I'm pretty sure I'm heavily infected


Post by bball1210 on 13th May 2009, 11:13 pm

I don't know what's going on in my PC at this point. When I turn it on and log into XP, it freezes after a few moments. I tried getting into safe mode, and it shuts down in the middle of the process. I know it's required for me to post HiJackThis logs and such, but I cannot even access my computer at this point. Something has really adversely affected my computer, and I don't know what to do. Any guidance would greatly be appreciated.

bball1210
Intermediate
Posts : 59
Joined : 2008-12-06
OS : Windows XP
Points : 29281
Likes : 0

Re: I'm pretty sure I'm heavily infected

Post by Belahzur on 13th May 2009, 11:15 pm

If normal/safe mode aren't working, can you try a last known good configuration? It's in the same F8 menu as the safe mode option.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34917
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245080
Likes : 1

Re: I'm pretty sure I'm heavily infected

Post by bball1210 on 13th May 2009, 11:19 pm

I just tried last known good configuration, a bunch of viruses popped up in my antivirus program, and then I got a blue screen eventually saying "fatal system error - the system has been shut down". Honestly I have no idea what happened... please help if possible.


Re: I'm pretty sure I'm heavily infected

Post by Belahzur on 13th May 2009, 11:20 pm

Well, at least you were able to boot.
I suspect the malware caused that BSOD, so try to boot again, at least until stable enough to get a log.



Re: I'm pretty sure I'm heavily infected

Post by bball1210 on 13th May 2009, 11:23 pm

OK, I got it somewhat stabilized:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:53 PM, on 5/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Rohit\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {1fa464fd-8d9f-d37a-43a4-0976af0fa4f3} - {3f4af0fa-6790-4a34-a73d-f9d8df464af1} - C:\WINDOWS\system32\kmypld.dll (file missing)
O2 - BHO: (no name) - {492D77CB-4873-4F2C-9BAD-F51800E41206} - C:\WINDOWS\system32\hgGywWqq.dll (file missing)
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\bYomjJya.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7e700404-c334-48db-8207-c25bb679d070} - C:\WINDOWS\system32\peguzidi.dll (file missing)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [gusiyafize] Rundll32.exe "C:\WINDOWS\system32\dagewoyo.dll",s
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\Rohit\Application Data\ptidle\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Save with Download Manager... - [You must be registered and logged in to see this link.] Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: kmypld.dll,C:\WINDOWS\system32\lutuhafa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: bYomjJya - bYomjJya.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

--
End of file - 7342 bytes


Re: I'm pretty sure I'm heavily infected

Post by Belahzur on 13th May 2009, 11:30 pm

Hello. Messy vundo infection you have there.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: {1fa464fd-8d9f-d37a-43a4-0976af0fa4f3} - {3f4af0fa-6790-4a34-a73d-f9d8df464af1} - C:\WINDOWS\system32\kmypld.dll (file missing)
    O2 - BHO: (no name) - {492D77CB-4873-4F2C-9BAD-F51800E41206} - C:\WINDOWS\system32\hgGywWqq.dll (file missing)
    O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\bYomjJya.dll (file missing)
    O2 - BHO: (no name) - {7e700404-c334-48db-8207-c25bb679d070} - C:\WINDOWS\system32\peguzidi.dll (file missing)
    O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKLM\..\Run: [gusiyafize] Rundll32.exe "C:\WINDOWS\system32\dagewoyo.dll",s
    O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
    O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
    O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\Rohit\Application Data\ptidle\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O20 - AppInit_DLLs: kmypld.dll,C:\WINDOWS\system32\lutuhafa.dll
    O20 - Winlogon Notify: bYomjJya - bYomjJya.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


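The entries the helper picked out above follow a few recognisable patterns: BHOs and Winlogon Notify handlers whose DLL is already gone, Run entries that launch .net/.tmp files or binaries under Application Data, anything at all in AppInit_DLLs, and the syllable-like generated file names (dagewoyo, lutuhafa, gusiyafize). The Python below is an added example, not HijackThis or the helper's own method, that applies those heuristics to lines constructed from the log posted above; the consonant-vowel name rule is my own heuristic, not a published signature.

```python
import re
from typing import List, Tuple

# Constructed sample: nine lines taken from the HijackThis log posted in this thread,
# mixing entries the helper asked to fix with entries that are legitimate.
SAMPLE_HJT = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {492D77CB-4873-4F2C-9BAD-F51800E41206} - C:\WINDOWS\system32\hgGywWqq.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [gusiyafize] Rundll32.exe "C:\WINDOWS\system32\dagewoyo.dll",s
O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\Rohit\Application Data\ptidle\ptidle.exe" 61A847B5
O20 - AppInit_DLLs: kmypld.dll,C:\WINDOWS\system32\lutuhafa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: bYomjJya - bYomjJya.dll (file missing)
"""

LAUNCHERS = ("rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32")
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp", "\\windows\\temp")
# Heuristic (mine): the generated names in this log are runs of consonant-vowel
# syllables; four or more in a row is rare in genuine vendor file names.
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,}$")
O4_RE = re.compile(r"O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)")


def run_target(cmd: str) -> str:
    """Return the file an O4 command line actually executes (the DLL for rundll32)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    target = m.group(1) or m.group(2)
    if target.lower().rsplit("\\", 1)[-1] in LAUNCHERS:
        dll = re.search(r'"?([^"\s,]+\.dll)"?', cmd[m.end():], re.IGNORECASE)
        if dll:
            target = dll.group(1)
    return target


def triage(log: str) -> List[Tuple[str, str]]:
    """Flag HijackThis lines matching the patterns the helper fixed in this thread."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        reasons = []
        if line.startswith(("O2 ", "O20 ")) and line.endswith("(file missing)"):
            reasons.append("load point references a file that no longer exists")
        if line.startswith("O2 ") and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is normally empty on XP")
        m = O4_RE.match(line)
        if m:
            name, target = m.group(1), run_target(m.group(2))
            low = target.lower()
            stem, _, ext = low.rsplit("\\", 1)[-1].rpartition(".")
            if ext not in ("exe", "dll"):
                reasons.append(f"Run entry launches a .{ext} file")
            if any(d in low for d in SUSPECT_DIRS):
                reasons.append("Run entry points into a profile/temp directory")
            if CV_NAME.match(name.lower()) or CV_NAME.match(stem):
                reasons.append("generated-looking consonant-vowel name")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_HJT):
        print(f"{why}\n    {hit}")
```

Run against the full log the same rules also pick up the peguzidi and kmypld BHOs and the second AppInit DLL; a clean XP box yields no findings.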

Re: I'm pretty sure I'm heavily infected

Post by bball1210 on 13th May 2009, 11:42 pm

Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

5/13/2009 7:41:58 PM
mbam-log-2009-05-13 (19-41-58).txt

Scan type: Quick Scan
Objects scanned: 95518
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Rohit\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthotqvbbuxxgphesmkypqduxanloyjitrs.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthrkvoakygkywdomktotevwlktifsrdqlx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ovfsthdoudjcobbjgtompdnlvrjnpjyowldgql.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\33.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\rasesnet.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\VqSSkqsw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\wesornmaxc.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\nwerxmcosa.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\ovfsthlqfqriuthx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\ovfsthqeesxytbya.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\ovfsthrvxwwbtmfk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\A820BDD2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\Temporary Internet Files\Content.IE5\SJOIL0ZN\33[1].exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Application Data\ptidle\ptidle.exe542 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthxekxnsvuyjiyuorllygxvrllatqdwlmy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthrovmgufwyugrmchshaqsfymjnhmppkfj.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthydtveuuklujccfbvjtfbxguuoowcjmnp.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\mousehook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rohit\Local Settings\temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: I'm pretty sure I'm heavily infected

Post by Belahzur on 13th May 2009, 11:45 pm

Wow, you also got yourself the ovfsth variant of TDSS.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: I'm pretty sure I'm heavily infected

Post by bball1210 on 13th May 2009, 11:48 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by Rohit at 19:47:04.73 on Wed 05/13/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1345 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rohit\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LXCICATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCItime.dll,_RunDLLEntry@16
mRun: [lxcimon.exe] "c:\program files\lexmark 7300 series\lxcimon.exe"
mRun: [EzPrint] "c:\program files\lexmark 7300 series\ezprint.exe"
IE: Download linked FLV with GetFLV - c:\program files\getflv\iemenu\DownloadLinkFLV.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save with Download Manager... - [You must be registered and logged in to see this link.] files\j river\media center 11\DMDownload.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGywWqq

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rohit\applic~1\mozilla\firefox\profiles\7qdh1rpk.default\
FF - prefs.js: browser.search.selectedEngine - Smogon
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-6 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-6 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-6 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2006-7-24 31744]
R3 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service --> c:\windows\system32\lxcicoms.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S0 zaxpahop;zaxpahop;c:\windows\system32\drivers\gumi.sys --> c:\windows\system32\drivers\gumi.sys [?]
S1 e444f507;e444f507;c:\windows\system32\drivers\e444f507.sys [2009-1-25 0]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AlcrFilt;Alcor Micro Corp;c:\windows\system32\drivers\AlcrFilt.sys [2003-2-24 22860]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\drivers\gbalink.sys [2007-1-6 19677]

=============== Created Last 30 ================

2009-05-13 19:04 57,472 a------- c:\windows\system32\drivers\nhsjbb.sys

==================== Find3M ====================

2009-05-10 11:14 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 11:14 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-08-17 19:52 47,360 a---h--- c:\docume~1\rohit\applic~1\pcouffin.sys
2006-09-10 11:52 81,920 a---h--- c:\docume~1\rohit\applic~1\ezpinst.exe
2009-02-05 14:36 437,850 a--sh--- c:\windows\system32\qqWwyGgh.ini2
2008-12-20 19:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122020081221\index.dat

============= FINISH: 19:47:38.46 ===============


Re: I'm pretty sure I'm heavily infected

Post by Belahzur on 13th May 2009, 11:53 pm

Hello. Where did you get yourself this? You've also got a spambot rootkit.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to delete:
zaxpahop
e444f507

Files to delete:
C:\WINDOWS\system32\drivers\e444f507.sys
C:\WINDOWS\system32\drivers\nhsjbb.sys
c:\windows\system32\qqWwyGgh.ini2

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


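The registry fix above resets two values that the DDS log shows carrying extra entries: digeste.dll appended to SecurityProviders, and c:\windows\system32\hgGywWqq registered as an LSA authentication package alongside msv1_0 (both are loaded by lsass.exe at boot, which is why they survive ordinary cleanup). The Python below is an added example, not the helper's tool, that compares those DDS lines with the XP defaults quoted in the fix and generates the corresponding .reg lines. One caveat on encoding: regedit exports REG_MULTI_SZ under a "Windows Registry Editor Version 5.00" header as UTF-16LE bytes, so the encoder here emits two bytes per character; the single-byte form is what a REGEDIT4 (ANSI) file uses.

```python
from typing import Dict, List

# XP defaults for the two values, as restored by the fix.reg in this thread.
DEFAULT_SECURITY_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

# Constructed sample: the two relevant lines from the DDS log posted above.
SAMPLE_DDS = r"""
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGywWqq
"""


def parse_dds(log: str) -> Dict[str, List[str]]:
    """Extract SecurityProviders and LSA Authentication Packages from a DDS log."""
    out: Dict[str, List[str]] = {}
    for line in log.splitlines():
        if line.startswith("SecurityProviders:"):
            out["SecurityProviders"] = [p.strip() for p in line.split(":", 1)[1].split(",") if p.strip()]
        elif line.startswith("LSA: Authentication Packages ="):
            out["Authentication Packages"] = line.split("=", 1)[1].split()
    return out


def extras(found: List[str], baseline: List[str]) -> List[str]:
    """Entries present on the machine that are not in the known-good baseline."""
    known = {b.lower() for b in baseline}
    return [e for e in found if e.lower() not in known]


def multi_sz_hex7(values: List[str]) -> str:
    """Encode REG_MULTI_SZ as regedit exports it in a 'Version 5.00' file:
    UTF-16LE, each string NUL-terminated, plus one more NUL ending the list."""
    raw = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_hex7(text: str) -> List[str]:
    """Inverse of multi_sz_hex7, for checking a fix before importing it."""
    raw = bytes(int(h, 16) for h in text[len("hex(7):"):].split(","))
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def build_fix_reg(parsed: Dict[str, List[str]]) -> str:
    """Emit .reg lines resetting only the values that carry unexpected entries."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if extras(parsed.get("SecurityProviders", []), DEFAULT_SECURITY_PROVIDERS):
        lines += [r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]",
                  '"SecurityProviders"="%s"' % ", ".join(DEFAULT_SECURITY_PROVIDERS), ""]
    if extras(parsed.get("Authentication Packages", []), DEFAULT_AUTH_PACKAGES):
        lines += [r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
                  '"Authentication Packages"=' + multi_sz_hex7(DEFAULT_AUTH_PACKAGES), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_DDS)
    print("extra providers:", extras(parsed["SecurityProviders"], DEFAULT_SECURITY_PROVIDERS))
    print("extra auth packages:", extras(parsed["Authentication Packages"], DEFAULT_AUTH_PACKAGES))
    print(build_fix_reg(parsed))
```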

Re: I'm pretty sure I'm heavily infected

Post by bball1210 on 14th May 2009, 12:00 am

I have no idea how any of this happened. Guess this is what happens when you leave a desktop to a 10 year old sibling haha.

Seems to be a problem. I followed the above steps, and after Avenger rebooted my system, the computer froze on the XP start-up screen, before all the user accounts are shown. What should I do now?

Edit: Nevermind, it is just loading really really slowly. I'll copy the log in the next post.


Re: I'm pretty sure I'm heavily infected

Post by Belahzur on 14th May 2009, 12:02 am

Try safe mode/last known good config again. I've known a machine to crash on a run of The Avenger; sometimes it works in safe mode/last known good.



Post by bball1210 on 14th May 2009, 12:08 am

Even on last known good config, the user account list loads really slowly. For some reason, the toolbar at the bottom was gone as well (Start icon, etc.). I'm retrying now, and it's not loading up at all, hanging on the user account list. I'll try safe mode afterwards.


Post by bball1210 on 14th May 2009, 12:12 am

Sorry for double posting, but I got it to load. My desktop has no start menu or the bottom toolbar for that matter. Here is the avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "zaxpahop" deleted successfully.
Driver "e444f507" deleted successfully.
File "C:\WINDOWS\system32\drivers\e444f507.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\nhsjbb.sys" deleted successfully.
File "c:\windows\system32\qqWwyGgh.ini2" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

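As an added example (not part of the thread, and not a tool from the helper or from The Avenger's author): a small Python parser for the avenger.txt format shown above. It lists what was removed, flags any entry that did not report success, and points out deleted driver services with no matching deleted .sys file, which is what a reviewer checks before declaring a run clean. The entry-line shape, the failure handling and the sample log are assumptions built from the single log on this page.

```python
import re

# Constructed sample with the same entries as the C:\avenger.txt log quoted
# above (banner and blank lines dropped); not a file taken from the user's PC.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
Backups directory opened successfully at C:\Avenger
Rootkit scan active.
No rootkits found!
Driver "zaxpahop" deleted successfully.
Driver "e444f507" deleted successfully.
File "C:\WINDOWS\system32\drivers\e444f507.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\nhsjbb.sys" deleted successfully.
File "c:\windows\system32\qqWwyGgh.ini2" deleted successfully.
Completed script processing.
Finished! Terminate."""

# Assumption: action entries have the  Kind "target" result.  shape seen in the
# thread's log, and any result other than "deleted successfully" is a failure.
ACTION_RE = re.compile(r'^(?P<kind>\w+) "(?P<target>[^"]+)" (?P<result>.+?)\.?$')
BACKUP_RE = re.compile(r"^Backups directory opened successfully at (?P<dir>.+)$")


def parse_avenger_log(text):
    """Summarise an Avenger run: what was removed, what was not, completion."""
    report = {"platform": None, "backup_dir": None, "rootkits_found": None,
              "deleted": [], "not_deleted": [], "completed": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Platform: "):
            report["platform"] = line[len("Platform: "):]
        elif (m := BACKUP_RE.match(line)):
            report["backup_dir"] = m.group("dir")
        elif line == "No rootkits found!":
            report["rootkits_found"] = False  # None = not reported, check by hand
        elif line == "Completed script processing.":
            report["completed"] = True
        elif (m := ACTION_RE.match(line)):
            entry = (m.group("kind"), m.group("target"))
            if m.group("result") == "deleted successfully":
                report["deleted"].append(entry)
            else:
                report["not_deleted"].append(entry + (m.group("result"),))
    return report


def drivers_without_deleted_file(report):
    """Deleted driver services whose name matches no deleted .sys basename: a
    prompt to confirm the file was covered (service and file names can differ)."""
    sys_names = {t.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
                 for k, t in report["deleted"] if k == "File" and t.lower().endswith(".sys")}
    return [t for k, t in report["deleted"] if k == "Driver" and t.lower() not in sys_names]
```

Run it over a real avenger.txt by passing the file's contents to parse_avenger_log; an empty not_deleted list plus completed == True is the "script ran as written" condition, and anything in drivers_without_deleted_file is worth a second look rather than a verdict.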

Post by Belahzur on 14th May 2009, 12:14 am

Hello.
Open the Task Manager by alt/ctrl/del.

Go into the "Applications" tab, press "New Task..."
Type in "Explorer" and hit okay.

Does your Task Bar load now?



Post by bball1210 on 14th May 2009, 12:17 am

Nope, there is already an explorer.exe process running. After adding another Explorer process, some new window opened (My Documents in a tree-like orientation).


Post by Belahzur on 14th May 2009, 12:19 am

Might just need to reboot one/two more times to clear the run of the avenger. Sometimes helps.

Anyhow, how is the machine running now? No more popups?



Post by bball1210 on 14th May 2009, 12:25 am

Well, it's still a bit slow. I'm gonna reboot a few times to see if I can fix this Start Menu thing. Are all the malware / trojans gone?

Edit: I still have the startup issue, where it hangs on the thing right before all the user-accounts pop up. Can this be fixed? It looks like Avenger has messed up some of the boot-up things...


Last edited by bball1210 on 14th May 2009, 12:27 am; edited 1 time in total


Post by Belahzur on 14th May 2009, 12:26 am

Well, you had a very messy infection. I'm not surprised that it's left a mark or two on your machine, but other than that, the logs look good to me.



Post by bball1210 on 14th May 2009, 12:30 am

Start-up issue is still unsolved. It seems like Avenger left some marks, the most notable being the Start Menu gone (along with the entire bottom toolbar as a whole). Additionally, the machine loads up really slowly on boot-up. It takes forever for my user account to load, and it also takes quite some time for XP to list the user accounts on the machine.


Post by Belahzur on 14th May 2009, 12:34 am

Not always the tool's fault; some malware doesn't like being removed that easily and tends to fight back. That's why I chose The Avenger: the rootkit I had to delete in that script is called Zrizbi, and it can be rather stubborn sometimes.



Post by bball1210 on 14th May 2009, 12:41 am

Well, is there any way to fix this start-up issue? I feel like some of the tools removed the malware while also messing with some start-up processes. Like I said, it loads really slowly now and there is no Start Menu or Taskbar. Additionally, I can't drag and drop anything on the desktop anymore (for example, I can't drag stuff, period, into the Recycle Bin). Seems like some bad was removed, and more bad has been added...


Post by Belahzur on 14th May 2009, 10:36 am

We can try to kill some startup items/services that are unneeded, but as I already said, this was quite the messy infection and it doesn't always like being removed.



Post by bball1210 on 15th May 2009, 4:24 am

I've solved the problem using ComboFix. My Start Menu and Taskbar are back, as well as the other problematic functions. At this point I'm gonna run a clean-install of XP again because I feel that the computer needs to start fresh.

Thanks for your help as always.
