS\system32\drivers\ccdmcast.sys

What you are going to do with your PC really impinges on my advice. If you are to continue with it, I would like to scan for rootkits. Please advise.

#15 xooma (New Member, Topic Starter, 8 posts)
Before we get any further, I'd really like to back up my most important data, if that's alright. If anything should happen I don't want it to be gone forever.

How do I attach the "C:\WINDOWS\system32\drivers\ccdmcast.sys" file? What program should I open it with? I don't want to mess things up. It couldn't find the other file.

I'm not sure if I want to reformat. I'll have to if I'm unable to install SP2. I would appreciate your advice on how to remove the rootkits/rest of the malware.

Thanks
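The helper asks twice for files to be checked and sent as samples (the registry backups in #12, the two hidden files catchme reported in #14), and the user in #15 asks how to attach a .sys file safely. The script below is an added example, not part of the thread and not a tool the helper recommended: it takes the paths named in the thread, reports which ones exist (using a stat call, so files carrying the hidden/system attributes that Explorer hides by default are still seen), records size, modification time and SHA-256 for each, and packs the existing ones into a zip with a manifest. The archive name `samples.zip`, the manifest layout and the function names are this example's own choices. The point for the user's question is that a suspected rootkit component is never opened with a program or double-clicked; it is hashed and zipped as-is and the zip is what gets uploaded.

```python
"""Collect suspected malware samples / registry backups for submission.

Added example (not from the thread). Given the paths an analyst asked about,
report which exist, record size and SHA-256 for each, and pack the ones that
exist into a zip with a manifest, so they can be uploaded rather than opened
or executed. 'samples.zip' and the manifest format are this example's own
choices; the paths are the ones named in posts #12 and #14.
"""
import hashlib
import json
import os
import zipfile
from datetime import datetime, timezone

# Files the helper asked about (posts #12 and #14). They are to be zipped and
# uploaded, never opened in an editor or run.
REQUESTED_PATHS = [
    r"C:\Windows\ERDNT\sUBs\system",
    r"C:\Windows\ERDNT\sUBs\software",
    r"C:\Windows\System32\Config\System.bak",
    r"C:\Windows\System32\Config\Software.bak",
    r"C:\WINDOWS\system32\mscwphbk.exe",
    r"C:\WINDOWS\system32\drivers\ccdmcast.sys",
]


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a large registry hive need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inspect(paths):
    """Return one record per path: existence, size, mtime (UTC) and SHA-256.

    os.lstat sees files with the hidden/system attributes that Explorer hides
    by default. A file that an active kernel rootkit is hiding from the
    filesystem API will still be missed, which is why the helper asked for the
    check only after the repair install.
    """
    records = []
    for p in paths:
        rec = {"path": p, "exists": False}
        try:
            st = os.lstat(p)
        except OSError:
            records.append(rec)
            continue
        rec.update(
            exists=True,
            size=st.st_size,
            mtime=datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            sha256=sha256_of(p),
        )
        records.append(rec)
    return records


def pack_samples(paths, archive_path):
    """Zip the files that exist plus a manifest.json; return the records.

    Samples are stored under an index-prefixed basename (two hives both called
    'system' would otherwise collide); the manifest keeps the full original
    path and hash so the analyst can match each entry to the log lines.
    """
    records = inspect(paths)
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, rec in enumerate(records):
            if rec["exists"]:
                rec["archived_as"] = f"{i:02d}_{os.path.basename(rec['path'])}"
                zf.write(rec["path"], arcname=rec["archived_as"])
        zf.writestr("manifest.json", json.dumps(records, indent=2))
    return records


if __name__ == "__main__":
    for rec in pack_samples(REQUESTED_PATHS, "samples.zip"):
        print("FOUND  " if rec["exists"] else "absent ", rec["path"])
```

Run it from the machine being cleaned and upload the resulting samples.zip to the address the helper gave. Hashing before zipping also gives the analyst a way to confirm the archive was not altered or quarantined in transit, since on-access antivirus will sometimes remove a known sample from the zip as it is created; if the hash in manifest.json does not match the extracted file, the scanner got there first.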
