
TROJAN VIRUS PSW.ONLINE GAMES Infection in my PC.Help! [RESOLVED]


  • This topic is locked

#16 kuihkociboy (Member, Topic Starter, 14 posts)

Good morning, lad

1) Below here is the Combofix Log:-


ComboFix 08-02-25.3 - Administrator 2008-02-27 10:44:18.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.148 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-27 01:40 . 2008-02-27 01:40 <DIR> d-------- C:\fixwareout
2008-02-26 23:00 . 2008-02-26 23:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-26 23:00 . 2008-02-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-26 21:56 . 2008-02-26 21:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-26 21:51 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-26 12:35 . 2008-02-26 12:35 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 09:40 34,904 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-28 19:41 13312]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAM Idle"="C:\Program Files\Customizer XP\RAMIdle.exe" [2002-05-01 12:29 104960]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 17:52 128000 C:\WINDOWS\system32\sbusbdll.dll]
"WMC_AutoUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2005-12-26 08:20 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-12-25 16:27 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2002-08-28 23:16]
S2 MSDCOMClient16;DCOM Service Process Manager;C:\WINDOWS\System32\svchost.exe [2001-08-23 04:00]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\System32\DRIVERS\sbusb.sys [2005-06-10 09:39]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MSDCOMClient16
enqe
MSDCOMClient32

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 10:46:18
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-27 10:47:23
ComboFix-quarantined-files.txt 2008-02-27 02:47:20
ComboFix4.txt 2008-02-26 04:51:16
ComboFix3.txt 2008-02-26 14:16:22
ComboFix2.txt 2008-02-26 17:30:58

2) This is the Malwarebytes' Anti-Malware log:-

Malwarebytes' Anti-Malware 1.05
Database version: 414

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 37688
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\newsadvpusher.brlogic (Adware.CPush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newsadvpusher.brlogic.1 (Adware.CPush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newscocomediumspop.popcoco (Adware.CPush) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newscocomediumspop.popcoco.1 (Adware.CPush) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Program Files\Common Files\CPUSH\Uninst.exe.vir (Malware.Trace) -> Quarantined and deleted successfully.

3) For the IceSword application, I did not find any messages or words red in colour. Is that good news? By the way, below here are the individual results of each category:-

a) Processes
Process:

System Idle Process
System
C:\Documents and Settings\Administrator\Desktop\IceSword.exe
C:\WINDOWS\System32\SMSS.EXE
C:\WINDOWS\System32\CSRSS.EXE
C:\WINDOWS\System32\WINLOGON.EXE
C:\WINDOWS\System32\SERVICES.EXE
C:\WINDOWS\System32\LSASS.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\SPOOLSV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Customizer XP\RAMIdle.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\CTFMON.EXE
C:\Program Files\Grisoft\AVG7\AVGAMSVR.EXE
C:\Program Files\Grisoft\AVG7\AVGUPSVC.EXE
C:\Program Files\Grisoft\AVG7\AVGEMC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\System32\DEVLDR32.EXE
C:\WINDOWS\System32\SVCHOST.EXE
C:\WINDOWS\System32\WDFMGR.EXE

b) Services

Started Service:

Service Name:AudioSrv Display Name:Windows Audio
Service Name:Avg7Alrt Display Name:AVG7 Alert Manager Server
Service Name:Avg7UpdSvc Display Name:AVG7 Update Service
Service Name:AVGEMS Display Name:AVG E-mail Scanner
Service Name:Browser Display Name:Computer Browser
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:Dhcp Display Name:DHCP Client
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Messenger Display Name:Messenger
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:uploadmgr Display Name:Upload Manager
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration

c) Startup

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RAM Idle
C:\Program Files\Customizer XP\RAMIdle.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SbUsb AudCtrl
RunDll32 sbusbdll.dll,RCMonitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WMC_AutoUpdate


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\System32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BitComet
"C:\Program Files\BitComet\BitComet.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BitTorrent
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE (Remark: Microsoft Office StartUp)

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
desktop.ini


4) SSDT - there are no red highlighted words, and I could not create a log file (don't know why). By the way, I have a screenshot of this category, please have a look...
SSDT.JPG

5) Message Hook - same as SSDT, there are re entries. I could not create a log as well. So, I did another screenshot just for your information. There are some Process Paths that are labelled WH_KEYBOARD under the Type column. They are....

C/WINDOWS/EXPLORER.EXE
C/WINDOWS/System32/RUNDLL32.exe
C/WINDOWS/System32/CTFMON.exe
C/Program Files/Customizer XP/RAMIdle.exe
C/WINDOWS/System32/DEVLDR32.exe

message_hook.JPG

What's next? I really hope to solve this matter by today, if possible!

Thanks again for your continuous effort to help me!

Kuihkociboy


#17 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Your logs are clean! We need to do a few things.

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-Spyad here.

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' Here.

Thank you for your patience, and performing all of the procedures requested.

#18 kuihkociboy (Member, Topic Starter, 14 posts)

Hi Rorschach!

Sorry for my late reply, my internet connection was bad last night, so I couldn't surf the internet.

Are you sure my PC is already cleaned up? 'Cos my AVG Virus Vault is still filled with 336 viruses. Should I do another AVG scan again??? I'm using the Maxthon browser. Do you think it's okay?

#19 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Yes, your PC is clean.

Are you having any problems?

Don't worry about the infections in AVG's virus vault.

#20 kuihkociboy (Member, Topic Starter, 14 posts)

Hi,

The computer is fine, no more popped-up error before my Desktop appears.

I have bad news. I did an AVG scan, and I found a virus named TROJAN HORSE GENERIC DOWNLOADER GENERIC 6.ZUB. I am still waiting for the scan to complete. So, what shall I do next? I have to be away for 2 hours after this post, because I have to attend my tuition class. I'll be back as soon as I can to resolve this issue. You can post your reply anytime soon. By the way, I have done a screenshot of the scan, have a look:-

bad_girl.JPG

I really appreciate your assistance so far.

Kuihkociboy

Edited by kuihkociboy, 27 February 2008 - 06:24 PM.


#21 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, delete the file C:\windows\system32\d99er4p.dll


Reboot and tell me if the file is there in Normal Mode.

Also tell me how your PC is running.

#22 kuihkociboy (Member, Topic Starter, 14 posts)

Hi, Rorschach112
I have more bad news for both of us. My AVG scan completed the whole scan and found 14 viruses, of which 13 have been deleted and one moved to the virus vault. My computer is quite slow in opening files or the internet browser (I don't know if it is because of the viruses, or my computer is really damned already!!)

I am afraid these viruses would replicate again. By the way, here are some screenshots for you to see.
1.JPG 2.JPG
I haven't performed your latest request of deleting the trojan generic file because I want to accumulate and scan for more viruses. I will keep you updated on my current situation. Please inform me what to do next. Thank you.

#23 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

I wouldn't worry about those, they are files we have fixed with the other tools. If you followed my previous steps they would be deleted.

So please follow my steps in Post #17 and #21.

#24 kuihkociboy (Member, Topic Starter, 14 posts)

Hi Rorschach112,

I did the request as in Post #17. For Post #21, I cannot seem to find the infected file C:\windows\system32\d99er4p.dll in safe mode. Has it been deleted by the AVG scanner??? I think it is in the Virus Vault.

So is everything back to normal again???

And, just wanna ask a few questions about the other softwares besides the Combofix, can I uninstall them?

Anyway, I would thank you very very very much. You did a really good and quick job on assisting me. :) :) :) Without you, I think I would have trashed my computer into the rubbish dump!

You are a genius, since you are only 3 years older than me, but you are a malware specialist!!! :) Unfortunately, I am planning to pursue my studies in the Science field, if not maybe you could be my GURU!

I would also like to thank the Geeks2go forum for giving me a place to post my problem and giving me an opportunity to fix my PC.

Keep on doing what you guys are doing!!! Geeks rule!!

Kuihkociboy :) Too happy!

#25 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Yes, everything is back to normal.

few questions about the other softwares besides the Combofix, can I uninstall them?

Yes

Thank you for the kind words.

Let me know if you have any more questions, I will close the thread if you don't.


#26 kuihkociboy (Member, Topic Starter, 14 posts)

Just one more last question, then you can close the thread.

I have just completed my AVG scan and found a file named hosts which has a blue icon, and it's labelled under the Results/Infection column as Change. Is it okay???

Yeah, I think that's about it. If there is any other recurring problem (hopefully not), can I contact you, is it okay? Thanks again!

#27 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Yes, that is fine.

Feel free to contact me if you have any visible problems.
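The hosts-file protection recommended in post #17 works by mapping known bad hostnames to 127.0.0.1 (the local machine), which is also why a scanner later reports the hosts file as changed, as in post #26. The following Python script is an added example, not code from this thread or from the MVPS project: it parses a hosts file and separates entries sinkholed to the local machine (the harmless block-list pattern) from entries that send a hostname to some other address, which for a legitimate site is the pattern a tampered hosts file shows. The file content is constructed for the example; the .test hostnames and the 203.0.113.7 address are placeholders.

```python
import ipaddress

# Constructed sample hosts file for this example (not a real MVPS file).
# The block-list lines mimic what an MVPS-style hosts file adds; the last
# entry is a constructed hijack that points a legitimate host at a
# non-local address (203.0.113.7 is a documentation-range placeholder).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [Start of entries added by an MVPS-style block list, constructed]
127.0.0.1  ads.example-adserver.test
127.0.0.1  tracker.example-adnet.test   # ad tracker
0.0.0.0    popup.example-cpush.test
# [constructed hijack-style entry]
203.0.113.7  windowsupdate.microsoft.com
"""

# Addresses that send a hostname to the local machine, i.e. nowhere.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored; a line
    whose first field is not a valid IP address is skipped as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((fields[0], host.lower()))
    return entries


def classify_hosts(text):
    """Split entries into 'blocked' (sinkholed locally, the harmless
    block-list pattern) and 'redirected' (hostname sent to another
    address, which for a legitimate site is the hijack pattern)."""
    blocked, redirected = [], []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip in LOCAL_SINKS:
            blocked.append(host)
        else:
            redirected.append((host, ip))
    return {"blocked": blocked, "redirected": redirected}
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts and pass its text to classify_hosts; a long "blocked" list after installing MVPS is expected, while anything in "redirected" deserves a look.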

#28 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Since this issue appears to be resolved... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.