
Computer infected with Worm.Win32.Netsky [RESOLVED]


  • This topic is locked

#1
bronc4294x4

    New Member

  • Member
  • Pip
  • 7 posts
I got the red screen of death on one of our computers. I did a search and found the same virus in a topic here that was resolved. I followed that post and ran Spybot Search & Destroy. Downloaded OTMoveIt.exe, but haven't used it. Ran SmitfraudFix.exe. After which the red screen of death was gone.
This morning I got up to the same red screen of death, so I followed the malware cleaning guide to do prior to posting a HijackThis log. Once again the red screen of death is gone, but I would like for someone to look at my HJT log and see IF there is anything that I may need to fix and also see IF there is anything that I may have missed.
Thanks for all the help.

bronc


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:30 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.100
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The elfwgps - {27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {76CA9BF9-9868-4249-862D-6F454A48A9CE} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1195842223656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195844887640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: bqxomdo - {883C3755-1332-49E2-B94D-496CF04AD7B3} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {C46D63D0-9463-4FDC-834D-BDC314E156FB} - C:\WINDOWS\aswmklt.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 5485 bytes



Here is a SuperAntiSpyware log

SUPERAntiSpyware Scan Log
Generated 01/26/2008 at 03:19 PM

Application Version : 3.6.1000

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 01:37:36

Memory items scanned : 322
Memory threats detected : 0
Registry items scanned : 4461
Registry threats detected : 15
File items scanned : 67787
File threats detected : 36

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}\InprocServer32
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}\InprocServer32#ThreadingModel
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}\ProgID
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}\Programmable
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}\TypeLib
HKCR\CLSID\{8FC29A8D-F29D-477E-B428-0F942E23A960}\VersionIndependentProgID
C:\WINDOWS\DPVTPORFGP.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Zachary\Cookies\zachary@doubleclick[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@adinterax[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@adknowledge[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@anycracks[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@atwola[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@azjmp[2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@bizrate[2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@cracks[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@friendfinder[2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@mscracks[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@nextag[2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@offeroptimizer[2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@partner2profit[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@partypoker[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@rightmedia[1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][2].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt
C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt

Trojan.Net-MSV/VPS
HKCR\MSVPS.MSVPSApp
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer

Desktop Hijacker.AboutYourPrivacy
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\images
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger

Trojan.Media-Codec/V4
HKCR\videoPl.chl
HKCR\videoPl.chl\CLSID

Rogue.XP AntiVirus
HKU\S-1-5-21-3826821714-1779672970-72185382-1006\Software\Microsoft\Windows\CurrentVersion\Run#XP Antivirus [ C:\Program Files\XP Antivirus\xpa2008pro.exe ]
C:\Program Files\XP Antivirus

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\ZACHARY\DESKTOP\DN STUFF\FAVORITES AND COOKIES\FAVORITES\REG CLEAN.URL

Adware.SXGAdvisor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6CAC8781-D14A-4E3D-BB38-7856283498EC}\RP3\A0000012.DLL



here is the Activescan log


Incident Status Location

Adware:Adware/VideoPlugin Not disinfected C:\WINDOWS\aswmklt.dll
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Zachary\Application Data\Mozilla\Firefox\Profiles\fqp63vzc.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Zachary\Cookies\[email protected][2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@cgi-bin[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\michael@com[1].txt
Spyware:Cookie/Qsrch Not disinfected C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt
Spyware:Cookie/MyWay Not disinfected C:\Documents and Settings\Zachary\Desktop\DN stuff\favorites and cookies\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Zachary\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Zachary\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Zachary\Desktop\SmitfraudFix\restart.exe
Adware:Adware/VideoAddon Not disinfected C:\Documents and Settings\Zachary\My Documents\setup to youtube.exe[²ÜÇ\barf.dll]


#2
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi and sorry for the delay

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3
bronc4294x4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here they are. Thanks for the help.

ComboFix 08-01-30.6 - Zachary 2008-01-30 15:49:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.283 [GMT -6:00]
Running from: C:\Documents and Settings\Zachary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Zachary\Application Data\AntiSpywareBot
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
hxxp://softworldnetwork2.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-27 10:49 . 2008-01-27 10:49 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-26 15:59 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-26 15:39 . 2008-01-26 16:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-26 15:39 . 2008-01-26 15:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-26 15:39 . 2008-01-26 15:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-26 15:39 . 2008-01-26 15:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-26 11:44 . 2008-01-26 11:44 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Grisoft
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-26 11:43 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-26 10:45 . 2008-01-30 14:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 10:45 . 2008-01-26 10:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 10:45 . 2008-01-26 10:45 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\SUPERAntiSpyware.com
2008-01-26 10:45 . 2008-01-26 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-25 22:20 . 2001-09-20 07:56 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-25 22:15 . 2008-01-25 22:23 816 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-25 19:21 . 2008-01-25 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 19:08 . 2008-01-25 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 18:43 . 2007-09-10 14:00 18,672 --a------ C:\WINDOWS\system32\drivers\antispyfilter.sys
2008-01-25 18:24 . 2008-01-25 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-25 00:51 . 2008-01-25 00:51 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Yahoo!
2008-01-25 00:51 . 2008-01-25 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-24 19:48 . 2008-01-24 19:48 <DIR> d-------- C:\Program Files\MediaEntertainmentCodec
2008-01-24 19:47 . 2008-01-24 13:50 229,376 --a------ C:\WINDOWS\aswmklt.dll
2008-01-24 19:47 . 2008-01-24 13:50 98,304 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-23 23:10 . 2008-01-23 23:13 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-20 15:26 . 2008-01-20 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-20 15:21 . 2008-01-20 15:25 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-03 14:21 . 2005-10-27 15:06 356,096 --a------ C:\WINDOWS\system32\rt61.sys
2008-01-03 14:21 . 2005-10-20 15:00 243,328 --a------ C:\WINDOWS\system32\rt2500.sys
2008-01-03 14:21 . 2008-01-03 14:21 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-03 14:21 . 2005-11-07 03:51 7,878 --a------ C:\WINDOWS\system32\RT2500.CAT
2008-01-03 14:21 . 2005-11-09 04:41 7,870 --a------ C:\WINDOWS\system32\rt61.cat
2008-01-03 14:20 . 2008-01-26 16:35 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-01-03 14:20 . 2008-01-03 14:20 890 --a------ C:\WINDOWS\system32\WLAN.INI
2007-12-20 17:55 . 2007-12-20 17:55 126,976 --a------ C:\WINDOWS\War3Unin.exe
2007-12-20 17:55 . 2007-12-20 17:55 18,127 --a------ C:\WINDOWS\War3Unin.dat
2007-12-20 17:55 . 2007-12-20 17:55 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-12-20 17:51 . 2007-12-20 18:23 <DIR> d-------- C:\Program Files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 01:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-03 20:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ------w C:\WINDOWS\system32\wmasf.dll
2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D}

[HKEY_CLASSES_ROOT\clsid\{27a4fa11-a0b1-4ab7-9a78-bd411fdeaa0d}]
[HKEY_CLASSES_ROOT\elfwgps.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{B45B9F9A-BA41-405F-B99B-3A846DB7E9BE}]
[HKEY_CLASSES_ROOT\elfwgps.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-11-17 09:33 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-08-14 17:48 167936 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 09:33 3022848]
"nwiz"="nwiz.exe" [2003-11-17 09:33 753664 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"= {883C3755-1332-49E2-B94D-496CF04AD7B3} - C:\WINDOWS\bqxomdo.dll [ ]
"aswmklt"= {C46D63D0-9463-4FDC-834D-BDC314E156FB} - C:\WINDOWS\aswmklt.dll [2008-01-24 13:50 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2002-08-14 17:48]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 12:48]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-05-10 14:54]
S3 ndxgthk;ndxgthk;C:\DOCUME~1\Zachary\LOCALS~1\Temp\ndxgthk.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 07:28]

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 15:52:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 15:53:14
ComboFix-quarantined-files.txt 2008-01-30 21:52:50
.
2008-01-23 01:34:34 --- E O F ---






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:25 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.100
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The elfwgps - {27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {76CA9BF9-9868-4249-862D-6F454A48A9CE} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1195842223656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195844887640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: bqxomdo - {883C3755-1332-49E2-B94D-496CF04AD7B3} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {C46D63D0-9463-4FDC-834D-BDC314E156FB} - C:\WINDOWS\aswmklt.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4480 bytes

#4
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello

Open notepad and copy/paste the text in RED below into it:


File::
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\fvqkfsp.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bqxomdo"=-
"aswmklt"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D}"=-


Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt, and a new Hijack log

Thank you
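The entries that loophole's CFScript removes here (the two O21 SSODL registrations and the orphaned elfwgps toolbar) are exactly what a first triage pass over a HijackThis log should surface. The Python script below is an added example, not code from this thread and not a HijackThis or ComboFix feature: it parses lines in HijackThis's `<section> - <description> - <clsid> - <path>` layout and flags two patterns visible in the logs posted above, a load point whose file is already missing, and an in-process DLL (O3 toolbar, O20 Winlogon notify, O21 SSODL) sitting directly in the Windows directory rather than under system32. The sample log is a constructed subset of the lines bronc4294x4 posted; the section set, the regexes and the two rules are this example's own heuristics.

```python
"""Triage pass over HijackThis-format log lines (added example; the heuristics
are this script's own, not a HijackThis feature)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the HijackThis log posted in
# this thread, including two non-entry lines the parser must skip.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The elfwgps - {27A4FA11-A0B1-4AB7-9A78-BD411FDEAA0D} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: bqxomdo - {883C3755-1332-49E2-B94D-496CF04AD7B3} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {C46D63D0-9463-4FDC-834D-BDC314E156FB} - C:\WINDOWS\aswmklt.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# An entry line starts with a section tag such as R1, O3, O21 followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First Windows path ending in a loadable module; non-greedy so it stops at the
# module name even when arguments follow (",NvStartup", "(file missing)").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys|ocx|cpl)\b", re.IGNORECASE)
# Sections whose module is loaded into a trusted host process
# (O3 -> Internet Explorer, O20 -> winlogon.exe, O21 -> explorer.exe).
INPROC_SECTIONS = {"O3", "O20", "O21"}


@dataclass
class Entry:
    section: str
    name: str
    path: Optional[str]
    missing: bool
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section, display name, path and the
    'file missing' marker; returns None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = "(file missing)" in body
    path_m = PATH_RE.search(body)
    path = path_m.group(0) if path_m else None
    # Display name sits between the label ("Toolbar:", "SSODL:") and the first " - ".
    head = body.split(" - ")[0]
    name = head.split(": ", 1)[1] if ": " in head else head
    if name.startswith("[") and "]" in name:      # O4 Run entries: "[ValueName] command"
        name = name[1:name.index("]")]
    return Entry(section, name, path, missing, line.strip())


def in_windows_root(path: str) -> bool:
    """True for C:\\WINDOWS\\x.dll with no subfolder; system modules live under system32."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() in {"windows", "winnt"}


def triage(log_text: str) -> List[Finding]:
    """Apply the two review rules to every entry line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry.missing:
            reasons.append("load point references a file that no longer exists (orphaned registration)")
        if entry.section in INPROC_SECTIONS and entry.path and in_windows_root(entry.path):
            reasons.append("in-process DLL placed directly in the Windows root rather than system32")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Display names of every flagged entry, sorted for stable comparison."""
    return sorted(f.entry.name for f in triage(log_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section} {f.entry.name!r} -> {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The rules are deliberately conservative and produce a review list, not a removal list: a "(file missing)" entry is inert on its own but still worth cleaning up, and the Windows-root rule is limited to the in-process loader sections because legitimate uninstallers and helpers (War3Unin.exe in the ComboFix listing above, for instance) do live there. Anything the script flags still gets the kind of manual look loophole gave these logs before it goes into a CFScript.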

#5
bronc4294x4

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I know that helped a lot; the computer is not as slow now. Here they are. Thanks


ComboFix 08-01-30.6 - Zachary 2008-01-31 6:02:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.296 [GMT -6:00]
Running from: C:\Documents and Settings\Zachary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zachary\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\fvqkfsp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\fvqkfsp.exe

----- BITS: Possible infected sites -----

hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-27 10:49 . 2008-01-27 10:49 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-26 15:59 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-26 15:39 . 2008-01-26 16:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-26 15:39 . 2008-01-26 15:39 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-26 15:39 . 2008-01-26 15:39 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-26 15:39 . 2008-01-26 15:39 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-26 11:44 . 2008-01-26 11:44 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Grisoft
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-26 11:43 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-26 10:45 . 2008-01-30 14:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 10:45 . 2008-01-26 10:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 10:45 . 2008-01-26 10:45 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\SUPERAntiSpyware.com
2008-01-26 10:45 . 2008-01-26 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-25 22:20 . 2001-09-20 07:56 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-25 22:15 . 2008-01-25 22:23 816 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-25 19:21 . 2008-01-25 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 19:08 . 2008-01-25 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 18:43 . 2007-09-10 14:00 18,672 --a------ C:\WINDOWS\system32\drivers\antispyfilter.sys
2008-01-25 18:24 . 2008-01-25 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-25 00:51 . 2008-01-25 00:51 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Yahoo!
2008-01-25 00:51 . 2008-01-25 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-24 19:48 . 2008-01-24 19:48 <DIR> d-------- C:\Program Files\MediaEntertainmentCodec
2008-01-23 23:10 . 2008-01-23 23:13 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-20 15:26 . 2008-01-20 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-20 15:21 . 2008-01-20 15:25 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-03 14:21 . 2005-10-27 15:06 356,096 --a------ C:\WINDOWS\system32\rt61.sys
2008-01-03 14:21 . 2005-10-20 15:00 243,328 --a------ C:\WINDOWS\system32\rt2500.sys
2008-01-03 14:21 . 2008-01-03 14:21 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-03 14:21 . 2005-11-07 03:51 7,878 --a------ C:\WINDOWS\system32\RT2500.CAT
2008-01-03 14:21 . 2005-11-09 04:41 7,870 --a------ C:\WINDOWS\system32\rt61.cat
2008-01-03 14:20 . 2008-01-26 16:35 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-01-03 14:20 . 2008-01-03 14:20 890 --a------ C:\WINDOWS\system32\WLAN.INI
2007-12-20 17:55 . 2007-12-20 17:55 126,976 --a------ C:\WINDOWS\War3Unin.exe
2007-12-20 17:55 . 2007-12-20 17:55 18,127 --a------ C:\WINDOWS\War3Unin.dat
2007-12-20 17:55 . 2007-12-20 17:55 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-12-20 17:51 . 2007-12-20 18:23 <DIR> d-------- C:\Program Files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 01:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-03 20:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ------w C:\WINDOWS\system32\wmasf.dll
2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-11-17 09:33 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-08-14 17:48 167936 C:\WINDOWS\system32\pctspk.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 09:33 3022848]
"nwiz"="nwiz.exe" [2003-11-17 09:33 753664 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2002-08-14 17:48]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 12:48]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-05-10 14:54]
S3 ndxgthk;ndxgthk;C:\DOCUME~1\Zachary\LOCALS~1\Temp\ndxgthk.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 07:28]

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 06:05:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 6:06:13
ComboFix-quarantined-files.txt 2008-01-31 12:05:51
ComboFix2.txt 2008-01-30 21:53:16
.
2008-01-23 01:34:34 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:09 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.100
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {76CA9BF9-9868-4249-862D-6F454A48A9CE} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1195842223656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195844887640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4214 bytes
  • 0

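A HijackThis log of this kind is read by hand in the thread; the following script is an added example (not code from the thread, from HijackThis or from Trend Micro) that parses the same entry format and flags the lines a reviewer would want to verify first. SAMPLE_LOG holds lines copied from the 31 January 2008 log posted above; the flagging rules are this example's own heuristics, so a flag means "confirm this", not "malicious".

```python
"""Triage a HijackThis v2 log: parse each entry and flag the ones worth a second look.

Added example; this is not code from the thread, from HijackThis or from Trend Micro.
SAMPLE_LOG holds lines copied from the 31 Jan 2008 log posted above; the flagging
rules below are this example's own heuristics, not HijackThis verdicts.
"""
import re
from dataclasses import dataclass

# Constructed subset of the posted log, copied verbatim for this example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.100
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", body "HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 bodies that live under the SYSTEM (S-1-5-18) or Default User hive
SYSTEM_HIVE_RE = re.compile(r"^HKUS\\(S-1-5-18|\.DEFAULT)\\")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Xn - ...' line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Apply the heuristics to each entry and return the flagged ones in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "R1" and "AutoConfigURL" in body:
            # A proxy auto-config script decides where every browser request is sent.
            findings.append(Finding(section, "proxy auto-config URL is set; confirm the host is yours", body))
        elif section == "O4" and SYSTEM_HIVE_RE.match(body):
            # A desktop application keyed to run for SYSTEM or for new profiles is unusual.
            findings.append(Finding(section, "autorun under the SYSTEM or Default User hive", body))
        elif section == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe at every logon.
            findings.append(Finding(section, "Winlogon Notify DLL; confirm the vendor", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service binary carries no publisher information", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.entry}")
```

Run against the sample, the script flags the AutoConfigURL entry, the two MySpaceIM autoruns under the SYSTEM and Default User hives, the SUPERAntiSpyware Winlogon Notify DLL and the unsigned PCTEL service, and leaves the HKLM autoruns and the NVIDIA service alone. The point of the hive rule is that a Run key under HKEY_USERS\S-1-5-18 executes in the SYSTEM context; an instant-messaging client there is worth a look even when the binary itself is legitimate.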
#6
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Looking a lot better.

Let's get the Recovery Console installed before we go any further.

Also, what does your desktop background look like (i.e. is it still red, or white, or normal)?

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System (XP SP2).

Download the file & save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#7
bronc4294x4
    New Member
  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here is the log. Thanks.

Sorry, it has a normal screen.


WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Edited by bronc4294x4, 31 January 2008 - 07:34 AM.

  • 0

#8
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
That is perfect :)

Let's go to the final clean-up.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt. Please post the log along with a new HijackThis log.

  • 0

#9
bronc4294x4
    New Member
  • Topic Starter
  • Member
  • Pip
  • 7 posts
When Dr.Web was complete, I chose "Select All" and then "Cure". But when I selected Cure it asked me to Delete, Move or Rename, so I selected Move. Anyway, here is the log file. Thanks again.

Process.exe;C:\Documents and Settings\Zachary\Desktop\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\Zachary\Desktop\SmitfraudFix;Tool.ShutDown.11;Moved.;
A0000179.bat;C:\System Volume Information\_restore{6CAC8781-D14A-4E3D-BB38-7856283498EC}\RP10;Probably BATCH.Virus;Moved.;
A0000220.bat;C:\System Volume Information\_restore{6CAC8781-D14A-4E3D-BB38-7856283498EC}\RP11;Probably BATCH.Virus;Moved.;
A0000121.bat;C:\System Volume Information\_restore{6CAC8781-D14A-4E3D-BB38-7856283498EC}\RP9;Probably BATCH.Virus;Moved.;



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:25 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.100
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-21-3826821714-1779672970-72185382-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3826821714-1779672970-72185382-1003\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe (User '?')
O4 - HKUS\S-1-5-21-3826821714-1779672970-72185382-1003\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {76CA9BF9-9868-4249-862D-6F454A48A9CE} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1195842223656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1195844887640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4640 bytes
  • 0

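The DrWeb.csv posted above has a simple layout (name;folder;threat;action;), and the interesting question is not how many hits there were but where they sit. Three of the five are copies inside System Restore snapshots (the _restore{GUID}\RPnn folders under System Volume Information), which is exactly why the next instruction in this thread is to flush System Restore; the other two are in the SmitfraudFix folder, i.e. components of the removal tool the poster ran earlier, flagged under Tool.* classifications. The script below is an added example (not code from the thread or from Dr.Web) that reads the report and sorts hits into those classes; the five sample lines are copied from the post, and the classification rules are this example's own.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) and decide what still needs doing.

Added example; not code from the thread or from Dr.Web. SAMPLE_REPORT holds the five
lines posted above. The field layout (name;folder;threat;action;) is read off those
lines, and the classification rules are this example's own.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# The five records from the posted DrWeb.csv (constructed copy for this example).
SAMPLE_REPORT = r"""
Process.exe;C:\Documents and Settings\Zachary\Desktop\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\Zachary\Desktop\SmitfraudFix;Tool.ShutDown.11;Moved.;
A0000179.bat;C:\System Volume Information\_restore{6CAC8781-D14A-4E3D-BB38-7856283498EC}\RP10;Probably BATCH.Virus;Moved.;
A0000220.bat;C:\System Volume Information\_restore{6CAC8781-D14A-4E3D-BB38-7856283498EC}\RP11;Probably BATCH.Virus;Moved.;
A0000121.bat;C:\System Volume Information\_restore{6CAC8781-D14A-4E3D-BB38-7856283498EC}\RP9;Probably BATCH.Virus;Moved.;
"""

# System Restore keeps the files it snapshotted under
# <drive>\System Volume Information\_restore{GUID}\RPnn; a hit there is a snapshot copy,
# not a live file, and it comes back if that restore point is ever applied.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)$"
)


@dataclass(frozen=True)
class Detection:
    name: str
    folder: str
    threat: str
    action: str


def parse_report(text):
    """Parse the semicolon-separated report; blank lines and short rows are skipped."""
    detections = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4:
            continue
        name, folder, threat, action = (field.strip() for field in row[:4])
        detections.append(Detection(name, folder, threat, action))
    return detections


def classify(det):
    """'riskware-tool': a Tool.* classification (here, SmitfraudFix's own helpers);
    'restore-point-copy': a file inside a System Restore snapshot; otherwise 'live'."""
    if det.threat.startswith("Tool."):
        return "riskware-tool"
    if RESTORE_POINT_RE.search(det.folder):
        return "restore-point-copy"
    return "live"


def summarise(text):
    """Counts per class, the restore points that held hits, and what is left to do."""
    classes = [(det, classify(det)) for det in parse_report(text)]
    restore_points = {
        RESTORE_POINT_RE.search(det.folder).group(1)
        for det, cls in classes if cls == "restore-point-copy"
    }
    return {
        "total": len(classes),
        "counts": dict(Counter(cls for _, cls in classes)),
        # numeric sort so RP9 comes before RP10
        "restore_points": sorted(restore_points, key=lambda rp: int(rp[2:])),
        # Snapshots holding infected files must be purged, or a restore brings them back.
        "flush_system_restore": bool(restore_points),
        "live_threats": [det.name for det, cls in classes if cls == "live"],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

For the posted report the summary is two riskware-tool hits, three restore-point copies spread over RP9, RP10 and RP11, no live detections, and flush_system_restore set, which matches the thread's next step. Keeping the Tool.* class separate matters in practice: moving Process.exe and restart.exe out of the SmitfraudFix folder breaks that tool, and treating them as a sign of infection misreads the report.
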
#10
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Good.

Follow these directions for flushing System Restore.

How is everything running?
  • 0

#11
bronc4294x4
    New Member
  • Topic Starter
  • Member
  • Pip
  • 7 posts
Done.

Seems to be running a lot better. This is a computer in my boys' room. Going to have to invest in a Parental Control Program. lol

Thanks for the help
  • 0

#12
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts

"Going to have to invest in a Parental Control Program. lol"

:)

Good luck to you, and good luck with the boys.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein -> Here
  • 0

#13
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
