GeekPolice
Welcome to GeekPolice.net!

From "wow" to "whoa" - we're teaching practical technology and helping others with tech support. Join our family here!

You are viewing the forum as a "Guest" which doesn't give you member privileges to ask questions or post comments.

Take 30 seconds to register or log in below and unlock the limitations of this website to discover new computer knowledge!

Help Virus Unknown

View previous topic View next topic Go down

Help Virus Unknown

Post by michelle0201 on Mon Dec 22, 2008 1:49 am

Can someone help me. I can't get on websites without some adware stuff comes up and messes up my computer. I can't even download anti virus due to this as well



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:59 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\802.11g Wireless LAN\Monitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [a017e528] rundll32.exe "C:\WINDOWS\system32\fylolrca.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\user\LOCALS~1\Temp\winloggn.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {20151c04-6020-402e-aee8-5b23bc7a5d09} - C:\WINDOWS\system32\mst122.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8037 bytes

michelle0201
Beginner
Beginner

Status :
Online
Offline

Posts : 3
Joined : 2008-12-22
OS : xp
Points : 29020
# Likes : 0

View user profile

Back to top Go down

Re: Help Virus Unknown

Post by Belahzur on Mon Dec 22, 2008 1:50 am


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Help Virus Unknown

Post by michelle0201 on Mon Dec 22, 2008 2:15 am

ComboFix 08-12-16.03 - user 2008-12-21 20:07:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1749 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\combogpfix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\user\Application Data\FunWebProducts
c:\documents and settings\user\Application Data\FunWebProducts\Data\user\avatar.dat
c:\documents and settings\user\Application Data\FunWebProducts\Data\user\register.dat
c:\documents and settings\user\Application Data\FunWebProducts\Data\user\zbucks.dat
c:\documents and settings\user\Application Data\gadcom
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
C:\setup.exe
c:\windows\system32\acrlolyf.ini
c:\windows\system32\ceedgMoq.ini
c:\windows\system32\ceedgMoq.ini2
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\fylolrca.dll
c:\windows\system32\nzojvx.dll
c:\windows\system32\qoMgdeec.dll
c:\windows\system32\qoywpnke.dll
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSScfmn.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxcp.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoity.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvoql.dll
c:\windows\system32\TDSSxhyf.log
c:\windows\system32\tyshb36rfjdf.dll

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-21 19:44 . 2008-12-21 19:44 d-------- c:\program files\Trend Micro
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Lavasoft
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-21 18:46 . 2008-12-21 18:46 d-------- c:\program files\SpywareBlaster
2008-12-21 18:46 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2008-12-21 18:46 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-12-21 18:25 . 2008-12-21 18:31 d-------- c:\windows\SxsCaPendDel
2008-12-21 18:25 . 2008-12-21 18:25 0 --a------ c:\windows\nsreg.dat
2008-12-21 18:15 . 2008-12-21 18:15 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-21 18:13 . 2008-12-21 18:13 d-------- c:\program files\Common Files\iS3
2008-12-21 18:13 . 2008-12-21 18:21 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-21 13:26 . 2008-12-21 13:26 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal
2008-12-21 13:25 . 2008-12-21 13:25 d-------- c:\program files\Defender
2008-12-21 12:52 . 2008-12-21 12:52 57,856 --a------ c:\windows\system32\tuvWpNee.dll
2008-12-21 12:49 . 2008-12-21 12:49 d-------- c:\documents and settings\user\Application Data\Skype
2008-12-21 12:46 . 2008-12-21 12:46 57,856 --a------ c:\windows\system32\tuvSkIcc.dll
2008-12-21 12:38 . 2008-12-21 12:38 57,856 --a------ c:\windows\system32\pmnoLcbb.dll
2008-12-21 12:38 . 2008-12-21 12:38 45,056 --a------ c:\windows\system32\ddccCRjH.dll
2008-12-15 15:51 . 2008-12-21 20:07 d-------- c:\program files\Common
2008-12-14 20:40 . 2008-12-14 20:40 151 --a------ c:\windows\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 23:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 02:15 --------- d-----w c:\program files\Shockwave.com
2008-11-14 02:15 --------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2008-11-14 01:04 --------- d-----w c:\documents and settings\user\Application Data\cerasus.media
2008-11-06 00:15 --------- d-----w c:\documents and settings\user\Application Data\Microsoft Games
2008-11-06 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Games
2008-11-06 00:13 --------- d-----w c:\program files\Microsoft Games
2008-10-27 01:43 --------- d-----w c:\documents and settings\user\Application Data\Aveyond II
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40AB7707-3AF4-4F7C-BDB9-8F02B1BA2875}]
2008-12-21 20:11 292352 --a------ c:\windows\system32\awtsPGWn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-21 12:38 57856 --a------ c:\windows\system32\pmnoLcbb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-14 155648]
"a017e528"="c:\windows\system32\itthomlg.dll" [2008-12-21 95744]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\user\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\802.11g Wireless LAN\Monitor.exe [2004-12-02 917504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\pmnoLcbb.dll" [2008-12-21 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoLcbb]
2008-12-21 12:38 57856 c:\windows\system32\pmnoLcbb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\awtsPGWn

