WnPc Virus: How do I get rid of it when Malaware is hijacked?

Post by jacknivison on 24th May 2009, 7:19 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:35 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Security Solutions Antivirus\bin\ClamTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Jack\Application Data\winav.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.IE5\YBYZAXPG\hijackgpthis[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\Security Solutions Antivirus\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Jack\Application Data\winav.exe
O4 - HKCU\..\Run: [ErrorFix] C:\Program Files\ErrorFix\ErrorFix.exe -boot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7941 bytes

A few days ago my computer was hacked by the WnPc Antivirus Security Center virus, which poses as a fake security center. I tried to download Malaware to get rid of it, but every time the download is close to being done, WnPc freezes it and stops it. I downloaded hijack and am waiting for your reply as to what to do next.

Above is my hijack logfile.

Re: WnPc Virus: How do I get rid of it when Malaware is hijacked?

Post by Origin on 24th May 2009, 8:42 pm

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
    O1 - Hosts: 94.232.248.66 antivirprotection.com
    O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
    O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - (no file)
    O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp

  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
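The checks Origin applied when picking the lines to fix, written up as an added Python example (not code from this thread, from HijackThis or from any tool named here): a proxy pointed at the local machine, an extra binary chained onto UserInit, hosts entries mapping names to a non-loopback address, a BHO with no file behind it, and autorun entries launched from a user profile or straight from the Windows root. The sample lines are copied from the posted log; the rule names and the allow-list are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\Security Solutions Antivirus\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\Jack\Application Data\winav.exe
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - <body>"
LOOPBACK = {"127.0.0.1", "::1"}                      # the only addresses a clean hosts file should map to
LOCAL_PROXY = re.compile(r"\b(localhost|127\.0\.0\.1)\b", re.I)
# Autoruns launched from a user-writable profile directory, or dropped straight into the Windows root
USER_PROFILE = re.compile(r"\\(Documents and Settings|Users)\\[^\\]+\\(Application Data|Local Settings|AppData)\\", re.I)
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
WINDIR_ROOT_OK = {"explorer.exe"}                    # assumed allow-list of binaries that do live in the Windows root

def _autorun_path(body: str) -> str:
    """Pull the executable path out of an O4 body: '[name] "path" args' or '[name] path args'."""
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    exe = re.match(r"(.*?\.exe)(\s|$)", cmd, re.I)
    return exe.group(1) if exe else cmd

def classify(line: str) -> List[str]:
    """Return the findings for one HijackThis line; an empty list means it looks benign."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    findings: List[str] = []
    if kind == "R1" and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip()
        if LOCAL_PROXY.search(value):          # browser traffic routed through a process on this machine
            findings.append("local proxy hijack: " + value)
    elif kind == "F2" and "UserInit=" in body:
        for item in body.split("UserInit=", 1)[1].split(","):
            item = item.strip()                # anything besides userinit.exe runs at every logon
            if item and not item.lower().endswith(r"\system32\userinit.exe"):
                findings.append("extra UserInit binary: " + item)
    elif kind == "O1":
        parts = body.split()                   # ["Hosts:", ip, hostname]
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            findings.append("hosts redirect: %s -> %s" % (parts[2], parts[1]))
    elif kind == "O2" and body.endswith("(no file)"):
        clsid = re.search(r"\{[0-9A-Fa-f-]+\}", body)
        findings.append("orphaned BHO: " + (clsid.group(0) if clsid else body))
    elif kind == "O4":
        path = _autorun_path(body)
        if path and USER_PROFILE.search(path):
            findings.append("autorun from user profile: " + path)
        elif path and WINDIR_ROOT.match(path) and path.rsplit("\\", 1)[1].lower() not in WINDIR_ROOT_OK:
            findings.append("autorun directly in Windows root: " + path)
    return findings

def scan(log: str) -> Dict[str, List[str]]:
    """Map every flagged log line to its findings, in log order."""
    report: Dict[str, List[str]] = {}
    for line in log.splitlines():
        found = classify(line)
        if found:
            report[line.strip()] = found
    return report

if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it reports seven entries, the same ones Origin ticked plus the two HKCU autoruns that ComboFix later removed; the ProxyOverride and the ::1 hosts line pass as benign.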

Re: WnPc Virus: How do I get rid of it when Malaware is hijacked?

Post by jacknivison on 24th May 2009, 10:52 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Re: WnPc Virus: How do I get rid of it when Malaware is hijacked?

Post by Origin on 24th May 2009, 11:49 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See [You must be registered and logged in to see this link.] for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Re: WnPc Virus: How do I get rid of it when Malaware is hijacked?

Post by jacknivison on 26th May 2009, 1:22 am

ComboFix 09-05-25.05 - Jack 05/25/2009 21:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.446 [GMT -4:00]
Running from: c:\documents and settings\Jack\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Microsoft Common
c:\windows\f23567.dat
c:\windows\ieocx.dll
c:\windows\system32\199638
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\UACxpnesejgddohsdi.sys
c:\windows\system32\mdm.exe
c:\windows\system32\UACctjmujvicceodcx.dll
c:\windows\system32\UACeyykyfmmatwpilt.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkdfxuqlmvmdjhgq.log
c:\windows\system32\UACkwuncniiohgvwvu.dll
c:\windows\system32\UAClmykygsarlwtuuo.dat
c:\windows\system32\UACmnvhajeosvjhghf.log
c:\windows\system32\UACmvppyaqnpjcuppi.dll
c:\windows\system32\UACrqpveopshovnklw.dll
c:\windows\system32\UACsvnxyojlqvosuvd.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\t55ft2668f44.dat

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\$NtServicePackUninstall$\proquota.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-26 to 2009-05-26 )))))))))))))))))))))))))))))))
.

2009-05-26 01:14 . 2004-08-04 07:56 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-26 01:14 . 2004-08-04 07:56 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-25 23:01 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-25 23:01 . 2009-05-26 01:09 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-25 23:01 . 2009-05-25 23:34 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-25 23:01 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-25 23:01 . 2009-05-25 23:02 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-25 23:01 . 2008-12-10 16:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-25 23:01 . 2009-05-26 01:07 -------- d-----w c:\program files\Spyware Doctor
2009-05-25 23:01 . 2009-05-25 23:01 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-25 23:01 . 2009-05-25 23:01 -------- d-----w c:\docume~1\Jack\APPLIC~1\PC Tools
2009-05-24 18:45 . 2009-05-24 19:00 -------- d-----w c:\docume~1\Jack\APPLIC~1\ErrorFix
2009-05-24 18:23 . 2009-05-24 18:27 -------- d-----w c:\documents and settings\Jack\Local Settings\Application Data\NOS
2009-05-24 18:21 . 2009-05-24 18:27 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-24 18:21 . 2009-05-24 18:21 -------- d-----w c:\program files\NOS
2009-05-24 15:18 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-24 15:18 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-24 15:18 . 2009-05-24 15:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-24 15:18 . 2009-05-24 15:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-12 19:48 . 2009-05-12 19:48 1244 ---h--w c:\windows\f5087.dat
2009-05-08 12:38 . 2009-05-08 12:38 -------- d-----w c:\docume~1\Jack\APPLIC~1\.clamwin
2009-05-08 12:38 . 2009-05-08 12:38 -------- d-----w c:\program files\Security Solutions Antivirus
2009-05-08 12:38 . 2009-05-08 12:38 -------- d-----w c:\documents and settings\All Users\.clamwin
2009-05-08 12:25 . 2009-05-23 16:33 -------- d-----w c:\program files\Spyware Protect 2009
2009-05-08 03:55 . 2009-05-08 03:55 -------- d-sh--w c:\documents and settings\Jack\IECompatCache
2009-05-08 02:14 . 2009-05-08 02:14 -------- d-sh--w c:\documents and settings\Jack\PrivacIE
2009-05-08 00:46 . 2009-05-08 00:46 -------- d-sh--w c:\documents and settings\Jack\IETldCache
2009-05-08 00:45 . 2009-05-08 00:45 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-08 00:23 . 2009-05-08 00:23 -------- d-----w c:\windows\system32\scripting
2009-05-08 00:23 . 2009-05-08 00:23 -------- d-----w c:\windows\l2schemas
2009-05-08 00:23 . 2009-05-08 00:23 -------- d-----w c:\windows\system32\en
2009-05-05 02:45 . 2009-05-05 02:45 -------- d-----w c:\windows\ie8updates
2009-05-05 02:38 . 2009-05-05 02:38 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-05 02:38 . 2009-05-05 02:44 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-05 02:38 . 2009-05-05 02:38 -------- d-----w c:\docume~1\Jack\APPLIC~1\Yahoo!
2009-05-05 02:37 . 2009-05-05 02:38 -------- d-----w c:\program files\Yahoo!
2009-05-05 02:35 . 2009-05-05 02:44 -------- dc-h--w c:\windows\ie8
2009-05-05 02:34 . 2009-05-05 02:46 -------- d--h--w c:\windows\msdownld.tmp
2009-05-05 02:32 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-03 15:28 . 2009-05-03 15:28 1174 ----a-w C:\DL32.bat
2009-05-03 15:27 . 2009-05-26 00:49 -------- d-----w c:\windows\system32\796525

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 03:46 . 2009-05-23 03:46 177 ----a-w c:\docume~1\Jack\APPLIC~1\asd.bat
2009-05-23 01:04 . 2009-05-23 01:04 1096704 ----a-w c:\docume~1\Jack\APPLIC~1\winav.exe
2009-05-19 18:19 . 2007-09-18 23:58 -------- d-----w c:\program files\Dl_cats
2009-05-08 11:28 . 2007-09-11 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-05-08 11:28 . 2007-09-11 04:06 -------- d-----w c:\docume~1\Jack\APPLIC~1\AVG7
2009-05-08 00:28 . 2007-09-10 04:50 77423 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-04-01 19:38 . 2007-09-12 00:37 -------- d-----w c:\program files\Java
2009-03-08 08:34 . 2006-06-23 15:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2003-07-16 20:32 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2003-07-16 20:25 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2003-07-16 20:49 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2003-07-16 20:23 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2003-07-16 20:30 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2003-07-16 20:30 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2003-07-16 20:35 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2003-07-16 20:35 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2003-07-16 20:36 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2003-07-16 20:41 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"AVScan"="c:\documents and settings\Jack\Application Data\winav.exe" [2009-05-23 1096704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [2005-10-21 425984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ClamWin"="c:\program files\Security Solutions Antivirus\bin\ClamTray.exe" [2008-08-07 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spyware Protect 2009\\avscan.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/25/2009 7:01 PM 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/25/2009 7:01 PM 348752]
S2 MOizlameq;MOizlameq;c:\windows\System32\svchost.exe -k netsvcs [7/16/2003 4:47 PM 14336]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/24/2009 2:21 PM 33176]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys --> c:\windows\system32\Drivers\mtk.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MOizlameq

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-ErrorFix - c:\program files\ErrorFix\ErrorFix.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-25 21:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-26 21:17
ComboFix-quarantined-files.txt 2009-05-26 01:17

Pre-Run: 2,014,011,392 bytes free
Post-Run: 2,757,771,264 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

190 --- E O F --- 2009-05-13 07:02

Re: WnPc Virus: How do I get rid of it when Malaware is hijacked?

Post by Origin on 27th May 2009, 12:22 am

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\f5087.dat
c:\windows\system32\796525
C:\DL32.bat
c:\docume~1\Jack\APPLIC~1\asd.bat
c:\docume~1\Jack\APPLIC~1\winav.exe


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]