
Windows Security Center (virus) [CLOSED]


  • This topic is locked

#1
khalid150
    New Member, 1 posts
Hi,

I am having some sort of virus with balloon popups (Windows Security Center) in the bottom bar and it shows (UltimateFixer, SystemDefender, SysCleaner)

I used ComboFix based on someone else's post and this is my ComboFix log:

ComboFix 08-05-21.3 - xp 2008-05-24 19:32:54.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.180 [GMT 3:00]
Running from: C:\Documents and Settings\xp\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 13:18 . 2008-05-24 13:18 <DIR> d-------- C:\Program Files\Uniblue
2008-05-24 13:18 . 2008-05-24 13:18 <DIR> d-------- C:\Documents and Settings\xp\Application Data\Uniblue
2008-05-24 13:10 . 2008-05-24 13:32 3,366 --a------ C:\avexport.bat
2008-05-24 00:07 . 2008-05-24 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-05-24 00:01 . 2008-05-24 00:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-24 00:00 . 2008-05-24 13:05 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-24 00:00 . 2008-05-24 00:00 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-24 00:00 . 2008-05-24 13:05 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-23 23:59 . 2008-05-23 23:59 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-23 23:59 . 2008-05-23 23:59 <DIR> d-------- C:\Program Files\AVG
2008-05-23 23:59 . 2008-05-23 23:59 <DIR> d-------- C:\Documents and Settings\xp\Application Data\AVGTOOLBAR
2008-05-23 23:59 . 2008-05-23 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-23 23:59 . 2008-05-24 00:00 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 23:56 . 2008-05-23 23:56 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-23 20:51 . 2008-05-23 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-23 15:31 . 2008-05-23 15:31 <DIR> d-------- C:\Documents and Settings\xp\Application Data\Grisoft
2008-05-23 15:30 . 2008-05-23 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-23 15:30 . 2007-05-30 15:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-23 15:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-23 15:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-23 15:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-23 15:20 . 2008-05-23 15:20 <DIR> d-------- C:\Documents and Settings\xp\Application Data\Simply Super Software
2008-05-23 15:20 . 2008-05-23 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-23 15:20 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-23 15:20 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-23 15:20 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-23 15:20 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-23 15:11 . 2008-05-23 15:11 <DIR> d-------- C:\Documents and Settings\xp\Application Data\SysCleaner
2008-05-23 14:57 . 2008-05-23 14:58 2,606 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 14:54 . 2008-05-23 14:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 15:02 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-30 15:02 . 2008-05-01 10:54 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-30 14:47 . 2008-04-30 14:47 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-29 17:15 . 2008-04-29 17:15 <DIR> d--h----- C:\WINDOWS\system32\.6026b471
2008-04-29 17:15 . 2008-04-29 17:15 249,344 --a------ C:\WINDOWS\system32\rhdcxmnc.dll
2008-04-29 16:42 . 2008-04-29 16:43 64 --a------ C:\WINDOWS\Tafsserlib2005.ldb
2008-04-24 12:50 . 2008-04-24 12:50 <DIR> d-------- C:\Program Files\RegCure
2008-04-24 12:48 . 2008-04-24 12:48 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-24 12:41 . 2008-04-24 12:41 <DIR> d-------- C:\Program Files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 14:05 --------- d-----w C:\Program Files\Google
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-24_19.08.35.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 14:46:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 16:11:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-24 14:50:32 40,326 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-24 16:15:52 40,326 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-24 14:50:32 311,938 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-24 16:15:52 311,938 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-24 13:05 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-24 13:05 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-24 13:05 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 21:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 21:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 21:10 114688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-09 16:35 180269]
"SlipStream"="C:\Program Files\iZone Internet Turbo\izone.exe" [2006-11-25 17:15 241664]
"Zooming"="ZoomingHook.exe" [2005-06-06 09:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 10:31 118784]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-05-23 15:40 6731312]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-24 13:05 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 21:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
iZone Internet Turbo.lnk - C:\Program Files\iZone Internet Turbo\izgui.exe [2007-08-28 16:45:26 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rhdcxmnc]
rhdcxmnc.dll 2008-04-29 17:15 249344 C:\WINDOWS\system32\rhdcxmnc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6026b471]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 21:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-08-09 16:35 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-24 00:00]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-24 00:00]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 23:59]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-24 13:05]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-24 13:05]
S2 6026b471;Microsoft DDE+ server;C:\WINDOWS\system32\.6026b471\6026b471.exe []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-24 12:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 00:00:50 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-24 16:11:58 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-15 02:10:54 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-24 16:11:54 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 19:34:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rhdcxmnc.dll
.
Completion time: 2008-05-24 19:34:58
ComboFix-quarantined-files.txt 2008-05-24 16:34:54
ComboFix3.txt 2008-05-24 16:08:58
ComboFix2.txt 2008-05-24 16:29:32

Pre-Run: 12,049,563,648 bytes free
Post-Run: 12,040,011,776 bytes free

171 --- E O F --- 2008-05-23 12:28:04


Assistance will be appreciated


Sincerely,

KHALID

Edited by khalid150, 24 May 2008 - 11:04 AM.
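The log above contains the entries a responder looks at first: Security Center notification values set to 1, a Winlogon Notify package pointing at a recently created DLL in system32, a service with no file timestamp running from a dot-prefixed directory and also registered under SafeBoot\Minimal, and that same DLL loaded inside winlogon.exe. The following Python triage script is an added example, not part of this thread and not code from ComboFix, HijackThis or SmitfraudFix; it reads the "Reg Loading Points", service and loaded-DLL sections of such a log and flags those patterns. The sample lines are copied from the log posted above; the rule names and the heuristics (empty timestamp, `\.` in the path, eight-hex-digit service name) are my own choices.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# reduced to the sections the triage rules below read.
SAMPLE_LOG_LINES = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rhdcxmnc]",
    r"rhdcxmnc.dll 2008-04-29 17:15 249344 C:\WINDOWS\system32\rhdcxmnc.dll",
    r"",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6026b471]",
    r'@="Service"',
    r"",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    r'"AntiVirusDisableNotify"=dword:00000001',
    r'"UpdatesDisableNotify"=dword:00000001',
    r"",
    r"R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-24 00:00]",
    r"S2 6026b471;Microsoft DDE+ server;C:\WINDOWS\system32\.6026b471\6026b471.exe []",
    r"S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-24 12:48]",
    r"",
    r"PROCESS: C:\WINDOWS\system32\winlogon.exe",
    r"-> C:\WINDOWS\system32\rhdcxmnc.dll",
]

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix service line: "<R|S><n> name;display name;path [file timestamp]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$"
)
# Winlogon Notify entry: "name.dll date time size full\path\name.dll"
NOTIFY_DLL_RE = re.compile(r"(?P<dll>\S+\.dll)\s+\S+\s+\S+\s+\d+\s+(?P<path>.+)$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"(?P<key>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.IGNORECASE)
# Security Center values that, when 1, silence the "no antivirus / no updates" warnings.
SECURITY_CENTER_KEYS = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def triage(lines):
    """Walk the log once, tracking the current registry section, and return a
    list of (severity, rule, detail) tuples for entries worth a second look."""
    findings = []
    section = ""            # lower-cased key of the [ ... ] block we are inside
    safeboot_names = set()  # service names registered under SafeBoot\Minimal
    services = []           # parsed service lines, checked after the walk
    notify_dlls = {}        # lower-cased DLL path -> Winlogon Notify package name
    winlogon_dlls = []      # DLLs listed under "PROCESS: ...\winlogon.exe"
    in_winlogon = False
    for raw in lines:
        line = raw.strip()
        if not line:                     # blank line ends the current section
            section, in_winlogon = "", False
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            if "\\safeboot\\minimal\\" in section:
                safeboot_names.add(section.rsplit("\\", 1)[1])
            continue
        if section.endswith("\\security center"):
            km = DWORD_RE.match(line)
            if km and km.group("key") in SECURITY_CENTER_KEYS and int(km.group("val"), 16) == 1:
                findings.append(("high", "security-center-notify-disabled", km.group("key")))
            continue
        if "\\winlogon\\notify\\" in section:
            nm = NOTIFY_DLL_RE.match(line)
            if nm:
                notify_dlls[nm.group("path").lower()] = section.rsplit("\\", 1)[1]
                findings.append(("high", "winlogon-notify-package", nm.group("path")))
            continue
        sm = SERVICE_RE.match(line)
        if sm:
            services.append(sm.groupdict())
            continue
        if line.upper().startswith("PROCESS:"):
            in_winlogon = line.lower().endswith("\\winlogon.exe")
            continue
        if in_winlogon and line.startswith("->"):
            winlogon_dlls.append(line[2:].strip())

    for svc in services:
        name, path, stamp = svc["name"], svc["path"], svc["stamp"]
        reasons = []
        if not stamp:
            reasons.append("no file timestamp (file missing or unreadable)")
        if "\\." in path:
            reasons.append("runs from a dot-prefixed directory")
        if re.fullmatch(r"[0-9a-f]{8}", name, re.IGNORECASE):
            reasons.append("eight-hex-digit service name")
        if name.lower() in safeboot_names:
            reasons.append("also registered under SafeBoot\\Minimal (starts in Safe Mode)")
        if reasons:
            findings.append(("high", "suspicious-service", name + ": " + "; ".join(reasons)))
    for dll in winlogon_dlls:
        if dll.lower() in notify_dlls:
            findings.append(("info", "notify-dll-loaded-in-winlogon", dll))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG_LINES):
        print(f"[{severity}] {rule}: {detail}")
```

Run on the sample, it reports the two Security Center values, the rhdcxmnc Winlogon Notify package, the 6026b471 service (no timestamp, dot-prefixed directory, hex name, SafeBoot entry) and the fact that the Notify DLL is loaded in winlogon.exe, while the AVG and TuneUp services produce nothing. The rules are heuristics for ordering a manual review, not a verdict; a real check still means looking up the file and submitting it to the helper, as the thread does.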


#2
koko_crunch
    Trusted Helper (Retired Staff), 1,751 posts
Hello khalid150 and Welcome to Geeks to Go!

Sorry for the long wait, busy week.

After checking your log, I found signs of malware on your system.
Please stick with me until we get you cleaned up. :)

Please read this post completely before proceeding with the fix. If you have questions, don't hesitate to ask.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Then

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Please post back with required logs.

- HijackThis log
- Smitfraudfix log

#3
koko_crunch
    Trusted Helper (Retired Staff), 1,751 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.