Welcome to MalwareRemoval.com,

Trojan win32


Post by mompa » August 18th, 2007, 4:53 pm

My computer is telling me I have an infection. Can you look at my log file and tell me what I can do?
Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:16 PM, on 8/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\msbind32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JONATHAN\Application Data\Mozilla\Profiles\default\xx2qchxe.slt\prefs.js)
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [infamous.exe] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [B280B38D] C:\WINDOWS\System32\qfiudkyay.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O20 - AppInit_DLLs: C:\WINDOWS\System32\hanonvt.ini
O21 - SSODL: GXDNCVdudvH - {304EC1B2-9AE4-6B18-7E6A-480461BD63AB} - C:\WINDOWS\System32\nc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 4854 bytes
mompa
Active Member
 
Posts: 4
Joined: August 18th, 2007, 4:50 pm

Post by SNOWHITE » August 19th, 2007, 10:16 am

Hello mompa,

My name is SNOWHITE and I will be helping you with your Malware problem.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER

Your computer is very infected. Please follow the steps below exactly, in the order they are written:

Step #1

1. Download combofix from one of these links:
Link1
Link2
2. Disconnect your computer from the internet before running ComboFix! << Important
3. Double-click combofix.exe and follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When done with ComboFix, re-enable your internet connection.

Step #2

1. Go to this website: www.virustotal.com
2. Upload this file by copy/pasting (Ctrl+C/Ctrl+V) it into the file box:
    C:\WINDOWS\System32\hanonvt.ini
3. Submit the file and copy/paste the results back into this thread.

Step #3

    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.

Step #4

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please navigate to the following file:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe << Right-click on it and choose Rename, rename HijackThis.exe to scanner.exe

Close Windows Explorer.

Run a new scan with HijackThis (now scanner.exe) and post the log back here.

In your next post please include the following reports:
  • ComboFix report
  • VirusTotal file report
  • Uninstall list
  • New HijackThis log
Let me know how things went.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm
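
A log-triage helper for the HijackThis entries posted above, written here as an added example rather than anything from this thread or from Trend Micro: it applies a few rules to the sections SNOWHITE acts on (F2 Shell=, O4 autoruns, O7 policies, O20 AppInit_DLLs, O21 SSODL) and lists the full paths worth submitting to VirusTotal, as Step #2 does for hanonvt.ini. The sample lines are copied from mompa's log; the rules and severities are my own assumptions, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, with a
# couple of clean entries (TkBellExe, NVSvc) so the rules have something to ignore
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [B280B38D] C:\WINDOWS\System32\qfiudkyay.exe
O4 - Startup: system.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\System32\hanonvt.ini
O21 - SSODL: GXDNCVdudvH - {304EC1B2-9AE4-6B18-7E6A-480461BD63AB} - C:\WINDOWS\System32\nc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    severity: str  # "high": almost never legitimate; "review": needs a human look
    code: str      # HijackThis section code (F2, O4, O20, ...)
    reason: str
    line: str


LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# first drive-letter path on the line, up to a binary-looking extension
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ini|sys|scr)\b", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}$")  # auto-generated Run value names like B280B38D


def triage(log_text):
    """Apply the rules (assumed heuristics) to each log line; findings come back in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, detail = m.groups()
        pm = PATH_RE.search(detail)
        path = pm.group(0) if pm else None

        if code == "F2" and "Shell=" in detail:
            # Winlogon's Shell value should be exactly Explorer.exe; anything
            # appended to it is started at every logon
            shell = detail.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding("high", code, "extra program appended to the Winlogon Shell= value", raw))
        elif code == "O20" and "AppInit_DLLs" in detail and path:
            reason = "AppInit_DLLs is loaded into every process that uses user32.dll"
            if not path.lower().endswith(".dll"):
                reason += "; a non-.dll extension is disguising a DLL"
            findings.append(Finding("high", code, reason, raw))
        elif code == "O21":
            findings.append(Finding("high", code, "ShellServiceObjectDelayLoad DLL loaded by Explorer at startup", raw))
        elif code == "O7" and "DisableRegedit=1" in detail:
            findings.append(Finding("review", code, "policy disables regedit, a common anti-removal measure", raw))
        elif code == "O4":
            nm = re.search(r"\[([^\]]+)\]", detail)
            name = nm.group(1) if nm else ""
            if HEX_NAME_RE.match(name):
                findings.append(Finding("high", code, "Run value named with a random 8-digit hex string", raw))
            elif detail.startswith(("Startup:", "Global Startup:")) and detail.lower().endswith(".exe"):
                findings.append(Finding("high", code, "bare executable in a Startup folder (normal entries are .lnk shortcuts)", raw))
            elif path and SYSTEM32_RE.search(path):
                findings.append(Finding("review", code, "Run entry launches a program straight from System32", raw))
    return findings


def paths_to_submit(findings):
    """Full paths from the high-severity findings: the files worth uploading to VirusTotal."""
    paths = set()
    for f in findings:
        pm = PATH_RE.search(f.line)
        if f.severity == "high" and pm:
            paths.add(pm.group(0))
    return sorted(paths)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.code:<4} {f.reason}\n         {f.line.strip()}")
    print("submit to VirusTotal:", *paths_to_submit(results), sep="\n  ")
```

Entries such as "Startup: system.exe" carry no full path, so they show up as findings but not in the submit list; locate the file in the Startup folder by hand before uploading it.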

Post by mompa » August 19th, 2007, 11:37 pm

Results from ComboFix:

ComboFix 07-08-14.4 - "Patti" 2007-08-19 21:53:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.272 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\a.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\Patti\APPLIC~1.\crosof~1.net
C:\DOCUME~1\Patti\APPLIC~1.\dobe~1
C:\DOCUME~1\Patti\APPLIC~1.\ecurit~1
C:\DOCUME~1\Patti\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Patti\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\Patti\APPLIC~1\..\err.log
C:\DOCUME~1\Patti\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\Patti\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\Patti\MYDOCU~1.\icroso~1
C:\DOCUME~1\Patti\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\Patti\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\Patti\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\DOCUME~1\Patti\STARTM~1\Programs\Startup.\system.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\appatc~1
C:\Program Files\appatc~1\A?pPatch\
C:\Program Files\appatc~1\explorer.exe
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Messenger\zykisuh.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pppatc~1
C:\Program Files\WindowsUpdate\vixyz4444.dll
C:\Program Files\WindowsUpdate\vixyz83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bi.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hyomeyd.exe
C:\WINDOWS\hyomeydA.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\new_drv.sys
C:\WINDOWS\pbar.dll
C:\WINDOWS\rau001978.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\system32\180ax.exe
C:\WINDOWS\system32\7_exception.nls
C:\WINDOWS\system32\bi.dll
C:\WINDOWS\system32\biprep.exe
C:\WINDOWS\system32\configs
C:\WINDOWS\system32\configs\kmhp83122.exe
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\crosof~1.net\?ti2evxx.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver\w717.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\F3\n553.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\KB05401733.exe
C:\WINDOWS\system32\KB35675404.exe
C:\WINDOWS\system32\KB37658028.exe
C:\WINDOWS\system32\KB49214670.exe
C:\WINDOWS\system32\KB58956977.exe
C:\WINDOWS\system32\KB73687313.exe
C:\WINDOWS\system32\KB78583298.exe
C:\WINDOWS\system32\KB82468156.exe
C:\WINDOWS\system32\KB86927746.exe
C:\WINDOWS\system32\kdxsk.exe
C:\WINDOWS\system32\lfd32.ini
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\msscds32.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\qdogswdk.exe
C:\WINDOWS\system32\rkgmibus.exe
C:\WINDOWS\system32\salm.exe
C:\WINDOWS\system32\satmat.exe
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\spooldr.ini
C:\WINDOWS\system32\stimon.dll
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\updatetc.exe
C:\WINDOWS\system32\vcud.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wcpicomsv.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\voiceip.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_NEW_DRV
-------\LEGACY_NTMLSVC
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SYMAVC32
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Net Agent
-------\NtmlSvc


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-19 20:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 15:51 192,625 --a------ C:\WINDOWS\system32\kwinqmdt.exe
2007-08-17 20:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1.FAM\APPLIC~1\Lavasoft
2007-08-17 20:26 37,376 --a------ C:\WINDOWS\system32\vtr441.dll
2007-08-17 20:24 786,432 --ah----- C:\DOCUME~1\ADMINI~1.FAM\NTUSER.DAT
2007-08-17 20:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1.FAM\WINDOWS
2007-08-17 20:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1.FAM\APPLIC~1\Gtek
2007-08-17 19:57 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-17 19:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-17 19:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-08-17 12:57 <DIR> d-------- C:\WINDOWS\LogFiles
2007-08-16 19:20 10,000 --a------ C:\WINDOWS\system32\sder4gh.dll
2007-08-13 11:13 26,454 --a------ C:\WINDOWS\system32\afn.exe
2007-08-12 18:13 3,072 --a------ C:\WINDOWS\u4j3d4e1.exe
2007-08-11 12:26 173,056 --a------ C:\WINDOWS\system32\drivers\Kpa37.sys
2007-08-11 12:21 173,056 --a------ C:\WINDOWS\system32\drivers\Qdwa41.sys
2007-08-10 11:11 12 --a------ C:\WINDOWS\system32\sl.bin
2007-08-09 10:00 <DIR> d-------- C:\Program Files\XXXPlugin
2007-08-08 20:30 153 --a------ C:\WINDOWS\system32\delFSF.bat
2007-08-08 20:06 23,851 --ah----- C:\wsusupd.exe
2007-08-08 20:06 15,360 --a------ C:\WINDOWS\addoo32.exe
2007-08-08 20:05 13,697 --a------ C:\WINDOWS\system32\KB_963491.exe
2007-08-08 15:00 <DIR> d-------- C:\VundoFix Backups
2007-08-08 14:40 <DIR> d-------- C:\Program Files\Trend Micro


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 22:54 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-19 22:38 --------- d-------- C:\Program Files\Messenger
2007-08-19 20:42 --------- d-------- C:\Program Files\Lx_cats
2007-08-06 20:55 --------- d-------- C:\Program Files\LimeWire
2007-08-06 18:28 --------- d-------- C:\DOCUME~1\Patti\APPLIC~1\LimeWire
2007-08-05 15:08 --------- d-------- C:\DOCUME~1\Patti\APPLIC~1\AdobeUM
2007-08-05 14:48 --------- d-------- C:\DOCUME~1\Patti\APPLIC~1\OpenOffice.org2
2007-08-03 17:36 55296 --a------ C:\WINDOWS\system32\haspnt32.dll
2007-07-12 22:18 --------- d-------- C:\DOCUME~1\Patti\APPLIC~1\Google
2007-07-12 22:07 --------- d-------- C:\Program Files\Google
2004-12-04 19:52 0 --a------ C:\WINDOWS\prefetch\ADDBE32.DLL
2005-01-18 18:09:10 0 --sha-w C:\WINDOWS\lyxwy.dll
2004-11-25 16:15:08 94,784 --sha-w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 --sh--w C:\WINDOWS\twain_32.dll
2004-11-25 03:07:00 1,007 --sha-w C:\WINDOWS\system32\iewo32.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 9,728 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-05-22 12:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"infamous.exe"="C:\Program Files\Windows Media Player\wmplayer.exe" [2005-01-28 14:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" []
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-10 10:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 15:00:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{740470CC-C8E1-4325-BD9B-03DD0C0C226C}"= haspnt32.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"GXDNCVdudvH"= {304EC1B2-9AE4-6B18-7E6A-480461BD63AB} - C:\WINDOWS\System32\nc.dll [2006-08-08 20:06 14848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\hanonvt.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Patti^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Patti^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

R0 Bstg74;Bstg74;C:\WINDOWS\System32\drivers\Bstg74.sys
R0 sonypvl2;sonypvl2;C:\WINDOWS\System32\drivers\sonypvl2.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\System32\drivers\pwd_2K.sys
R1 sonypvf2;sonypvf2;C:\WINDOWS\System32\drivers\sonypvf2.sys
R1 sonypvt2;sonypvt2;C:\WINDOWS\System32\drivers\sonypvt2.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S1 sonypvd2;sonypvd2;C:\WINDOWS\System32\DRIVERS\sonypvd2.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E02310B4E666}]
C:\WINDOWS\system32\tmrsrv32.exe

Contents of the 'Scheduled Tasks' folder
2007-08-11 19:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 22:54:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\Soap Bubbles.bmp:hubou 10752 bytes executable
C:\WINDOWS\FeatherTexture.bmp:yvzkw 10752 bytes executable
C:\WINDOWS\GatorHDPlugin.log-old.log:jvrqq 29696 bytes executable
C:\WINDOWS\REGLOCS.OLD:kccehy 64000 bytes executable
C:\WINDOWS\vmmreg32.dll:ewhaqp 29696 bytes executable
C:\WINDOWS\vsapi32.dll:izqnz 10752 bytes executable
C:\WINDOWS\Windows Update.log:cwkle 56320 bytes executable
C:\WINDOWS\svcpack.log:zvtbw 29696 bytes executable
C:\WINDOWS\comsetup.log:lmxvf 56320 bytes executable
C:\WINDOWS\ipdg32.dll:rrpuff 10752 bytes executable
C:\WINDOWS\ipir32.dll:ussnba 29696 bytes executable
C:\WINDOWS\iplu32.dll:giikop 55808 bytes executable
C:\WINDOWS\tsoc.log:xffqo 56320 bytes executable
C:\WINDOWS\twain.dll:typet 10752 bytes executable
C:\WINDOWS\Blue Lace 16.bmp:gdlnkx 70144 bytes executable
C:\WINDOWS\bootstat.dat:ebyot 29696 bytes executable
C:\WINDOWS\BPMNT.dll:rafdvq 10752 bytes executable
C:\WINDOWS\Compaq Amber.BMP:hregdv 10752 bytes executable
C:\WINDOWS\Compaq Sapphire.BMP:zrwmfg 29696 bytes executable
C:\WINDOWS\winhw32.dll:lszwfk 55808 bytes executable
C:\WINDOWS\winmp.dll:krsjsj 10752 bytes executable
C:\WINDOWS\winnt256.bmp:bvtnh 10752 bytes executable
C:\WINDOWS\wints32.dll:twmsj 29696 bytes executable
C:\WINDOWS\wints32.dll:vtwboe 29696 bytes executable
C:\WINDOWS\winuc32.dll:izftp 10752 bytes executable
C:\WINDOWS\winyn.dll:aaqzr 29696 bytes executable
C:\WINDOWS\liveup.ini:hfbofm 29696 bytes executable
C:\WINDOWS\LPT$VPN.606:oylpg 29696 bytes executable
C:\WINDOWS\addsq32.dll:huerl 56320 bytes executable
C:\WINDOWS\addsw32.dll:zstwt 29696 bytes executable
C:\WINDOWS\apicg32.dll:dvcpns 10752 bytes executable
C:\WINDOWS\apidi32.dll:vwvchc 29696 bytes executable
C:\WINDOWS\apiey.dll:bexemc 10752 bytes executable
C:\WINDOWS\apihg.dll:ufikpf 29696 bytes executable
C:\WINDOWS\netuo.dll:bjnfoi 55808 bytes executable
C:\WINDOWS\ntdtcsetup.log:btyswc 10752 bytes executable
C:\WINDOWS\d3cd32.dll:ukwax 10752 bytes executable
C:\WINDOWS\d3ll32.dll:juikif 10752 bytes executable
C:\WINDOWS\d3os32.dll:elofa 29696 bytes executable
C:\WINDOWS\d3sg32.dll:bvapcq 29696 bytes executable
C:\WINDOWS\sdket32.dll:hchkee 10752 bytes executable
C:\WINDOWS\sdkic.dll:acapgo 29696 bytes executable
C:\WINDOWS\sdkjd.dll:ptlsgt 10752 bytes executable
C:\WINDOWS\sdkls32.dll:iuexae 29696 bytes executable
C:\WINDOWS\sdkxq32.dll:uiswk 10752 bytes executable
C:\WINDOWS\SDSALRES.dll:mjlbe 29696 bytes executable
C:\WINDOWS\atlfr.dll:thgade 55808 bytes executable
C:\WINDOWS\atlow.dll:ugdntr 10752 bytes executable
C:\WINDOWS\atlyk.dll:azkshg 29696 bytes executable
C:\WINDOWS\AuHCcup1.ini:magaz 10752 bytes executable
C:\WINDOWS\sysri.dll:vkvezm 10752 bytes executable
C:\WINDOWS\mtcap.ini:kawglb 10752 bytes executable
C:\WINDOWS\N6Uninst.exe:ctplfd 29696 bytes executable
C:\WINDOWS\netpi.dll:mfxeqm 10752 bytes executable
C:\WINDOWS\netqu32.dll:vvkvq 55808 bytes executable
C:\WINDOWS\netrd32.dll:fgijso 29696 bytes executable
C:\WINDOWS\xpsp1hfm.log:plcuel 10752 bytes executable
C:\WINDOWS\_default.pif:zxzau 103943 bytes executable
C:\WINDOWS\apirw.dll:ojgip 10752 bytes executable
C:\WINDOWS\apiwm32.dll:hkrnr 29696 bytes executable
C:\WINDOWS\apply.dll:nmhriu 29696 bytes executable
C:\WINDOWS\appmi32.dll:dcsnrb 68096 bytes executable
C:\WINDOWS\ntij32.dll:uujxzm 29696 bytes executable
C:\WINDOWS\ocmsn.log:bhzzx 29696 bytes executable
C:\WINDOWS\mfcjq32.dll:nbaxrw 68096 bytes executable
C:\WINDOWS\mfcpb32.dll:cukxt 55808 bytes executable
C:\WINDOWS\iemo.dll:yqtbbd 10752 bytes executable
C:\WINDOWS\ieqm.dll:qqmgvf 29696 bytes executable
C:\WINDOWS\crfb32.dll:ifhemn 64000 bytes executable
C:\WINDOWS\crhl.dll:kpmcwc 10752 bytes executable
C:\WINDOWS\crjj.dll:dpfqye 29696 bytes executable
C:\WINDOWS\crjq32.dll:gndcsq 68096 bytes executable
C:\WINDOWS\twunk_32.exe:lzakn 29696 bytes executable
C:\WINDOWS\vb.ini:lhnwk 29696 bytes executable
C:\WINDOWS\addbe32.dll:hrbrr 10752 bytes executable
C:\WINDOWS\system32\drivers\Bstg74.sys
C:\WINDOWS\system32\drivers\symavc32.sys

scan completed successfully
hidden files: 77

**************************************************************************

Completion time: 2007-08-19 23:02:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 23:02

--- E O F ---

_____________________________________________________________


Results from virustotal:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.18.0 2007.08.18 -
AntiVir 7.4.1.62 2007.08.19 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.08.17 -
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.19 -
BitDefender 7.2 2007.08.20 -
CAT-QuickHeal 9.00 2007.08.18 TrojanDownloader.Agent.bxx
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.19 Trojan.Proxy.1739
eSafe 7.0.15.0 2007.08.16 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.19 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.19 W32/Agent.BXX!tr.dldr
F-Prot 4.3.2.48 2007.08.17 -
F-Secure 6.70.13030.0 2007.08.19 -
Ikarus T3.1.1.12 2007.08.19 Trojan-Downloader.Win32.Agent.bxx
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5100 2007.08.17 -
Microsoft 1.2803 2007.08.19 -
NOD32v2 2470 2007.08.19 -
Norman 5.80.02 2007.08.17 -
Panda 9.0.0.4 2007.08.19 Adware/WinAntiVirus2007
Prevx1 V2 2007.08.20 -
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 Trojan.Perfcoo
TheHacker 6.1.8.170 2007.08.17 -
VBA32 3.12.2.2 2007.08.17 -
VirusBuster 4.3.26:9 2007.08.19 -
Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Crypt.XPACK.Gen
Additional information
File size: 6144 bytes
MD5: b26f13d207ca8e073bb6632118d00537
SHA1: b49acae0cd0c5d30633e9531cee288cf0ccb98d4
_____________________________________________________________
Results from Uninstall list:

18 Wheels of Steel Pedal to the Metal
3D Groove Playback Engine
7 Wonders of the Ancient World
888.info
ABBYY FineReader 6.0 Sprint Plus
ACDSee
Action Replay Code Manager
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Advanced Font Viewer 2.4
AIM 6.0
AOL Toolbar 4.0
Apple Software Update
ArcSoft Software Suite
Barbie® As Sleeping Beauty
Blasterball 2 Holidays (Free with Game Console - WildGames)
Boggle® Supreme
Caillou(R) Birthday Party(TM)
Coloreal
Compaq Wallpaper
Compaq WinDVD
Deer's Revenge
Disney's Toontown Online
Easy CD Creator 5 Basic
Encarta Online
Everyday Spelling Grade 3
Fisher-Price® - Toddler
Fisher-Price® Big Action Construction
Font Creator 5.0
Fuel Tax By WolfByte
GAIN
Game Console - WildGames
GdiplusUpgrade
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
GuitarVision
hhy_worldss Screen Saver
Hijackthis 1.99.1
HijackThis 2.0.2
Hot Shots Bug Drop
HP Image Zone 4.2
HP Photo Imaging Software
HP Photo Printing Software
HP PSC & Officejet 4.7 Corporate Edition
HP Software Update
ImageMixer for Sony DVD Handycam
InterActual Player
InterVideo Installer
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
JumpStart Kindergarten v2.4b
JumpStart Preschool v2.0
Kids Next Door
Lexmark 7100 Series
Lexmark 7100 Series Fax Solutions
Linksys EasyLink Advisor 1.5 (1045)
LoadLedger
Luxor
Luxor: Amun Rising
Macromedia Shockwave Player
MGI PhotoSuite III SE (Remove Only)
Microsoft .NET Framework 1.1
Microsoft Location Finder
Microsoft Works 6.0
MicroStaff WINASPI
Mini Car Racing
MLB.com Playball
Monster Truck Stunts v1.2
MSN Add-in for Windows Messenger
MSN Music Assistant
MSXML 4.0 SP2 Parser and SDK
Netscape (7.1)
Netscape (7.2)
NHRA Drag Racing
Nikon Message Center
NVIDIA Windows 2000/XP Display Drivers
OfotoNow
OpenOffice.org 2.0
Opera
Outlook Express Q837009
overland
Owl and Mouse MegaMaps
PhonicsTutor Classic Demo
Pic-Tac-Toe
PictureProject
Plantasia
PopCap Browser Plugin
Princess Castle Party
Quicken 2005
QuickTime
RealArcade
RealPlayer
Registry Booster
Road Runner Medic 5.3
Roll
School House Rock Grammar Rock
SCRABBLE
Sean's Magic Slate
Security Task Manager 1.7
Shockwave
Sierra On-Line Games (Remove only)
Sony DVD Handycam USB Driver
SoundMAX
Spybot - Search & Destroy 1.4
Sudoku
Super Collapse II
Super Collapse! II
Super SpongeBob Collapse!
Super TextTwist
Tarzan Action Game
The Print Shop® 6.0 Deluxe
The Weather Channel
TOBYMAC_saver
TurboTax Deluxe 2003
TurboTax Deluxe 2004
UnderTheSea3D
USB6800 Instant Drive
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtools 3D Life Player
W&G Screen Saver
Weather Services
WexTech AnswerWorks
Where in the USA is Carmen Sandiego?
Where in the World is Carmen Sandiego?
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB835732
Windows XP Service Pack 1a
Word Challenger
Word Munchers
Word Slinger
Writing Trek Ages 4-6
XXXPlugin
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar

_____________________________________________________________

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:55 PM, on 8/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\PATTI\Application Data\Mozilla\Profiles\default\wkrltbti.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\PATTI\Application Data\Mozilla\Profiles\default\wkrltbti.slt\prefs.js)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [infamous.exe] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O20 - AppInit_DLLs: C:\WINDOWS\System32\hanonvt.ini
O21 - SSODL: GXDNCVdudvH - {304EC1B2-9AE4-6B18-7E6A-480461BD63AB} - C:\WINDOWS\System32\nc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 3470 bytes


Thanks for your help!!!
mompa
Active Member
 
Posts: 4
Joined: August 18th, 2007, 4:50 pm
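As an added example (not part of this thread or of HijackThis itself), a small Python triage pass over a few of the non-default O4/O20/O21 lines from the log above, flagging the kinds of anomalies a helper looks for: a Run value named like an executable that launches a different binary, AppInit_DLLs pointing at a non-DLL file, and an SSODL entry outside a small allowlist of stock Windows XP shell service objects (the allowlist is an assumption, not a HijackThis feature).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the non-default O4/O20/O21 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [infamous.exe] C:\Program Files\Windows Media Player\wmplayer.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\hanonvt.ini
O21 - SSODL: GXDNCVdudvH - {304EC1B2-9AE4-6B18-7E6A-480461BD63AB} - C:\WINDOWS\System32\nc.dll
"""

# Shell service objects that Windows XP itself registers (assumed allowlist; extend locally).
KNOWN_SSODL = {"WebCheck", "SysTray", "PostBootReminder", "CDBurn", "WPDShServiceObj"}

RUN_RE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]+)\] "?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?')
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>[^-]+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


def triage(log_text):
    """Return (line, reason) pairs for HijackThis entries worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := RUN_RE.match(line):
            name, target = m["name"], PureWindowsPath(m["path"]).name
            # A Run value named like an executable that is not the binary it launches
            if name.lower().endswith(".exe") and name.lower() != target.lower():
                findings.append((line, f"Run value '{name}' does not match target '{target}'"))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every user32-linked process; anything but a DLL is odd
            for p in m["path"].split():
                if not p.lower().endswith(".dll"):
                    findings.append((line, f"AppInit_DLLs loads non-DLL file '{p}'"))
        elif m := SSODL_RE.match(line):
            ssodl_name = m["name"].strip()
            if ssodl_name not in KNOWN_SSODL:
                findings.append((line, f"unknown ShellServiceObjectDelayLoad entry '{ssodl_name}'"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```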

Unread postby SNOWHITE » August 20th, 2007, 1:05 pm

Hello mompa,

Unfortunately your computer is much more badly infected than I was expecting. It appears you have a rootkit on your computer. Your computer is and always will be at risk because of this rootkit. I cannot guarantee that everything will get cleaned out. Rootkits are extremely hard to detect, and just as hard to clean out. You have to think that from this point forward, you can't trust your computer. The possibility that there are backdoors too on the computer is very high; this gives hackers full access to everything stored on the computer!

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


More info can be found here:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm

Unread postby mompa » August 20th, 2007, 6:15 pm

:shock: :x Yikes!!

OK..couple questions. Could the computers in my network (wireless) be affected?

Is it ok to use the computer if I don't use it for personal info?

I probably want to re-format. I don't have anything stored that I can't live without.
Is there danger in unloading things to disc from infected comp. and reloading to uninfected computer?

Another thing...how did this happen!??

Thanks so much!
mompa
Active Member
 
Posts: 4
Joined: August 18th, 2007, 4:50 pm

Unread postby SNOWHITE » August 21st, 2007, 5:39 pm

Hello mompa,


OK..couple questions. Could the computers in my network (wireless) be affected?


It is possible if the network was unprotected; it would be wise to check all of your computers on the same network.


Is it ok to use the computer if I don't use it for personal info?


If you don't use the computer for storing personal info, I can attempt to clean it, but I still can't be sure it will be 100% clean. But we can try.

Is there danger in unloading things to disc from infected comp. and reloading to uninfected computer?


Of course there is danger, especially when the computer is infected like this.

I probably want to re-format. I don't have anything stored that I can't live without.


Reformat would be the best choice in my opinion.

Another thing...how did this happen!??


Well, your computer doesn't have any protection on it; you don't have basic security programs like antivirus, firewall or antispyware programs. I also see you are using P2P programs, LimeWire. Even when a program like this is not infected itself, it will still bring malware into your system, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove these programs from your system.

Think about it and let me know what you have decided in your next post, or you can follow my instructions below. There are also some files on your computer that we are interested in, so we can send them to antivirus vendors. That helps prevent other computers from getting infected with this malware.

Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\delFSF.bat 
C:\WINDOWS\system32\tmrsrv32.exe 

Collect::[29]
C:\WINDOWS\system32\kwinqmdt.exe 
C:\WINDOWS\system32\vtr441.dll 
C:\WINDOWS\system32\sder4gh.dll 
C:\WINDOWS\u4j3d4e1.exe
C:\WINDOWS\system32\drivers\Kpa37.sys
C:\WINDOWS\system32\drivers\Qdwa41.sys
C:\WINDOWS\System32\drivers\Bstg74.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\wsusupd.exe
C:\WINDOWS\addoo32.exe
C:\WINDOWS\system32\KB_963491.exe
C:\WINDOWS\prefetch\ADDBE32.DLL
C:\WINDOWS\lyxwy.dll 
C:\WINDOWS\system32\iewo32.dll
C:\WINDOWS\System32\nc.dll
C:\WINDOWS\System32\hanonvt.ini

Suspect::[29]
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\afn.exe

Save this as "CFScript"


Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply. You will also be asked to upload a file; please do so.

Step #2

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors:

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Step #3

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

NOTE: If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


NOTE: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Post back with the ComboFix report, the SmitfraudFix report and a new HijackThis log.

Regards,
SNOWHITE
Regular Member
 
Posts: 94
Joined: February 12th, 2007, 2:06 pm

Unread postby random/random » August 28th, 2007, 5:39 am

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
random/random
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm