
icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

[Virus] Viruses and spyware!

Hello all,

I've been working on my friend's computer since last Monday, cleaning out spyware and viruses. I've cleared most of it out, but I still think there's more left. I've used Spybot Search & Destroy, Ad-Aware, avast!, and AVG. This computer has two accounts. On the "Mom" account it seems fine. On the other account (they're both admin accounts, by the way) all is not fine, and it keeps giving the blue screen of death. I'm not sure why, but the most recent blue screen was something about xpdx.sys. I found xpdx.sys, but I can't delete it, because it says it can't find the file, and it says it's 0 KB when it's 60 KB.

Here's a HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 21:51, on 2007-07-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\catchme.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{448C6F08-0701-1033-0826-020409200001}] "C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - »www.kaspersky.com/downloads/kws/···code.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com/PhotoUpload/MsnPU···,0,911,0
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - »software-dl.real.com/237ef6a9f56···E601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···52978812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - »chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - »messenger.msn.com/download/MsnMe···ader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - »www.verizon.net/checkmypc/includ···Qual.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)

I also ran SDFix. Here's the log of that:

SDFix: Version 1.88

Run by Beth on 2007-07-01 at 22:03

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DP1112
windev-6401-3e37

ImagePath:
\??\C:\WINDOWS\System32\Drivers\DP.sys
\??\C:\WINDOWS\System32\windev-6401-3e37.sys

DP1112 - Deleted
windev-6401-3e37 - Deleted

Modified Winlogon.exe Found!

Winlogon Files Found:

C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dllcache\winlogon.exe

Infected Files Listed Below:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dllcache\winlogon.exe

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...

Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\windev-6401-3e37.sys - Deleted
C:\DOCUME~1\BETH\APPLIC~1\MICROS~1\20509.DAT - Deleted
C:\WINDOWS\system32\pfnlet\winlogon.ini - Deleted
C:\Documents and Settings\Beth\Start Menu\Programs\Startup\winlogon.lnk - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\cssrss.exe - Deleted
C:\WINDOWS\system32\nso12k.sys - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
C:\WINDOWS\system32\vexg4am1et2.exe - Deleted
C:\WINDOWS\system32\vexga4m1et4.exe - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted
C:\WINDOWS\system32\windows_log.txt - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted

Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Beth\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off2.tmp
C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off3.tmp
C:\WINDOWS\java\classes\srakba.tmp
C:\WINDOWS\java\classes\srakba.tmp2
C:\WINDOWS\system32\tstwa.tmp

Listing User Accounts:

Administrator Beth Guest
HelpAssistant Owner SUPPORT_388945a0

Finished

How does the HijackThis log look to you security folks? Anything else to run? I'm tired of working on this computer... it's been a week now of cleaning out this mess.
--
Team Discovery
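The log above is what a reviewer reads by hand; the following script, added here as an example and not taken from the thread or from HijackThis itself, applies a few reviewer rules of thumb to HJT entries so that the lines worth a second look are pulled out with a reason. The rules, the list of imitated system process names, and the sample input (lines copied from the posted log, plus one constructed running-process line that uses the look-alike file SDFix later removed) are all assumptions made for the example. A hit means "verify this", not "this is malware": Bonjour's mdnsnsp.dll, for instance, is a legitimate LSP that HJT simply does not whitelist.

```python
"""Rule-of-thumb triage for a HijackThis (HJT) log.

Added example, not code from the thread or from HijackThis. The rules below are
reviewer heuristics assumed for this demo: orphaned entries, Run values named by
a bare GUID, Startup shortcuts HJT could not resolve, LSPs and services HJT does
not recognise, and process names that imitate core Windows binaries.
"""
import re

# "O4 - HKLM\..\Run: [name] path" -> section id and body.
_ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Core Windows processes that malware likes to imitate by name (assumed list).
_SYSTEM_NAMES = ("csrss", "smss", "svchost", "winlogon", "lsass", "services", "explorer")
_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the system process a file name imitates ('cssrss.exe' -> 'csrss'),
    or None when the name is exact or unrelated."""
    stem = filename.lower().rsplit(".", 1)[0]
    if stem in _SYSTEM_NAMES:
        return None
    for name in _SYSTEM_NAMES:
        if _edit_distance(stem, name) == 1:
            return name
    return None


def triage(log_text):
    """Return a list of (section, reason, line) findings for an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if m:
            section, body = m.groups()
            if "(file missing)" in body:
                findings.append((section, "orphaned entry: target file missing", line))
            if section == "O4":
                name = re.search(r"\[(.*?)\]", body)
                if name and _GUID.match(name.group(1)):
                    findings.append((section, "Run value named by a bare GUID", line))
                if body.startswith("Startup:") and body.endswith(".lnk = ?"):
                    findings.append((section, "Startup shortcut HJT could not resolve", line))
            elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
                findings.append((section, "LSP not on HJT's known-good list; verify vendor", line))
            elif section == "O23" and " - Unknown - " in body:
                findings.append((section, "service with unknown vendor", line))
        elif re.match(r"^[A-Za-z]:\\", line):  # running-process lines are bare paths
            mimic = lookalike(line.rsplit("\\", 1)[-1])
            if mimic:
                findings.append(("proc", f"name imitates system process {mimic}.exe", line))
    return findings


# Sample input: lines copied from the HJT log posted in this thread, plus one
# constructed running-process line for the look-alike file SDFix later removed.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\catchme.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{448C6F08-0701-1033-0826-020409200001}] "C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" te-110-12-0000282
O4 - Startup: winlogon.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Running it against the sample prints seven findings; the avast! service, iTunesHelper and the genuine csrss.exe are left alone, while the GUID-named Run value, the unresolvable winlogon.lnk, the orphaned msnim protocol handler and the vendor-less ScsiAccess service (which also has its file missing) are the entries a reviewer would ask about first.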

icex _
Premium
join:2004-05-22
USA
clubs:

Re: [Virus] Viruses and spyware!

By the way, SDFix is catchme.exe.
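The posted log has "O4 - Startup: winlogon.lnk = ?", and SDFix later deleted that shortcut from Beth's Startup folder; HijackThis printed "?" because it could not resolve the target, so the log never says what that shortcut would have launched at logon. The script below is an added example, not code from the thread or from any tool named in it: it reads the target and arguments straight out of a .lnk file's Shell Link structure (offsets per the MS-SHLLINK layout), which also works on a copy lifted from a disk that is not booted. make_lnk() builds a minimal shortcut so the demo runs offline; the target path it uses is invented and is not the real winlogon.lnk's target.

```python
"""Read the target out of a Windows shortcut (.lnk) file.

Added example, not from the thread or from HijackThis/SDFix. Layout follows the
MS-SHLLINK structure: 76-byte header, optional item ID list, optional LinkInfo
(holding the local base path), then StringData items in a fixed order.
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01


def is_shell_link(data):
    """Cheap magic check (HeaderSize + CLSID) before parsing anything else."""
    return len(data) >= HEADER_SIZE and data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID


def _cstr(data, off):
    """Null-terminated ANSI string at offset."""
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def _string_data(data, pos, unicode_):
    """One StringData item: 2-byte character count, then the characters, no terminator."""
    n = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode_:
        return data[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
    return data[pos:pos + n].decode("latin-1"), pos + n


def parse_lnk(data):
    """Return {'target', 'arguments', 'working_dir'} from raw .lnk bytes."""
    if not is_shell_link(data):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:  # skip the item ID list: IDListSize then the PIDL
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    out = {"target": None, "arguments": "", "working_dir": ""}
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags = struct.unpack_from("<III", data, pos)
        base_off, suffix_off = struct.unpack_from("<I4xI", data, pos + 16)  # offsets are LinkInfo-relative
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            out["target"] = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += info_size
    # StringData items appear in this fixed order, each only when its flag is set.
    for flag, key in ((HAS_NAME, None), (HAS_REL_PATH, "relative"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, None)):
        if flags & flag:
            value, pos = _string_data(data, pos, flags & IS_UNICODE)
            if key == "relative":
                out["target"] = out["target"] or value  # fall back when LinkInfo is absent
            elif key:
                out[key] = value
    return out


def make_lnk(target, arguments=""):
    """Build a minimal shortcut (LinkInfo + optional arguments) for the demo."""
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # VolumeID: DRIVE_FIXED, empty label
    base = target.encode("latin-1") + b"\x00"
    base_off = 0x1C + len(volume)
    suffix_off = base_off + len(base)
    info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       0x1C, base_off, 0, suffix_off) + volume + base + b"\x00"
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))  # attributes, timestamps, icon, hotkey: all zero
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + info + args


if __name__ == "__main__":
    # Invented target path: a stand-in for whatever the real winlogon.lnk pointed at.
    blob = make_lnk(r"C:\Documents and Settings\Example\Local Settings\Temp\winlogon.exe", "-s")
    print(parse_lnk(blob))
```

On a real case you would read the .lnk bytes from the Startup folder (or from SDFix's backups.zip, which keeps what it deleted) and feed them to parse_lnk(); a target under a user profile or Temp directory with a system-process name is exactly the pattern the Startup entry in the log suggests.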

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Yuk! All of those files found by SDFix are really malicious rootkits and remote access Trojans.

Are you aware of the complications and security risks of such a compromise?

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
»www.microsoft.com/technet/securi···rat.mspx

When should I re-format? How should I reinstall?
»Security »When should I re-format? How should I reinstall?

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
»Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?

Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you. The rootkit makes it worse as your system is no longer trustworthy.

It's a trivial matter to clean up the rootkit itself (most rootkits and all botnet clients are Remote Access Trojans, or RATs), and SDFix has done that, but...

A RAT is a program that allows a remote user to connect to the computer and issue commands.

Unless you can be sure that a remote user did not connect to the machine and run commands on it (which is almost always impossible to ascertain), you cannot know what damage the bad guy has done above and beyond installing the rootkit.

That unknown is what accounts for the recommendation to rebuild the machine.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable



Re: [Virus] Viruses and spyware!

Thank you for your reply.

Yes, I know all about backdoors and remote access Trojans; they're nasty and hard to deal with. I'd like to get this computer cleaned up, because my friend doesn't have format disks for this computer. It's a 2001 Dell Dimension 2300.

Is the only solution to format? Or can it be cleaned up?

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable


Avast! keeps finding these viruses but will not delete them.

C:\System Volume Information\...\installfile1.exe
C:\System Volume Information\...\installfile1.exe
C:\System Volume Information\...\installfile1.exe
C:\System Volume Information\...\A0023379.sys
C:\System Volume Information\...\A0023382.exe
C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe

It gives an error: "error occurred during file deleting: The operation is not supported for this type of archive."

I will call my friend tomorrow and see what she wants me to do. They have a lot of stuff on here, so I'd like to try to fix it before I format it. Is there any way to reformat without the Dell disks?

Edited to add: I believe the infection began on June 3rd, 2007. As soon as she noticed problems, she quit using this computer and called me. I didn't get it until last week, though; she called on June 12th.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


The problem lies in the cleanup because of system changes that may have been made that are not detectable by any scanners. There could be hidden ways for an intruder to get back into that machine and I wouldn't trust it even if you think you can clean it. Sure, you've deleted the infected files, but how would you know what has been done to lower system security?

Not much else you can do but warn them that a system compromise is like leaving your house unlocked and allowing anyone to walk in and steal information and then give them a duplicate key so they can come back if they missed anything.

Anything in the System Volume Information folder is the backups of System Restore; those can be easily reset, but Windows won't allow 3rd-party apps to delete them. You'll need to reset System Restore as follows to clear them:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
»support.microsoft.com/default.as···s;310405
...........................
This file... please send it to me to examine:
C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe

Here is how:

Please go here to upload a suspicious file for analysis.
»www.uploadmalware.com/

* Enter your username from this forum as: icex _ at DSLR

* Copy and paste the link to this thread:

* Click "Browse" on the 1. field.
Browse to the following file and click the file with your mouse, press "Open"
C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe

* In the comments, please mention that I asked you to upload this file:

* Click on Send File


icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Viruses and spyware!

CalamityJane,

Thank you for your reply.

I tried uploading C:\Windows\itpbb_4.exe\Compinst1.exe\installfile1.exe but it would not upload. It uploaded C:\Windows\itpbb_4.exe.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Let's run this tool next, please:

1. Download this file - combofix.exe

2. Double click on combofix.exe & follow the prompts.

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you, ComboFix.txt. Post that log in your next reply.


icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Viruses and spyware!

Here is the log, sorry for the slow reply.

Start Time= 2007-07-02 13:01:38.50

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 00:56:04 ( .D... ) "C:\Program Files\GRISOFT"
2007-07-02 00:43:56 64 ( A.... ) "C:\ComboFix.txt.bat"
2007-07-01 00:58:28 517120 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2007-06-28 04:06:28 ( .D... ) "C:\Program Files\Alwil Software"
2007-06-27 14:44:10 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2007-06-27 14:07:26 ( .D... ) "C:\Program Files\CCleaner"
2007-06-26 12:45:26 ( .D... ) "C:\Program Files\Common Files\{448C6F08-0702-1033-0826-020409200001}"
2007-06-07 21:52:46 14359 ( A.... ) "C:\WINDOWS\system32\a3dx8.dll"
2007-06-05 20:30:22 134353 ( A.... ) "C:\WINDOWS\system32\alt.exe"
2007-06-05 08:24:04 87552 ( A.... ) "C:\WINDOWS\catchme.exe"
2007-06-03 19:07:48 12800 ( A.... ) "C:\WINDOWS\system32\svchost.exe"
2007-06-03 18:42:46 220349 ( A.... ) "C:\WINDOWS\itpb_4.exe"
2007-06-03 13:42:58 ( .D... ) "C:\Documents and Settings\Beth\Application Data\U3"
2007-06-01 22:55:06 2 ( A.... ) "C:\WINDOWS\system32\wnscpsv32.exe"
2007-06-01 11:19:20 17664 ( A.... ) "C:\WINDOWS\system32\vxddsk.exe"
2007-06-01 11:19:18 32256 ( A.... ) "C:\WINDOWS\system32\SUSP.exe"
2007-06-01 11:19:18 14848 ( A.... ) "C:\WINDOWS\system32\wml.exe"
2007-06-01 11:19:14 16640 ( A.... ) "C:\WINDOWS\system32\satmat.exe"
2007-06-01 11:19:12 30464 ( A.... ) "C:\WINDOWS\system32\Biprep.exe"
2007-06-01 11:19:08 21248 ( A.... ) "C:\WINDOWS\7search.dll"
2007-06-01 11:19:06 31744 ( A.... ) "C:\WINDOWS\flt.dll"
2007-06-01 11:19:00 31488 ( A.... ) "C:\WINDOWS\764.exe"
2007-06-01 11:18:56 27136 ( A.... ) "C:\WINDOWS\pbar.dll"
2007-06-01 11:18:48 29440 ( A.... ) "C:\WINDOWS\stcloader.exe"
2007-06-01 11:18:42 27648 ( A.... ) "C:\WINDOWS\voiceip.dll"
2007-06-01 11:18:38 20224 ( A.... ) "C:\WINDOWS\bokja.exe"
2007-06-01 11:18:38 19968 ( A.... ) "C:\WINDOWS\swin32.dll"
2007-06-01 11:18:38 13312 ( A.... ) "C:\WINDOWS\cdsm32.dll"
2007-06-01 11:18:36 29440 ( A.... ) "C:\WINDOWS\mspphe.dll"
2007-06-01 11:18:30 14848 ( A.... ) "C:\WINDOWS\bjam.dll"
2007-06-01 11:18:26 24832 ( A.... ) "C:\WINDOWS\system32\MSIXU.DLL"
2007-06-01 11:18:22 31488 ( A.... ) "C:\WINDOWS\system32\WER8274.DLL"
2007-06-01 11:18:16 27392 ( A.... ) "C:\WINDOWS\system32\salm.exe"
2007-06-01 11:18:16 11520 ( A.... ) "C:\WINDOWS\system32\180ax.exe"
2007-06-01 11:18:12 20224 ( A.... ) "C:\WINDOWS\system32\updatetc.exe"
2007-06-01 11:18:06 9984 ( A.... ) "C:\WINDOWS\saiemod.dll"
2007-06-01 11:17:34 25088 ( A.... ) "C:\WINDOWS\system32\msdn_lib.dll"
2007-06-01 11:06:34 34816 ( A.... ) "C:\WINDOWS\rau001978.exe"
2007-05-10 19:00:26 ( .D... ) "C:\Program Files\Common Files\Java"
2007-04-30 11:46:10 745600 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2007-04-30 11:35:28 95872 ( A.... ) "C:\WINDOWS\system32\AvastSS.scr"
2007-04-27 16:45:12 14970328 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-04-17 01:47:36 33624 ( A.... ) "C:\WINDOWS\system32\wups.dll"
2007-04-17 01:45:54 1710936 ( A.... ) "C:\WINDOWS\system32\wuaueng.dll"
2007-04-17 01:45:48 549720 ( A.... ) "C:\WINDOWS\system32\wuapi.dll"
2007-04-17 01:45:42 325976 ( A.... ) "C:\WINDOWS\system32\wucltui.dll"
2007-04-17 01:45:36 203096 ( A.... ) "C:\WINDOWS\system32\wuweb.dll"
2007-04-17 01:45:28 92504 ( A.... ) "C:\WINDOWS\system32\cdm.dll"
2007-04-17 01:45:20 53080 ( A.... ) "C:\WINDOWS\system32\wuauclt.exe"
2007-04-17 01:45:20 43352 ( A.... ) "C:\WINDOWS\system32\wups2.dll"
2007-04-02 17:21:28 428032 ( A.... ) "C:\WINDOWS\system32\swreg.exe"

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Watch.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"{448C6F08-0701-1033-0826-020409200001}"="\"C:\\Program Files\\Common Files\\{448C6F08-0701-1033-0826-020409200001}\\Update.exe\" te-110-12-0000282"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\" /WinStart"
"hkey"="HKCU"
"command"="\"\\\" /WinStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{448C6F08-0701-1033-0826-020409200001}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\{448C6F08-0701-1033-0826-020409200001}\\Update.exe\" te-110-12-0000282"
"inimapping"="0"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\85D491DD93E32F55.job
C:\WINDOWS\tasks\AAF587AF918A3BEF.job

Completion time: 2007-07-02 13:03:11.35
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

I got it - it's adware. Delete the file if possible.

Run the ComboFix tool in my last reply

And, finally, did you run the AVG Antispyware program that is in the FAQ (Step 1d)?
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

If not, do that now please after the ComboFix which won't take very long and will give me a comprehensive log to look at. Then run the AVG antispyware program after updating it.

icex _
Premium
join:2004-05-22
USA
clubs:

Re: [Virus] Viruses and spyware!

Deleted.

I will download AVG Antispyware now and run it... it'll take a few.

icex _
Premium
join:2004-05-22
USA
clubs:

Re: [Virus] Viruses and spyware!

This will take about 2 hours for me to download, because unfortunately I'm on 28k dial-up, lol.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

The free version of AVG Antispyware is on the far right. Here is the direct download link (be sure you get the updates first before scanning with it):


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Ok, no problem. I've got to go to bed myself now.

We can pick this up tomorrow?

The combofix log doesn't look right.

The top part should begin with something like this:

quote:
ComboFix 07-06-18.2 - C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
"Compaq_Administrator" - 2007-07-02 1:08:45 - Service Pack 2 NTFS
It would be located here:
C:\ComboFix.txt

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable



Re: [Virus] Viruses and spyware!

Sure, I'll post results tonight and I'll be on at 11 or 12.

ComboFix: Nope, it starts with "Start Time:".

Would you like me to rerun it?

Edit: Reran it with same results.

Also, the clock is screwed up. It shows 13:38, even though I set it to Eastern time... and it doesn't show AM/PM :S lol

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: [Virus] Viruses and spyware!

I found the problem with ComboFix. The download link I gave you is an old version. My apologies.

Delete that ComboFix.exe and replace it with this one please:
Run a fresh scan with that one and post the results please.

The clock format is reset by the tool so that one of the logs will be produced properly. As soon as we're done with the fixing, it can be reset back to preferred settings as follows:
Here is a link that shows how to change the clock settings and what the symbols mean.
»www.howtogeek.com/howto/windows-···s-vista/

That is for Vista but would be similar in Win2K and XP. If you go to the Control Panel and choose "Regional & Language Settings", then choose "Customize" and the "Time" tab, you can set the clock display in a number of ways as desired.

How did you make out with the AVG Antispyware scan?


icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Viruses and spyware!

Sorry I didn't get to post the log last night. I left the scanner on and went to bed.

Here is the log, and I'll repost the combofix after this:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:49 2007-07-02

+ Scan result:

HKU\S-1-5-21-1482476501-1326574676-1801674531-1004\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Ignored.
C:\SDFix\backups\backups.zip/backups/nso12k.sys -> Downloader.Agent.bnz : Ignored.
C:\Program Files\Common Files\qwkr\qwkrd\vocabulary -> Downloader.TSUpdate.j : Ignored.
C:\Documents and Settings\Beth\setup1.exe -> Downloader.VB.axs : Ignored.
C:\SDFix\backups\backups.zip/backups/xpdx.sys -> Hijacker.Costrat.e : Ignored.
C:\SDFix\backups\backups.zip/backups/cssrss.exe -> Proxy.Agent.mv : Ignored.
C:\WINDOWS\system32\qvcvafpf.exe -> Trojan.Agent.ny : Ignored.
C:\WINDOWS\system32\msorcl32.exe -> Trojan.Renos.nbf : Ignored.
C:\WINDOWS\system32\wnscpsv32.exe -> Trojan.Small : Ignored.
C:\SDFix\backups\backups.zip/backups/windev-6401-3e37.sys -> Trojan.Tibs.ab : Ignored.
C:\WINDOWS\system32\alt.exe -> Trojan.Tibs.y : Ignored.

::Report end
--
Team Discovery

icex _
Premium
join:2004-05-22
USA
clubs:

Re: [Virus] Virus's and spyware!

I'm not sure why the log says ignored, because I selected delete on all of them. I'm rerunning the scanner to make sure it's gone..
--
Team Discovery

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: [Virus] Virus's and spyware!

said by icex _ :

I'm not sure why the log says ignored, because I selected delete on all of them. I'm rerunning the scanner to make sure it's gone..
That's ok. It does that when you generate the log before you have finished - we see that a lot.
.......
Please turn OFF the Spybot Teatimer while we are running fixes and diagnostics. That could interfere with the things we are trying to fix. You can turn it back on for protection AFTER we get the system cleaned up.

re: Winlogon error. I need to see a fresh Hijackthis log and a fresh scan with the new ComboFix tool (new version)
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Virus's and spyware!

Well, here's an update.

She sent the disks to me today, and told me to just get her pictures, WordPerfect documents and music and wipe it clean. So that's what I am doing now =)
--
Team Discovery

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: [Virus] Virus's and spyware!

That's a good idea. Backup any documents to removable media and be sure that you scan them with a number of anti-malware apps before putting them onto a clean computer.

So you do have reinstall disks?

As for getting paid - there is no payment requested nor expected here for the advice we give in cleanups. We are volunteers giving freely of our own time. In fact, we rather resent using our volunteer time to help others if you are going to turn around and charge someone for it, so I sure hope you do NOT include any of the time we have spent here! The other thing is that you need to be sure that in your cleaning you keep in mind the total needs of the person you are helping. In the best interest of this person's computer, good security advice would entail letting them know the risks involved and the total picture of future security. As I said earlier, it is a trivial matter in this case to clean off infected files and remove symptoms of the infection, but learning exactly what that infection has done is important to relay back to the user so they can make an informed decision that will ensure minimal risk of future exposure. Cleaning is not always the ideal remediation. A PC as infected as this one with the most malicious types of malware - it is a prime example of when cleaning is not a recommendation.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable



Re: [Virus] Virus's and spyware!

No, I do not mean paying anyone at dslreports.com. I have worked on this computer before and never accepted payment, but she gave me $25 for working on it anyway. She asked me how much I would charge and I said I'll see.

I don't really have time to work on computers much anymore. Last year when I worked on this computer, that was all I did: work on computers, because I enjoyed it. Now, I work out every day, and I enjoy doing other things, not working on computers much anymore. I hope this post doesn't sound sarcastic or anything.

She told me these problems have been going on for a long time, and she could only use her daughter's account. I am guessing there has been a lot of stuff on here -- and it has downloaded all of this new stuff.

Thank you for taking your time to help me though. I really do appreciate it. If I was still into computers like I used to be, then I probably wouldn't care to fix it for nothing. But like I said, I work out every day and like doing other things. We just got a boat, but I'm trying to fix this, which is taking time from me.

I'm not going to rip someone off when I fix their computer. When I used to work on computers, I never asked for anything, and still don't; they just ask me for a price. I try to be fair; computer shops would charge at least $120 for what I am doing right now. I hope you understand, and thank you again for your help.

Edit to add: I always give a speech to people about security, and show them how to use their anti virus/anti spyware when I install it.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: [Virus] Virus's and spyware!

You're welcome. You sound like a good guy, so I think you would not take advantage of our volunteer services here. My biggest concern is the severe nature of the infections found on this PC. If it has been going on a while, that makes it even worse.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable



Re: [Virus] Virus's and spyware!

I'm only 16 to be honest. Started doing computer work when I was eleven pretty much, got tired of it last year.

Yes, I don't know if she will or not, but I told her to contact the debit card company, and to watch her credit report for a while.

And, no, I won't take advantage of anyone here. I really wasn't planning on coming here, because I've fixed about 3 computers before with the exact problem, except they didn't have backdoors and all that. But this computer is so bad, I had to get professional advice.

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: [Virus] Virus's and spyware!

Glad we could help icex_

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Virus's and spyware!

I just want to ask one more thing.

So far I have installed Avast! antivirus, AVG Anti-Spyware, Spybot - Search and Destroy, TeaTimer, and Ad-Aware. Does Avast have automatic protection like AVG? I'm getting ready to install AVG for the real-time protection, if Avast! doesn't.
--
Team Discovery

icex _
Premium
join:2004-05-22
USA
clubs:

Re: [Virus] Virus's and spyware!

Ok, Avast! does have a real-time protection scanner. Is there anything else I should install? I don't want this to happen to this computer again.
--
Team Discovery

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: [Virus] Virus's and spyware!

Yes, both Avast and AVG antivirus do have realtime protection. But only use one running realtime (not good to have 2 antiviruses running at the same time). You can have multiple antispyware programs (and you had mentioned AVG antispyware which is different from the AV program they also offer).

Protection software is a really good idea, but your users also need to understand that one can't expect software to catch 100% of everything. They need to practice some safer computer habits. I think I noticed a P2P program installed - do they realize the danger in downloading files from a P2P network?

I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
»www.microsoft.com/windowsxp/usin···tro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.
How do I prevent Browser Hijacks and Spyware?
»Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
»update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
»www.microsoft.com/technet/securi···cxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
»www.microsoft.com/technet/securi···ome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
»safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
»www.microsoft.com/athome/securit···ult.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Virus's and spyware!

Yes, I noticed that Avast has real-time protection, so I uninstalled AVG since Avast! detected more viruses than AVG did.

Yep, they had Ares installed, about the worst program to install really. It's gone though, formatted. =) It doesn't have Service Pack 2 anymore, but when I take it back to her, I'm going to immediately download all updates on her DSL connection.
--
Team Discovery

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Re: [Virus] Virus's and spyware!

Good job, icex_!

lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs:


Post that was here

Deserves its own topic

»[OT] Kudos

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Well CalamityJane it just blue screened again.

The windows logon process system process terminated unexpectedly with a status of 0x0000000000

The system has been shut down.

I was running combofix.. but teatimer kept popping up saying iexplore was changing the search page from microsoft to google, then back to microsoft from google. :S
--
Team Discovery

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

It's got the about:blank spyware/adware, I think.

Spybot TeaTimer popped up saying the new website start page had been changed to about:blank.

ComboFix said something about the findstring being too long, but anyway,
here's the ComboFix log:

"Beth" - 2007-07-03 2:13:41 - ComboFix 07-06-27.7 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\Common Files\{348C6~1
C:\Program Files\Common Files\{448C6~1
C:\Program Files\Common Files\{448C6~2
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\rau001978.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\180ax.exe
C:\WINDOWS\system32\a3dx8.dll
C:\WINDOWS\system32\biprep.exe
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msdn_lib.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\salm.exe
C:\WINDOWS\system32\satmat.exe
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\updatetc.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\voiceip.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NET_AGENT

((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))

2007-07-02 14:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-02 00:56 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-02 00:43 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-02 00:35 d-------- C:\VundoFix Backups
2007-07-01 21:13 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-28 04:06 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-28 04:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-28 04:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-28 04:06 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-28 04:06 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-28 04:06 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-28 04:06 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-28 04:06 d-------- C:\Program Files\Alwil Software
2007-06-27 16:52 d--h----- C:\WINDOWS\PIF
2007-06-27 14:44 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-27 14:07 d-------- C:\Program Files\CCleaner
2007-06-25 19:17 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-06-07 21:54 0 --a------ C:\WINDOWS\system32\kgctini.dat
2007-06-03 19:06 8,246 --a------ C:\DOCUME~1\Beth\win321.exe
2007-06-03 19:05 969 --a------ C:\DOCUME~1\Beth\dvvln2MBxL.exe
2007-06-03 18:43 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-06-03 13:42 d-------- C:\DOCUME~1\Beth\APPLIC~1\U3

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 08:24:14 -------- d-----w C:\Program Files\QuickTime
2007-07-01 04:58:26 517,120 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-06-28 08:22:20 -------- d-----w C:\DOCUME~1\Beth\APPLIC~1\The Flag
2007-06-28 05:45:02 -------- d-----w C:\Program Files\Ares
2007-06-27 07:00:24 12 ----a-w C:\WINDOWS\system32\sl.bin
2007-06-27 06:59:55 4 ----a-w C:\WINDOWS\system32\stfv.bin
2007-06-27 05:17:49 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-27 05:17:49 -------- d-----w C:\Program Files\Online Services
2007-06-26 05:22:23 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-06-26 02:44:06 -------- d-----w C:\Program Files\Common Files\qwkr
2007-06-03 23:12:26 -------- d-----w C:\DOCUME~1\Beth\APPLIC~1\ZangoToolbar
2007-06-03 23:07:47 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2007-06-01 19:52:25 -------- d-----w C:\DOCUME~1\Beth\APPLIC~1\Image Zone Express
2007-05-20 14:37:55 -------- d-----w C:\DOCUME~1\Beth\APPLIC~1\AdobeUM
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 19:39]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 06:43]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 21:42]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 20:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 19:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 06:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 06:43]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe" [2007-06-27 22:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 13:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-23 16:57]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 11:59]
"{448C6F08-0701-1033-0826-020409200001}"="C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 15:37]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 04:04]
"ares"="C:\Program Files\Ares\Ares.exe" [2005-04-28 22:29]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 22:23]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 12:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wsmsge]
wsmsge.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mswsag.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"\" /WinStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{448C6F08-0701-1033-0826-020409200001}]
"C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" te-110-12-0000282

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}
C:\WINDOWS\system32\tmrsrv32.exe

Contents of the 'Scheduled Tasks' folder
2007-07-03 06:00:01 C:\WINDOWS\tasks\85D491DD93E32F55.job
2007-07-03 06:00:02 C:\WINDOWS\tasks\AAF587AF918A3BEF.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, »www.gmer.net
Rootkit scan 2007-07-03 02:23:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [520]
? [1060]

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\mswsag.sys
C:\WINDOWS\system32\wsmsge.dll
C:\WINDOWS\system32\wsmsge.sys
C:\WINDOWS\system32\qo.dll
C:\WINDOWS\system32\qo.sys
C:\WINDOWS\system32\nmk4.dat
**************************************************************************

Completion time: 2007-07-03 2:31:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 02:30
C:\ComboFix2.txt ... 2007-07-02 13:33

--- E O F ---
--
Team Discovery
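The ComboFix log above is useful to a responder mainly because it lets two of its sections be cross-checked: files that catchme reports as "hidden from API" and the registry load points that would start them. A hidden file that is also referenced from a Winlogon Notify key or a SafeBoot\Minimal entry is the pattern that makes a helper say "it's still got a rootkit". The following script is an added example written for this page, not ComboFix's or catchme's own code; the sample text is a constructed excerpt modelled on the log in this post, and the section markers and filename pattern it keys on are assumptions about the log format rather than a documented specification.

```python
"""Correlate catchme 'hidden files' with ComboFix registry load points.

Added example, not ComboFix's own tooling. SAMPLE_LOG is a constructed
excerpt modelled on the ComboFix output posted in this thread.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe" [2007-06-27 22:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wsmsge]
wsmsge.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mswsag.sys]

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}
C:\WINDOWS\system32\tmrsrv32.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, www.gmer.net
Rootkit scan 2007-07-03 02:23:25

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\mswsag.sys
C:\WINDOWS\system32\wsmsge.dll
C:\WINDOWS\system32\wsmsge.sys
C:\WINDOWS\system32\nmk4.dat
**************************************************************************
"""

HIDDEN_MARK = "scanning hidden files ..."
REG_MARK = "Reg Loading Points"
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Bare filename with an extension that can be loaded or executed (assumed list).
BASENAME_RE = re.compile(r"([A-Za-z0-9_\-~.]+\.(?:exe|dll|sys|dat|ocx|scr))", re.I)


def hidden_files(log):
    """Return the full paths listed under catchme's 'scanning hidden files' block."""
    paths, collecting = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith(HIDDEN_MARK):
            collecting = True
            continue
        if collecting:
            if s.startswith("****") or s.startswith("scanning "):
                collecting = False      # next section or end-of-report banner
                continue
            if PATH_RE.match(s):
                paths.append(s)
    return paths


def load_points(log):
    """Map lower-cased basename -> registry keys in 'Reg Loading Points' that reference it."""
    refs, in_reg, key = {}, False, None

    def add(name, k):
        refs.setdefault(name.lower(), []).append(k)

    for line in log.splitlines():
        s = line.strip()
        if REG_MARK in s:
            in_reg = True
            continue
        if not in_reg:
            continue
        if s.startswith("****"):
            break                       # section ends at the star banner
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
            # SafeBoot entries name the driver in the key itself.
            for name in BASENAME_RE.findall(key.rsplit("\\", 1)[-1]):
                add(name, key)
            continue
        if s.startswith("HKEY_"):       # unbracketed key line (Active Setup block)
            key = s
            continue
        if key and s:
            for name in BASENAME_RE.findall(s):
                add(name, key)
    return refs


def correlate(log):
    """Return (hidden_path, registry_key) pairs: hidden files that have a load point."""
    refs, hits = load_points(log), []
    for path in hidden_files(log):
        name = path.rsplit("\\", 1)[-1].lower()
        for key in refs.get(name, []):
            hits.append((path, key))
    return hits


if __name__ == "__main__":
    for path, key in correlate(SAMPLE_LOG):
        print(f"HIDDEN + AUTOSTART: {path}\n    via {key}")
```

On the sample, mswsag.sys is tied to the SafeBoot\Minimal key (so the driver would load even in Safe Mode) and wsmsge.dll to the Winlogon Notify key (loaded into winlogon.exe at logon); wsmsge.sys and nmk4.dat are hidden but have no visible load point, which is still worth noting since a hidden driver can be started by another hidden component.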

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Virus's and spyware!

Logfile of HijackThis v1.99.0
Scan saved at 5:13:47 AM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.103:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [{448C6F08-0701-1033-0826-020409200001}] "C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" te-110-12-0000282
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - »www.kaspersky.com/downloads/kws/···code.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com/PhotoUpload/MsnPU···,0,911,0
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - »software-dl.real.com/237ef6a9f56···E601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···52978812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2004···an53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - »chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - »messenger.msn.com/download/MsnMe···ader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - »www.verizon.net/checkmypc/includ···Qual.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
--
Team Discovery
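A HijackThis log is read by section code, and a few of the codes in the log above are the ones a helper looks at first: an R1 ProxyServer entry pointing IE at a LAN address, an O4 Run entry keyed by a bare GUID, an O10 Winsock LSP entry, and O18/O23 entries marked "(file missing)" or with an Unknown vendor. The script below is an added example, not HijackThis's own parser; it applies those triage rules to a constructed sample built from lines in this post. The rules flag entries for review rather than declaring them malicious (the Bonjour LSP, for instance, is a legitimate Apple component that still shows up as "Unknown" to HijackThis).

```python
"""Triage a HijackThis log by section code.

Added example, not HijackThis's own code. SAMPLE_HJT is a constructed
excerpt made from lines in the log posted in this thread.
"""
import re

SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.103:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Watch.exe"
O4 - HKLM\..\Run: [{448C6F08-0701-1033-0826-020409200001}] "C:\Program Files\Common Files\{448C6F08-0701-1033-0826-020409200001}\Update.exe" te-110-12-0000282
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE (file missing)
"""

# "R1 - ..." / "O23 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Run entry whose name is nothing but a GUID in braces.
GUID_RUN_RE = re.compile(r"Run: \[\{[0-9A-Fa-f-]{36}\}\]")


def parse_hjt(text):
    """Return a list of (section_code, body) tuples for every entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply review rules; returns (rule, detail) findings, one or more per entry."""
    findings = []
    for code, body in entries:
        if code == "R1" and ",ProxyServer = " in body:
            # A proxy set on a home PC should be confirmed as intentional.
            findings.append(("proxy", body.split(" = ", 1)[1]))
        if "(file missing)" in body:
            # Dangling reference: leftover of a removal, or a file hidden from the API.
            findings.append(("file-missing", body))
        if code == "O10":
            # LSPs intercept all Winsock traffic; every entry deserves a vendor check.
            findings.append(("lsp", body))
        if code == "O4" and GUID_RUN_RE.search(body):
            # Legitimate software normally names its Run value; bare GUIDs are a common adware habit.
            findings.append(("guid-run", body))
        if code == "O23" and " - Unknown - " in body:
            findings.append(("unknown-vendor-service", body))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'file-missing': 2, ...}."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in triage(parse_hjt(SAMPLE_HJT)):
        print(f"[{rule}] {detail}")
```

Run against the sample, the proxy rule surfaces the 192.168.1.103:6588 entry from this log, ScsiAccess is reported twice (unknown vendor and missing file), and the GUID-named Run entry matches the {448C6F08-...} Update.exe item that ComboFix also listed.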

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

This is probably one of the worst infected computers I've seen in a long while. It's still got yet another rootkit.

Download haxfix.exe.
»users.telenet.be/marcvn/tools/haxfix.exe
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the contents of that logfile and paste it into this thread.

Note: Please do not run any fix options until I've had a chance to review the log. This tool is capable of finding legitimate files as well as infected files, so a log review first is very important and I may not get to that until morning.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Virus's and spyware!

This computer is so slow, I'm guessing because of the infection and the fact it only has 256 MB of RAM.

Here's the log:

HAXFIX logfile - by Marckie

version 4.47
Tue 07/03/2007 11:44:43.79

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
mswsag

checking for matching safeboot services
matching safeboot services found
mswsag.sys

checking for other Haxdoor-files
no other Haxdoor-files found

--- Checking for Goldun ---

checking for SSODL keys
Upperhost

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, »www.gmer.net
Rootkit scan 2007-07-03 11:44:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [516]
? [1052]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Beth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 132 bytes hidden from API
C:\Documents and Settings\Beth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\Beth\ntuser.dat.LOG:KAVICHS 68 bytes hidden from API
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\LocalService\NTUSER.DAT:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\LocalService\ntuser.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\NTUSER.DAT:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\ntuser.dat.LOG:KAVICHS 36 bytes hidden from API
C:\WINDOWS\system32\mswsag.sys
C:\WINDOWS\system32\wsmsge.dll
C:\WINDOWS\system32\wsmsge.sys
C:\WINDOWS\system32\qo.dll
C:\WINDOWS\system32\qo.sys
C:\WINDOWS\system32\nmk4.dat

scan completed successfully
hidden processes: 2
hidden services: 0
hidden files: 17

--- Analysing Catchme logfile ---

matching notify key found: wsmsge
matching service found: mswsag
matching safeboot services found: mswsag.sys
matching service found: wsmsge

Finished!
--
Team Discovery

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

Run Haxfix again.

A red "dos window" (dos box) will open with options:

1. Make logfile

2. Run auto fix

3. Run manual fix

E. Exit Haxfix

Select option 2. Run auto fix by typing 2 and then pressing Enter.

If an infection is found, you'll get a message to close all other open windows.

Close all open windows except the red dos window from haxfix and then press Enter.

The computer will reboot.

After reboot a logfile will open > (c:\haxfix.txt)

Post the contents of that logfile along with a new HijackThis log.
............
Then please also scan with ComboFix and post a new log from it as well
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)

icex _
Premium
join:2004-05-22
USA
clubs:
·Colane Cable

Re: [Virus] Virus's and spyware!

Haxfix log:

HAXFIX logfile - by Marckie

version 4.47
Tue 07/03/2007 21:21:33.48

--- Auto Haxdoorfix ---

searching for files:

searching for services....
service mswsag found
[SWSC] DeleteService SUCCESS

--- Goldunfix ---

searching for files:

checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found

.....rebooting the computer.....

searching for ssodlkeys

not needed

searching for notifykeys

not needed

searching for services

service mswsag not found

searching for safeboot services

safeboot service mswsag.sys not found

searching for files

mswsag.sys exists
deleting mswsag.sys
mswsag.sys has been deleted

wsmsag.sys exists
deleting wsmsag.sys
wsmsag.sys has been deleted

checking for other files

kgctini.dat exists
deleting kgctini.dat
kgctini.dat has been deleted

qo.dll exists
deleting qo.dll
qo.dll has been deleted

qo.sys exists
deleting qo.sys
qo.sys has been deleted

nmk4.dat exists
deleting nmk4.dat
nmk4.dat has been deleted

checking for a3d files

no a3d files found

--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, »www.gmer.net
Rootkit scan 2007-07-03 21:28:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Beth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 132 bytes hidden from API
C:\Documents and Settings\Beth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\Beth\ntuser.dat.LOG:KAVICHS 68 bytes hidden from API
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\LocalService\NTUSER.DAT:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\LocalService\ntuser.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\NTUSER.DAT:KAVICHS 36 bytes hidden from API
C:\Documents and Settings\NetworkService\ntuser.dat.LOG:KAVICHS 36 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 11

Finished

I will paste the other logs when I get back from the gym.
--
Team Discovery
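As an added example (not code from this thread, from Haxfix or from catchme), a small parser for the catchme section of the Haxfix logs above: it separates alternate-data-stream entries ("path:stream N bytes hidden from API") from bare hidden paths, checks that the trailer totals match what was actually listed, and diffs the before-fix and after-fix scans to show which bare hidden files disappeared. The two excerpts are constructed from the logs posted above and trimmed to a few entries.

```python
import re
# Constructed excerpts modelled on the two catchme sections posted in this thread (before/after the Haxfix auto fix).
BEFORE = r"""scanning hidden processes ...
? [516]
? [1052]
scanning hidden files ...
C:\Documents and Settings\Beth\ntuser.dat.LOG:KAVICHS 68 bytes hidden from API
C:\WINDOWS\system32\mswsag.sys
C:\WINDOWS\system32\qo.sys
scan completed successfully
hidden processes: 2
hidden services: 0
hidden files: 3
"""
AFTER = r"""scanning hidden processes ...
scanning hidden files ...
C:\Documents and Settings\Beth\ntuser.dat.LOG:KAVICHS 68 bytes hidden from API
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
"""
# "path:stream N bytes hidden from API" is an alternate data stream; a bare path is a whole hidden file.
ADS_RE = re.compile(r"^(?P<path>.+?):(?P<stream>[^:\\ ]+) (?P<size>\d+) bytes hidden from API$")
PROC_RE = re.compile(r"^\? \[(?P<pid>\d+)\]$")
SUMMARY_RE = re.compile(r"^hidden (?P<kind>processes|services|files): (?P<n>\d+)$")

def parse_catchme(text):
    # Returns hidden PIDs, ADS entries (path, stream, size), bare hidden paths and the trailer totals.
    out = {"processes": [], "ads": [], "files": [], "summary": {}}
    section = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("scanning hidden "):
            section = line.split()[2]  # processes / services / autostart / files
        elif line.startswith("scan completed"):
            section = None
        elif (m := SUMMARY_RE.match(line)):
            out["summary"][m["kind"]] = int(m["n"])
        elif section == "processes" and (m := PROC_RE.match(line)):
            out["processes"].append(int(m["pid"]))
        elif section == "files":
            m = ADS_RE.match(line)
            if m:
                out["ads"].append((m["path"], m["stream"], int(m["size"])))
            else:
                out["files"].append(line)
    return out

def counts_consistent(p):
    # The trailer totals must equal what was listed; a mismatch means the paste was truncated.
    s = p["summary"]
    return s.get("processes") == len(p["processes"]) and s.get("files") == len(p["ads"]) + len(p["files"])

def removed_between(before, after):
    return sorted(set(parse_catchme(before)["files"]) - set(parse_catchme(after)["files"]))
```

On the full logs above the same check confirms the first scan's 17 hidden files are 11 stream entries plus 6 bare driver/DLL/DAT paths, and that only the 11 stream entries remain after the auto fix.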

CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

I have a really bad feeling that by helping you remove the infected files, I'm giving you a false sense of security and that the original owner of this PC will be left in the dark about how serious this breach of their computer has been and the security implications of running this as a trusted machine in the future.

quote:
This computer has two accounts. On the "Mom" account it seems fine. On the other account, (they're both admin accounts by the way) all is not fine
Has "Mom" been informed fully that this computer has been hosed to the point that there is no guarantee that these "fixes" will keep their info and data safe in the future and, more importantly, the very real possibility that any sensitive data stored on this PC is now at risk and could very well be in the hands of an attacker?

Some points to note as we are removing infected files and you may NOT notice symptoms of system changes by the attacker:
said by Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I, Security Program Manager, Microsoft Corporation, Published: May 7, 2004:

So, you didn’t protect the system and it got hacked. What to do? Well, let’s see:

• You can’t clean a compromised system by patching it. Patching only removes the vulnerability. Upon getting into your system, the attacker probably ensured that there were several other ways to get back in.

• You can’t clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

• You can’t clean a compromised system by using some “vulnerability remover.” Let’s say you had a system hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn’t. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn’t think so.

• You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can’t guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can’t just patch the system.

• You can’t clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put back doors in non-operating system components.

• You can’t trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. In the best-case scenario, copying data off a compromised system and putting it on a clean system will give you potentially untrustworthy data. In the worst-case scenario, you may actually have copied a back door hidden in the data.

• You can’t trust the event logs on a compromised system. Upon gaining full access to a system, it is simple for an attacker to modify the event logs on that system to cover any tracks. If you rely on the event logs to tell you what has been done to your system, you may just be reading what the attacker wants you to read.

• You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is useless. It may be a backup that includes all the back doors currently on the system.

• The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

The above quote taken from this page:
»www.microsoft.com/technet/commun···504.mspx

Not having the original install disk and/or backups prior to the compromise makes this option pretty much impossible. However, continuing to use this PC on the internet as a trusted machine is a risk for future use. It might be time for a new computer and retire this one.

I can tell you that I would not use it after this serious a breach. Give your friend this link if they do not understand what happens when your computer is wide open and under control of a remote access trojan:
Invasion of the Computer Snatchers
»www.washingtonpost.com/wp-dyn/co···342.html

That is the reality of what we are dealing with here. This PC has been so seriously compromised that I do not want to mislead you into thinking that this "cleaning" will reverse the potential of the damage already done. The fact that it was hosting multiple rootkits and backdoor trojans makes the breach pretty much a worst case scenario, with many of these problems you have seen thus far trying to "clean" the system.
Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II

»www.microsoft.com/technet/commun···704.mspx
quote:
with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. That’s where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals)
