Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

avsystemcare infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

avsystemcare infection

Unread postby hematex » September 20th, 2007, 3:41 pm

I am very frustrated with this malware. It has hijacked everything and blocked every possible way that I know to remove it. Also, I can't seem to uninstall Symantec Antivirus. :cry: Your help would be greatly appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 2:33:27 PM, on 9/20/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\freecell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&m ... PLHSEM&O=I
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .lnk = ?
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9288590140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9288663546
O20 - AppInit_DLLs: systems.txt
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server lanmanserverClipSrv (lanmanserverClipSrv) - Unknown owner - C:\WINDOWS\System32\rt26.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top
Advertisement
Register to Remove

Unread postby Katana » September 20th, 2007, 4:39 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.


Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

You appear to have an unpatched copy of XP, is there a reason for this ?
Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Top

Unread postby hematex » September 20th, 2007, 7:52 pm

There is no reason for having an unpached copy. Here is the report. I had to open the file with notepad in order to copy it, so it may not be correct. If I need to do it another way, please let me know how. Thanks.



PÃ  ª  &Text   «  ª « &OEM Text Diagnostic Report (1.7.0039.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Detailed Status: N/A
Cached / Grace status: N/A, N/A
Windows Product Key: *****-*****-CTK4J-JD3RT-8QVCG
Windows Product Key Hash: pi5qj7TXWjWs3MvHB44+KJaNMxY=
Windows Product ID: 55277-OEM-2111907-00238
Windows Product ID Type: 2
CSVLK Server: N/A
CSVLK PID: N/A
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.0.0.hom
ID: {D241D759-B963-45C5-A8A9-F70B71B8F229}(3)
Is Admin: Yes
Commit / Reboot / BRT: N/A, N/A, N/A
WGA Version: Registered, 1.7.36.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2993-80070002_B4D0AA8B-470-80070002

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{D241D759-B963-45C5-A8A9-F70B71B8F229}</UGUID><Version>1.7.0039.0</Version><OS>5.1.2600.2.00010300.0.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-8QVCG</PKey><PID>55277-OEM-2111907-00238</PID><PIDType>2</PIDType><SID>S-1-5-21-720897496-3569660965-3179742922</SID><SYSTEM><Manufacturer>vpr Matrix, Inc. </Manufacturer><Model>226R </Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>BT84510A.31T.0005.P04.0206181600</Version><SMBIOSVersion major="2" minor="3"/><Date>20020618******.******+***</Date><SLPBIOS>vpr Matrix</SLPBIOS></BIOS><HWID>21903AF701843462</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>vpr Matrix â„¢</name><model>Personal Computer</model></SBID><OEM/></MachineData> <Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults>
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top

Unread postby Katana » September 20th, 2007, 8:00 pm

Update Your Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Reply button.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Top

Unread postby hematex » September 21st, 2007, 12:09 am

Logfile of HijackThis v1.99.1
Scan saved at 11:07:12 PM, on 9/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&m ... PLHSEM&O=I
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .lnk = ?
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9288590140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9288663546
O20 - AppInit_DLLs: systems.txt
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server lanmanserverClipSrv (lanmanserverClipSrv) - Unknown owner - C:\WINDOWS\System32\rt26.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top

Unread postby Katana » September 21st, 2007, 3:46 am

SmitFraud Look
Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Top

Unread postby hematex » September 21st, 2007, 11:01 am

SmitFraudFix v2.226

Scan done at 10:00:48.82, Fri 09/21/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 http://www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\svchost.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\printer.exe FOUND !
C:\WINDOWS\system32\WinAvXX.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\David\STARTM~1\Programs\Startup\system.exe FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="systems.txt"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top

Unread postby Katana » September 21st, 2007, 11:47 am

Hi Hematex,

Download AVG Anti-Spyware
Please download AVG Anti-Spyware. to your Desktop or to your usual Download Folder.
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot in safe mode
You will now need to reboot in safe mode, you will not have internet access whilst you do the next part
Please copy/paste or print the following instructions.

To reboot in safe mode
You can boot in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit enter.

Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the Apply all Actions button.
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Please post:
  1. c:\rapport.txt
  2. AVG log
  3. A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Top

Unread postby hematex » September 21st, 2007, 12:31 pm

Ok, I cannot run the smitfraudfix successfully. When the program tries to do the registy, I get a message that registry access has been disabled by the administrator. This has been a problem with this malware, I has lost all of my administrative functions. Any ideas? Thanks...
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top

Unread postby Katana » September 21st, 2007, 12:44 pm

After you boot to safe mode, and before you use SmitFraud Fix do this.

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Now run SmitfraudFix and AVG as per the previous instructions.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Top

Unread postby hematex » September 21st, 2007, 1:25 pm

I went through the HJT and fixed the line, but its still doing the same thing. I get a prompt twice saying Registry editing has been disabled by the administrator, then the smithfraud fix begins the disk cleanup, and it seems to lock up.
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top

Unread postby Katana » September 21st, 2007, 1:55 pm

Hi hematex,
Lets try a different method.

Download and Run ComboFix

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post the ComboFix Log along with a fresh HJT log in your reply.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Top

Unread postby hematex » September 21st, 2007, 2:06 pm

Hi Katana, here is the Combofix log-

ComboFix 07-09-21.2 - "David" 2007-09-21 12:59:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.679 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\David\STARTM~1\Programs\Startup\.lnk
C:\Temp\fse
C:\tskmgr.exe
C:\WINDOWS\1.exe
C:\WINDOWS\system32\drivers\ohctusb.sys
C:\WINDOWS\system32\drivers\ohctusb.syt
C:\WINDOWS\system32\drivers\ohcuusb.sys
C:\WINDOWS\system32\drivers\ohcuusb.syt
C:\WINDOWS\system32\f11WtR
C:\WINDOWS\system32\help.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GENERAL_SOCKET_SERVICE
-------\LEGACY_OHCTUSB
-------\General Socket Service
-------\ohctusb


((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-21 12:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-21 12:21 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-09-21 11:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-09-21 11:13 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-09-21 11:13 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-09-21 11:13 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-09-21 11:08 10,872 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-09-21 10:01 2,460 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-20 22:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-20 22:38 <DIR> d-------- C:\WINDOWS\ehome
2007-09-20 22:31 42,537 --a------ C:\WINDOWS\SYSTEM32\keyboard.sys
2007-09-20 22:31 169,984 --a------ C:\WINDOWS\SYSTEM32\sccbase.dll
2007-09-20 18:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-09-20 14:59 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-09-19 19:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-19 15:44 <DIR> d-------- C:\DOCUME~1\David\.housecall6.6
2007-09-19 13:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-09-19 11:05 <DIR> d-------- C:\Temp
2007-09-18 16:49 109 --ahs---- C:\WINDOWS\SYSTEM32\1148250889.dat
2007-09-17 10:38 22,948 --a------ C:\WINDOWS\SYSTEM32\rt28.exe
2007-09-14 10:13 73,728 --a------ C:\WINDOWS\SYSTEM32\dllcache\nmcom.dll
2007-09-14 10:13 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-09-14 10:13 593,408 --a------ C:\WINDOWS\SYSTEM32\dllcache\h323msp.dll
2007-09-14 10:13 40,960 --------- C:\WINDOWS\SYSTEM32\dllcache\evtgprov.dll
2007-09-14 10:13 364,544 --a------ C:\WINDOWS\SYSTEM32\dllcache\callcont.dll
2007-09-14 10:13 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-09-14 10:13 36,864 --a------ C:\WINDOWS\SYSTEM32\dllcache\mf3216.dll
2007-09-14 10:13 253,952 --a------ C:\WINDOWS\SYSTEM32\dllcache\mst120.dll
2007-09-14 10:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-14 10:07 26,112 --a------ C:\WINDOWS\SYSTEM32\xpsp1hfm.exe
2007-09-14 10:07 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-09-09 00:03 <DIR> d-------- C:\Program Files\DIFX
2007-09-09 00:02 81,920 --a------ C:\WINDOWS\SYSTEM32\FTD2XX.dll
2007-09-09 00:02 77,824 --a------ C:\WINDOWS\SYSTEM32\FTDIUNIN.exe
2007-09-09 00:02 34,639 --a------ C:\WINDOWS\SYSTEM32\drivers\FTD2XX.sys
2007-09-09 00:02 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-09-09 00:02 <DIR> d-------- C:\Program Files\Superchips
2007-09-08 17:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-09-08 16:59 7,680 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx2.dll
2007-09-08 16:59 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-09-08 16:59 7,168 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx3.dll
2007-09-08 16:59 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-09-08 16:59 361,984 --a------ C:\WINDOWS\SYSTEM32\dllcache\qmgr.dll
2007-09-08 16:59 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-09-08 16:59 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-09-08 16:59 17,408 --a------ C:\WINDOWS\SYSTEM32\dllcache\qmgrprxy.dll
2007-09-08 16:59 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-09-08 16:58 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-09-08 16:57 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-09-08 16:57 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-09-08 16:57 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-09-08 16:57 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-09-08 00:35 69,632 --a------ C:\WINDOWS\SYSTEM32\lfgif13n.dll
2007-09-08 00:35 57,344 --a------ C:\WINDOWS\SYSTEM32\lfbmp13n.dll
2007-09-08 00:35 462,848 --a------ C:\WINDOWS\SYSTEM32\ltkrn13n.dll
2007-09-08 00:35 450,560 --a------ C:\WINDOWS\SYSTEM32\ltimg13n.dll
2007-09-08 00:35 401,408 --a------ C:\WINDOWS\SYSTEM32\lfcmp13n.dll
2007-09-08 00:35 299,008 --a------ C:\WINDOWS\SYSTEM32\ltdis13n.dll
2007-09-08 00:35 206,336 --a------ C:\WINDOWS\SYSTEM32\ltefx13n.dll
2007-09-08 00:35 163,840 --a------ C:\WINDOWS\SYSTEM32\ltfil13n.dll
2007-08-27 20:10 929,792 -ra------ C:\WINDOWS\SYSTEM32\PRISME5.dll
2007-08-27 20:10 15,781 -ra------ C:\WINDOWS\SYSTEM32\drivers\mdc8021x.sys
2007-08-27 20:10 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-27 20:09 <DIR> d-------- C:\Program Files\2Wire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-29 16:47 --------- d-------- C:\DOCUME~1\David\APPLIC~1\MSN6
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePal Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="C:\WINDOWS\Options\OEMReset.exe" [2002-02-22 18:31]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-13 22:00]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 22:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 22:00]
"CHotkey"="mHotkey.exe" [2002-01-17 14:54 C:\WINDOWS\mHotkey.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"CTSysVol"="C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe" [2003-05-02 09:53]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-29 14:23]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-04-01 16:16]
"nwiz"="nwiz.exe" [2005-04-01 16:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-04-01 16:16]
"Bart Station"="C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe" []
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" []
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-08-31 20:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2007-02-25 21:05:50]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 22:00:00]

R0 fasttrak;fasttrak;C:\WINDOWS\System32\DRIVERS\fasttrak.sys
R0 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys
R2 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
R3 P17;Creative SB Audigy LS;C:\WINDOWS\System32\drivers\P17.sys
S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys
S2 lanmanserverClipSrv;Server lanmanserverClipSrv;C:\WINDOWS\System32\rt26.exe srv
S3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMDM.sys
S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver;C:\WINDOWS\System32\Drivers\FTD2XX.sys

*Newly Created Service* - NMSCFG
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 13:02:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-21 13:04:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-21 13:03
.
--- E O F ---
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top

Unread postby hematex » September 21st, 2007, 2:07 pm

... and here is the HJT log-

Logfile of HijackThis v1.99.1
Scan saved at 1:05:09 PM, on 9/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&m ... PLHSEM&O=I
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9288590140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9288663546
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server lanmanserverClipSrv (lanmanserverClipSrv) - Unknown owner - C:\WINDOWS\System32\rt26.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
hematex
Regular Member
 
Posts: 19
Joined: September 20th, 2007, 3:29 pm
Location: Texas
Top

Unread postby Katana » September 21st, 2007, 2:43 pm

Hi hematex,
Well that is looking better :)

Submit a File For Analysis
We need to have the files below Scanned by Uploading them to Jotti

Please visit Jotti
Copy/paste the the following file path into the window
C:\WINDOWS\SYSTEM32\rt28.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\SYSTEM32\1148250889.dat

If Jotti is too busy please try Virustotal

Please run the AVG scan now (as previous instructions)
Safe mode is not required

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Jotti/Virus Total Results
  • AVG log
  • How are things running now ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
Top
Advertisement
Register to Remove
Next
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 133 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index