Lots of viruses and malware [RESOLVED]



#16 MatrixEquilibrium (Member, Topic Starter, 329 posts)
Hello again :)

I'll post the two logs in separate posts to make it easier.

Smit log:

SmitFraudFix v2.309

Scan done at 21:00:10.56, Thu 04/03/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\tmp???????.exe FOUND !
C:\Program Files\tmp?.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.77.130
DNS Server Search Order: 68.87.72.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A90CBBE5-BF0D-415E-974D-EF5AD7631891}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A90CBBE5-BF0D-415E-974D-EF5AD7631891}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A90CBBE5-BF0D-415E-974D-EF5AD7631891}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
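What a helper is actually reading off a SmitFraudFix log like the one above: the signature hits (`FOUND !`), anything in the hosts file beyond the loopback entries, a non-empty AppInit_DLLs value, a Winlogon Userinit or System value that is not the XP default, and a static DNS server that differs from what DHCP handed out. The script below is an added example, not part of the thread and not SmitFraudFix's own code. Its sample log is constructed from the format of the log above: the Winlogon, AppInit_DLLs and `FOUND !` lines mirror the original, while the extra hosts entry and the `NameServer` line (203.0.113.x is a documentation range) are added to exercise the checks and say nothing about the poster's machine.

```python
import re

# Constructed sample in SmitFraudFix log format. The hosts entry for
# update.example.com and the static NameServer line are added to exercise
# the checks; the other values mirror the log posted in the thread.
SAMPLE_LOG = r"""SmitFraudFix v2.309
Fix run in normal mode

»»» hosts

127.0.0.1 localhost
127.0.0.1 update.example.com

»»» C:\Program Files

C:\Program Files\tmp???????.exe FOUND !
C:\Program Files\tmp?.exe FOUND !

»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»» Winlogon

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{GUID}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{GUID}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{GUID}: NameServer=203.0.113.53 203.0.113.54

»»» End
"""

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"   # XP default, trailing comma included
SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DNS_RE = re.compile(r"^HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\Tcpip\\.*?:\s*"
                    r"(?P<key>DhcpNameServer|NameServer)=(?P<servers>.*)$")


def split_sections(log_text):
    """Group non-empty lines under the »»» heading they appear beneath."""
    sections, current = {"header": []}, "header"
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        line = raw.strip()
        if line and not line.startswith("!!!"):
            sections[current].append(line)
    return sections


def reg_values(lines):
    """Read Name=Value pairs from a .reg-style dump, undoing the backslash doubling."""
    out = {}
    for line in lines:
        m = REG_VALUE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return out


def triage(log_text):
    """Return (rule, detail) findings a helper would want to look at first."""
    sections = split_sections(log_text)
    findings = []
    # Files matched by SmitFraudFix's own signatures, wherever they appear.
    for lines in sections.values():
        for line in lines:
            if line.endswith("FOUND !"):
                findings.append(("file", line[:-len("FOUND !")].strip()))
    # hosts: rogue-AV families point vendor and update sites at loopback.
    for line in sections.get("hosts", []):
        if line.lower() not in ("127.0.0.1 localhost", "::1 localhost"):
            findings.append(("hosts", line))
    # AppInit_DLLs is loaded into every process that links user32.dll.
    appinit = reg_values(sections.get("AppInit_DLLs", []))
    if appinit.get("AppInit_DLLs"):
        findings.append(("appinit_dlls", appinit["AppInit_DLLs"]))
    # Winlogon: Userinit must be exactly the default, System must stay empty.
    winlogon = reg_values(sections.get("Winlogon", []))
    if winlogon.get("Userinit", "").lower() != DEFAULT_USERINIT:
        findings.append(("winlogon_userinit", winlogon.get("Userinit", "")))
    if winlogon.get("System"):
        findings.append(("winlogon_system", winlogon["System"]))
    # DNS: a static NameServer that does not match the DHCP-assigned set is either
    # a deliberate manual setting or a DNS changer; verify it either way.
    dns = {}
    for line in sections.get("DNS", []):
        m = DNS_RE.match(line)
        if m:
            dns.setdefault(m.group("cs"), {})[m.group("key")] = tuple(m.group("servers").split())
    dhcp_sets = {v["DhcpNameServer"] for v in dns.values() if "DhcpNameServer" in v}
    for cs, keys in sorted(dns.items()):
        static = keys.get("NameServer")
        if static and static not in dhcp_sets:
            findings.append(("dns_override", f"{cs}: {' '.join(static)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:18} {detail}")
```

Run against the constructed sample it reports the two `tmp*.exe` hits, the extra hosts entry and the static DNS override on ControlSet001, and nothing for Winlogon or AppInit_DLLs, which is the same clean picture the posted log shows for those keys. A static DNS finding still has to be checked by hand: a user who set OpenDNS or Google DNS will trip it just as a DNS changer will.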

#17 MatrixEquilibrium (Member, Topic Starter, 329 posts)
As for the other program, no log tab appeared at the top and no file names showed up.

#18 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Boot to safe mode (restart, then press F8 on startup).
Run SmitFraudFix using option #2. Allow it to repair any registry items if it is requested.
Sorry for the sloppy reply, working on something :)
Post results.

#19 MatrixEquilibrium (Member, Topic Starter, 329 posts)
It's all good
:)

By the way, instead of doing all this, wouldn't a system restore point have been more efficient? I'm not sure exactly how it works, but does it remove all new files/settings, etc.?

SmitFraudFix v2.309

Scan done at 21:40:23.64, Thu 04/03/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\tmp???????.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A90CBBE5-BF0D-415E-974D-EF5AD7631891}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A90CBBE5-BF0D-415E-974D-EF5AD7631891}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A90CBBE5-BF0D-415E-974D-EF5AD7631891}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#20 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

By the way, instead of doing all this, wouldn't a system restore point have been more efficient?

Nope, restore points get corrupted with some malware, and if something is resident on your machine that does not want to be moved on sys restore, it's there to stay.



Give the machine a reboot, poke around a bit on the web. If there is a security popup, get the name of what's flagged and let me know.

H :)

#21 MatrixEquilibrium (Member, Topic Starter, 329 posts)
Thanks for explaining, I knew if system restore was the correct way then you'd have thought of it. :)

Anyway, I poked around, nothing big.
However, I quick-scanned with AVG and Spybot and found these names:
TrackingCookie.YieldManager
TrackingCookie.Statcounter
TrackingCookie.Adbrite
TrackingCookie.Questionmarket
TrackingCookie.Imrworldwide
TrackingCookie.Tribalfusion
TrackingCookie.Atdmt
TrackingCookie.2o7
TrackingCookie.Euroclick
TrackingCookie.Pointroll
TrackingCookie.Serving-sys
TrackingCookie.Overture
TrackingCookie.Realmedia
TrackingCookie.Revsci
TrackingCookie.Tacoda

Any idea what these are..?

#22 harrythook (Trusted Helper, Retired Staff, 2,618 posts)

Any idea what these are..?

Just some cookies that get loaded; ATF or SAS gets rid of them.

Mind if I keep you on hold for a bit, got some work to do. Use the machine and let me know :)

Harry

#23 MatrixEquilibrium (Member, Topic Starter, 329 posts)
ok

How long is 'hold' exactly? :) I really need to get this running smoothly again, it's really REALLY laggy and slow.

#24 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hey Matrix,
Let's run ComboFix one more time so I can see the log, then we will unload some of the tools we used.
First run ATF:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Then run ComboFix, post that log and a fresh HJT log.

Harry

#25 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Err, still there Matrix???

#26 MatrixEquilibrium (Member, Topic Starter, 329 posts)
Oh...my god.

I am SO sorry. The last time I received a message from notifications about the response posted, I checked and didn't see anything. I think it was because I only looked at the first page and didn't think about it. I thought you were putting me on 'hold' so I didn't say anything. I apologize, Harry!

Computer's been running great since, I really appreciate it. Here's a fresh HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:57 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3260 bytes
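The HijackThis log above is a list of persistence points (Winlogon's UserInit, browser helper objects, Run keys, services), and a helper reads it by asking, for each entry, whether the binary lives where a legitimate one would and whether a registration still has a file behind it. The script below does that mechanically. It is an added example, not part of the thread and not HijackThis's own code; it assumes the HJT v2 line formats shown above. Its sample reuses entries from the posted log, including the `{7E853D72-...}` BHO marked `(no file)`, which is a leftover registration with no DLL behind it rather than running code; the `svchost` Run entry and the `updsvc` service are constructed to exercise the location checks and are not from the poster's machine.

```python
import re

# Constructed sample in HijackThis log format. Most lines mirror the log posted
# in the thread; the [svchost] Run entry and the updsvc service are invented
# here so that the location and lookalike checks have something to catch.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Administrator\Application Data\svchost.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Updater (updsvc) - Unknown owner - C:\Documents and Settings\Administrator\Local Settings\Temp\updsvc.exe
"""

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# First token of a command line, quoted or not, up to its file extension.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)

# Names malware borrows, and the only directory each legitimately lives in on XP.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Roots an autorun or service binary is expected under (8.3 form included).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files", "c:\\progra~1")


def check_path(label, path):
    """Flag binaries outside the trusted roots and system-name lookalikes."""
    p = path.lower()
    out = []
    if not p.startswith(TRUSTED_ROOTS):
        out.append(("nonstandard_location", f"{label}: {path}"))
    directory, _, base = p.rpartition("\\")
    if base in SYSTEM_BINARY_DIRS and directory != SYSTEM_BINARY_DIRS[base]:
        out.append(("masquerade", f"{label}: {path}"))
    return out


def triage_hjt(log_text):
    """Return (rule, detail) findings from the F2, O2, O4 and O23 lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            if m.group("val").lower().rstrip(",") != DEFAULT_USERINIT:
                findings.append(("userinit", m.group("val")))
        elif m := O2_RE.match(line):
            if m.group("path") == "(no file)":
                # CLSID still registered but its DLL is gone: leftover, not active code.
                findings.append(("orphan_bho", m.group("clsid")))
            else:
                findings += check_path("bho:" + m.group("clsid"), m.group("path"))
        elif m := O4_RE.match(line):
            if e := EXE_RE.match(m.group("cmd")):
                findings += check_path("run:" + m.group("name"), e.group("path"))
        elif m := O23_RE.match(line):
            # HJT prints "Unknown owner" when the binary's version info names no company.
            if m.group("vendor") == "Unknown owner":
                findings.append(("unknown_owner", m.group("name")))
            findings += check_path("service:" + m.group("name"), m.group("path"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_hjt(SAMPLE_HJT):
        print(f"{rule:22} {detail}")
```

On the constructed sample this yields five findings: the orphaned BHO, the `svchost.exe` under Application Data (flagged twice, for its location and for borrowing a system binary's name), and the Temp-resident service with no vendor string; every entry taken from the real log comes back clean, matching Harry's "log looks good". The location rule is a prompt to look, not a verdict: plenty of legitimate software autoruns from a user profile, which is why the output carries the full path rather than a yes/no.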

#27 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
No worries MatrixEquilibrium,
We just kinda hang around and wait for a reply, I have to put a post in every now and then or the thread gets closed.
Log looks good, and if there's nothing else going on there I am going to close this one.
I know you know how to get me if there are other problems :)

Let me know.

Harry

#28 MatrixEquilibrium (Member, Topic Starter, 329 posts)
Ok, thanks for everything Harry. :)

Maybe in the future I'll be on your side, lol. I'm going into Computer Engineering I think. Still didn't decide.

Thanks again. :)

#29 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.