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 Klmc;Klmc;c:\windows\system32\drivers\klmc.sys [2004-06-23 9939]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\iutlljbm.job
- c:\windows\system32\rundll32.exe [2006-02-28 06:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9AC34F41-52B5-4903-9DBF-45EB642A53D3} - c:\windows\system32\qoMgdeec.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - [You must be registered and logged in to see this link.]
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com

O16 -: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jysowtdi.default\
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-21 20:11:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\user\LOCALS~1\Temp\NEW3.tmp 3021 bytes
c:\windows\system32\nWGPstwa.ini 369 bytes
c:\windows\system32\nWGPstwa.ini2 369 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\pmnoLcbb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-21 20:13:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 02:13:47

Pre-Run: 234,681,655,296 bytes free
Post-Run: 235,047,612,416 bytes free

226 --- E O F --- 2008-12-18 09:00:45

michelle0201
Beginner
Beginner

Status :
Online
Offline

Posts : 3
Joined : 2008-12-22
OS : xp
Points : 29020
# Likes : 0

View user profile

Back to top Go down

Re: Help Virus Unknown

Post by Belahzur on Mon Dec 22, 2008 2:20 am

Hello.
Looking better, but still some crap to get rid of.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
PciCon

File::
c:\windows\system32\tuvWpNee.dll
c:\windows\system32\tuvSkIcc.dll
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\ddccCRjH.dll
c:\windows\system32\awtsPGWn.dll
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\itthomlg.dll
c:\windows\Tasks\iutlljbm.job
c:\docume~1\user\LOCALS~1\Temp\NEW3.tmp
c:\windows\system32\nWGPstwa.ini
c:\windows\system32\nWGPstwa.ini2
D:\PciCon.sys

Folder::
c:\program files\Common

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40AB7707-3AF4-4F7C-BDB9-8F02B1BA2875}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a017e528"=-
[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoLcbb]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Please post a new Hijack This log too.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Help Virus Unknown

Post by michelle0201 on Mon Dec 22, 2008 2:31 am

ComboFix 08-12-16.03 - user 2008-12-21 20:25:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1505 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\combogpfix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\docume~1\user\LOCALS~1\Temp\NEW3.tmp
c:\windows\system32\awtsPGWn.dll
c:\windows\system32\ddccCRjH.dll
c:\windows\system32\itthomlg.dll
c:\windows\system32\nWGPstwa.ini
c:\windows\system32\nWGPstwa.ini2
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\tuvSkIcc.dll
c:\windows\system32\tuvWpNee.dll
c:\windows\Tasks\iutlljbm.job
D:\PciCon.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\windows\system32\awtsPGWn.dll
c:\windows\system32\ddccCRjH.dll
c:\windows\system32\dhpmnb.dll
c:\windows\system32\erphvusq.dll
c:\windows\system32\glmohtti.ini
c:\windows\system32\itthomlg.dll
c:\windows\system32\nWGPstwa.ini
c:\windows\system32\nWGPstwa.ini2
c:\windows\system32\pmnoLcbb.dll
c:\windows\system32\tuvSkIcc.dll
c:\windows\system32\tuvWpNee.dll
c:\windows\Tasks\iutlljbm.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PCICON
-------\Service_PciCon


