System Security Virus log included

Post by kegan on 8th July 2009, 11:43 pm

Hello, the System Security Virus just opened on my computer a few days ago, without provocation. It's keeping me from opening anything, including virus removal programs such as malware removal tool.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:06 PM, on 7/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\16426564\16426564.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\services.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\lsass.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\svchost.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\csrss.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\winlogon.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\smss.exe
C:\Documents and Settings\Chris\Desktop\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\system32\gsf83iujid.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] __"C:\Program Files\iTunes\iTunesHelper.exe"__
O4 - HKLM\..\Run: [16426564] C:\Documents and Settings\All Users\Application Data\16426564\16426564.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Chris\LOCALS~1\Temp\w1sn63ujt.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Chris\LOCALS~1\Temp\w1sn63ujt.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Chris\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Chris\LOCALS~1\Temp\b.exe
O4 - Startup: Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O4 - Startup: ihaupd32.exe
O4 - Startup: zqosys32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BF8BF16-1F49-45CB-B322-31D0709A7DE7}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{D51B91F2-FD70-4C0E-87D2-2D3904B18AFE}: Domain = ph.cox.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{D51B91F2-FD70-4C0E-87D2-2D3904B18AFE}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{6BF8BF16-1F49-45CB-B322-31D0709A7DE7}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{6BF8BF16-1F49-45CB-B322-31D0709A7DE7}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6,85.255.112.20
O20 - AppInit_DLLs: ,C:\DOCUME~1\Chris\LOCALS~1\Temp\203650296749mxx.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6507 bytes

Re: System Security Virus log included

Post by kegan on 9th July 2009, 12:01 am

I'm not sure it matters, but I left HijackThis open, and my computer shut itself off... I'm not sure if that will change anything or not.

Re: System Security Virus log included

Post by Belahzur on 9th July 2009, 12:44 am

Hello.

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\system32\gsf83iujid.dll
    O4 - HKLM\..\Run: [iTunesHelper] __"C:\Program Files\iTunes\iTunesHelper.exe"__
    O4 - HKLM\..\Run: [16426564] C:\Documents and Settings\All Users\Application Data\16426564\16426564.exe
    O4 - HKCU\..\Run: [] C:\DOCUME~1\Chris\LOCALS~1\Temp\w1sn63ujt.exe
    O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Chris\LOCALS~1\Temp\w1sn63ujt.exe
    O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Chris\LOCALS~1\Temp\smss.exe
    O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Chris\LOCALS~1\Temp\b.exe
    O4 - Startup: Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
    O4 - Startup: ihaupd32.exe
    O4 - Startup: zqosys32.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6BF8BF16-1F49-45CB-B322-31D0709A7DE7}: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D51B91F2-FD70-4C0E-87D2-2D3904B18AFE}: Domain = ph.cox.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D51B91F2-FD70-4C0E-87D2-2D3904B18AFE}: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{6BF8BF16-1F49-45CB-B322-31D0709A7DE7}: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CS2\Services\Tcpip\..\{6BF8BF16-1F49-45CB-B322-31D0709A7DE7}: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6,85.255.112.20
    O20 - AppInit_DLLs: ,C:\DOCUME~1\Chris\LOCALS~1\Temp\203650296749mxx.dll
    O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

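
The entries Belahzur asks kegan to tick share a few patterns a triage script can pick out of the posted log: core Windows process names running from Temp or the Desktop, nameless or Temp-based Run keys, an O7 policy that disables regedit, O17 resolvers outside an allowlist, an AppInit_DLLs hook, and one CLSID registered both as a BHO (O2) and as a SharedTaskScheduler entry (O22). This is an added example, not part of the thread or of HijackThis; the directory heuristics and the resolver allowlist are assumptions, and the log excerpt is constructed from the entries posted above.

```python
"""Triage a HijackThis log for the patterns seen in this thread.

Added example, not part of the forum post or of HijackThis/MBAM: it re-reads a
constructed excerpt of the log kegan posted and flags the entries a removal
helper checks first.  The path heuristics and the resolver allowlist are
assumptions for illustration, not HijackThis's own rules.
"""
import re
from collections import defaultdict

# Core Windows processes that legitimately load only from %SystemRoot%\system32.
CORE_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Directories a dropper commonly runs from (assumption, tuned to this log).
SUSPECT_DIRS = re.compile(r"\\(temp|desktop|application data)\\", re.I)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")

# Constructed excerpt of the log posted in the thread (entries copied as posted).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\lsass.exe
C:\Documents and Settings\Chris\Desktop\winlogon.exe

O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\system32\gsf83iujid.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Chris\LOCALS~1\Temp\w1sn63ujt.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Chris\LOCALS~1\Temp\smss.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6,85.255.112.20
O20 - AppInit_DLLs: ,C:\DOCUME~1\Chris\LOCALS~1\Temp\203650296749mxx.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll
"""


def exe_path(target):
    """Strip a quoted command line down to its executable path."""
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def masquerading(path):
    """A core process name loaded from anywhere but system32."""
    return basename(path) in CORE_PROCS and "\\system32\\" not in path.lower()


def triage(log_text, trusted_resolvers=frozenset()):
    """Return (category, detail) findings for one HijackThis log."""
    findings = []
    clsids = defaultdict(set)  # CLSID -> HijackThis sections it appears in
    in_procs = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False  # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if masquerading(line):
                findings.append(("process-masquerade", line))
            continue
        section = line.split(" - ", 1)[0]
        for clsid in CLSID_RE.findall(line):
            clsids[clsid.lower()].add(section)
        if m := O4_RE.match(line):
            name, path = m.group(1), exe_path(m.group(2))
            if not name or SUSPECT_DIRS.search(path) or masquerading(path):
                findings.append(("suspicious-run-entry", line))
        elif section == "O7":
            # HijackThis only lists O7 for restrictive policies (here DisableRegedit=1).
            findings.append(("policy-restriction", line))
        elif m := O17_RE.match(line):
            for ip in m.group(1).split(","):
                if ip.strip() not in trusted_resolvers:
                    findings.append(("untrusted-resolver", ip.strip()))
        elif m := O20_RE.match(line):
            for dll in filter(None, m.group(1).split(",")):
                findings.append(("appinit-dll", dll))
    # The same CLSID registered both as a BHO (O2) and as a SharedTaskScheduler
    # entry (O22) is one component given two load paths into Explorer/IE.
    for clsid, sections in clsids.items():
        if {"O2", "O22"} <= sections:
            findings.append(("bho-with-sharedtaskscheduler", clsid))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:30} {detail}")
```

Pass the resolvers the machine is expected to use as `trusted_resolvers`; with an empty allowlist every O17 NameServer is reported for review, which is how HijackThis itself treats the section.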

Re: System Security Virus log included

Post by Origin on 9th July 2009, 12:56 am

I had the exact same message.


Re: System Security Virus log included

Post by kegan on 9th July 2009, 1:09 am

Here's the log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/8/2009 5:58:50 PM
mbam-log-2009-07-08 (17-58-50).txt

Scan type: Quick Scan
Objects scanned: 79566
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Ertfor) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d51b91f2-fd70-4c0e-87d2-2d3904b18afe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.6,85.255.112.20 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d51b91f2-fd70-4c0e-87d2-2d3904b18afe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.6,85.255.112.20 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{d51b91f2-fd70-4c0e-87d2-2d3904b18afe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.6,85.255.112.20 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{d51b91f2-fd70-4c0e-87d2-2d3904b18afe}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.6,85.255.112.20 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gaopdxlkkutrjq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\local settings\Temp\~TM9C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\local settings\Temp\~TMA3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\start menu\Programs\system security\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv301246392343.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv751245771011.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Local Settings\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Local Settings\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\gaopdxdukngyga.sys (Trojan.Agent) -> Quarantined and deleted successfully.


And I've just restarted my machine, and it seems to have booted up just fine.

Thanks for all your help, you've really saved me--especially since the backups of my After Effects projects were on this hard drive, and my originals are gone.


Re: System Security Virus log included

Post by Belahzur on 9th July 2009, 1:22 am

Hello.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Avast)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Re: System Security Virus log included

Post by kegan on 9th July 2009, 7:02 pm

The file is far too big to post. I even tried cutting it in half, and it's still too big. Any suggestions?


Re: System Security Virus log included

Post by Belahzur on 9th July 2009, 7:09 pm

Please upload it to rapidshare.com for me to see.
It will give you a share link for you to copy/paste back here.


Re: System Security Virus log included

Post by kegan on 9th July 2009, 7:48 pm

Here it is!!

[You must be registered and logged in to see this link.]


Re: System Security Virus log included

Post by Belahzur on 9th July 2009, 8:06 pm

Oh my, what a mess, this machine is badly damaged, I don't know why you're still able to boot normally.

While I'm getting a fix ready, I want to uninstall a few things.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Re: System Security Virus log included

Post by kegan on 9th July 2009, 8:24 pm

ABC Amber CHM Converter
Adobe After Effects 7.0
Adobe After Effects CS3
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Setup
Adobe Stock Photos 1.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Ahead NeroVision Express
Air Mouse Server
Alarm Clock Pro
AoA DVD Ripper
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
avast! Antivirus
Azureus
Bonjour
Catalyst Control Center - Branding
CCleaner (remove only)
ComicRack v0.9.15
Cucusoft PSP Video Converter 3.16
DarkCrusade
dBpoweramp m4a Codec
dBpoweramp m4b Audio book Encoder
dBpoweramp Music Converter
DiscWizard for Windows
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Doom 3
DVD-lab PRO 2.2
EAX Unified
EPSON Printer Software
Final Draft 7
Final Fantasy VII - Ultima Edition
Final Fantasy VII XP Patch
Gadwin PrintScreen
GenArts Sapphire Plug-ins Version 1.07 for After Effects
Genuine Fractals PrintPro
Google Talk (remove only)
Haali Media Splitter
Heroes of Might and Magic V Collector Edition
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
IObit SmartDefrag Beta4.03
iTunes
J2SE Runtime Environment 5.0 Update 6
JAP
MacDrive 6
Magic ISO Maker v5.4 (build 0247)
Malwarebytes' Anti-Malware
Matroska Pack
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
MobileMe Control Panel
Monkey's Audio
Mozilla Firefox (3.0.7)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MyVideoConverter 1.34
n52te Editor
Nero - Burning Rom
Netflix Movie Viewer
nik Color Efex Pro 2.0 IE
NVIDIA Drivers
PeerGuardian 2.0
PowerDVD
PSP Action Replay
Quake III Arena
QuickTime
Real Alternative 1.50
RealPlayer
Realtek High Definition Audio Driver
Seagate DiscWizard
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shockwave
Simplify Media
Starcraft
Tablet
TMPGEnc DVD Author 3 with DivX Authoring
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
WalkerFX 2.2 Professional Edition
Warhammer 40,000: Dawn Of War - Platinum Edition
Winamp
Winamp Remote
Winamp Toolbar
Windows Driver Package - Belkin (HidUsb) HIDClass (01/11/2007 1.0)
Windows Driver Package - MOTOROLA (uisp) USB (09/08/2006 1.2.0.0)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinX Burner Master
WinZip
World of Warcraft
Xfire (remove only)
XviD 1.1 final uninstall


Re: System Security Virus log included

Post by Belahzur on 9th July 2009, 8:37 pm

I see that you are running Azureus and uTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Azureus
    J2SE Runtime Environment 5.0 Update 6

Next, please download the [You must be registered and logged in to see this link.]

  • Visit the above page and select the second download button to get the system repair engineer.
  • Download the zip file to your Desktop, then extract it.
  • Next, double click to run SREngLdr.EXE, ignore any window alerts that appear in the corner of your screen.
  • Then press the "System Repair" button, and go into the "Advanced Repair" tab.
  • Press the "Restore Safe Mode", okay any prompts, then reboot normally.

After reboot, we need to run a CFScript.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
74c31953

File::
c:\windows\system32\drivers\74c31953.sys
C:\ctxl.exe
C:\rklrahe.exe

Folder::
c:\Program Files\Azureus
c:\Program Files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50121:TCP"=-
"48212:UDP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"50121:TCP"=-
"48212:UDP"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.