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-21 20:20 . 2008-12-21 20:20 d-------- c:\program files\Spybot - Search & Destroy
2008-12-21 20:20 . 2008-12-21 20:27 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 19:44 . 2008-12-21 19:44 d-------- c:\program files\Trend Micro
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Lavasoft
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-21 18:54 . 2008-12-21 18:54 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-21 18:46 . 2008-12-21 18:46 d-------- c:\program files\SpywareBlaster
2008-12-21 18:46 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2008-12-21 18:46 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-12-21 18:25 . 2008-12-21 18:31 d-------- c:\windows\SxsCaPendDel
2008-12-21 18:25 . 2008-12-21 18:25 0 --a------ c:\windows\nsreg.dat
2008-12-21 18:15 . 2008-12-21 18:15 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-21 18:13 . 2008-12-21 18:13 d-------- c:\program files\Common Files\iS3
2008-12-21 18:13 . 2008-12-21 18:21 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-21 13:26 . 2008-12-21 13:26 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal
2008-12-21 13:25 . 2008-12-21 13:25 d-------- c:\program files\Defender
2008-12-21 12:49 . 2008-12-21 12:49 d-------- c:\documents and settings\user\Application Data\Skype
2008-12-14 20:40 . 2008-12-14 20:40 151 --a------ c:\windows\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 23:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 02:15 --------- d-----w c:\program files\Shockwave.com
2008-11-14 02:15 --------- d-----w c:\documents and settings\All Users\Application Data\Shockwave
2008-11-14 01:04 --------- d-----w c:\documents and settings\user\Application Data\cerasus.media
2008-11-06 00:15 --------- d-----w c:\documents and settings\user\Application Data\Microsoft Games
2008-11-06 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Games
2008-11-06 00:13 --------- d-----w c:\program files\Microsoft Games
2008-10-27 01:43 --------- d-----w c:\documents and settings\user\Application Data\Aveyond II
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-14 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\user\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\802.11g Wireless LAN\Monitor.exe [2004-12-02 917504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dhpmnb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_SZ msv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 Klmc;Klmc;c:\windows\system32\drivers\klmc.sys [2004-06-23 9939]
.
- - - - ORPHANS REMOVED - - - -

BHO-{33ef43f2-13ee-4479-b8a0-5d9d223b6c51} - c:\windows\system32\dhpmnb.dll
BHO-{FCDFBE4A-876C-46A0-85C1-C74CD6F7F695} - c:\windows\system32\awtsPGWn.dll


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - [You must be registered and logged in to see this link.]
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jysowtdi.default\
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-21 20:27:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-21 20:29:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 02:29:43
ComboFix2.txt 2008-12-22 02:13:53

Pre-Run: 234,951,430,144 bytes free
Post-Run: 234,936,078,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

204 --- E O F --- 2008-12-18 09:00:45

michelle0201
Beginner
Beginner

Status :
Online
Offline

Posts : 3
Joined : 2008-12-22
OS : xp
Points : 29020
# Likes : 0

View user profile

Back to top Go down

Re: Help Virus Unknown

Post by Belahzur on Mon Dec 22, 2008 4:19 pm

Hello.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Please post a fresh Hijack This log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Help Virus Unknown

Post by Doctor Inferno on Sat Jan 24, 2009 10:19 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Points : 104564
# Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum