
Cleaned Registry After Infections, Now Freezes (ouch!)


3 replies to this topic

#1 Irondawgs


  • Members
  • 2 posts

Posted 25 January 2008 - 11:24 PM

How it started:
Got a massive attack from a bad case of virus-embedded Nero...
Virtumonde (wow, this was tough to get rid of...even with both the dedicated main Virtumonde removers), BHO trojans, Winlogon, droppers, and a few others. After downloading a new version of HJT, Combofix, Vundofix, VirtumondoBeGone, SuperAntiSpyware, Spybot, AVG, ThreatFire, Spyware Terminator, and a few other online scans, I have it under control...except for one bad day where it seemed I was fighting a losing battle. These viruses are kick-butt in deleting/changing/disabling Spybot, Threatfire, AvastAntivirus, TeaTimer, Quicktime, RealPlayer, Java, everything...that makes it real difficult to delete when they just erased your antivirus!!!

What I did:
After doing all of the above and still having bad registry keys on HJT after reboots, I kind of went berserk and erased things while checking on http://www.spyandseek.com/ as a guide to what is a good, valid key and what are listed as bad. But I soon realized that there is so much variation on opinions of what is good and what is bad that I may have erased some things that are needed. I thought spyandseek.com was God's gift for what were good and bad keys, and if someone listed one of my keys as bad, I erased it without hesitation, even if half the people said it was good, half bad.

What happens now:
From a cold boot trying to logon normally, it will hang as soon as it get to the black background screen with the Windows XP Professional Logo...as soon as it shows up at that screen so that the Windows XP Pro logo is not even at full brightness.

What I can do:
I have to reboot, start in safe mode (not even safe mode with networking works consistently), and once it loads (safe mode always works), I can push "start", "turn off" and "restart" and now windows will start normally. It's as if loading in safe mode first gets all the necessary keys or something so it will now allow me to start in "normal" mode. Then everything appears to work perfectly.

What I need:
???????? Repair my registry? How do I do this? Or...is something else wrong??? All of those spyware scanners, online scans, and newest AVG, Threatfire, Spyware Terminator, SuperAntiSpyware, AdAware, Spybot, SpywareBlaster, etc, etc...I run them all, and all say I am clean...so I think that is "one" thing I am 95% sure of.
Some of what I erased is below, but there is a chance that what happened isn't completely or only part due to me messing with the registry, maybe it was the viruses.

Here is my current HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:51 PM, on 1/25/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speakeasy.net/speedtest/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198597342296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198597329898
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5790 bytes



Now here are the "backups" from HJT...to tell you the truth, I am not sure if even these were my first logs because the viruses even erased/corrupted HJT at one point, so I uninstalled, reinstalled it, but here they are:
(I am writing these by hand b/c I can't figure out how to put them on a text file without risking possibly reinstalling "or" losing them!!!) Some were deleted at different times, but I fear the main keys I need that I erased, I may have erased even before this!!!)

1/24/2008 9:18:00pm: O4 - HKLM\..\Run:[Quicktime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
" O4 - HKLM]..\Run:[80d5f676]rundll32.exe"C:\Windows\system32\ohcucngf.dll",b
" O2 - BHO: {462c3f5c-eb3d-3c7a-3864-3d5558b05904} - {40950b85-55d3-4683-a7c3-d3bec5f3c264}-C:\Windows\System32\vnhkdjob.dll (file missing)

" another O2:BHO ddccy.dll (obviously one of the viruses)
O16: nbkeyscan.exe (virus from nero)

O16 - DPF:{CAFEEFAC-0015-000-0002-ABCDEDDEDCBA}(Java Plug-in)-
O23 nbservice.exe (another nero virus)
O23 nmindexingservice.exe (another nero virus)
O4 - HKLM\..\Run:[Logitech Utility]Logi_Mwx.Exe (I erased it at one point bc it said it was infected--my infrared mouse?)
O2 - BHO:SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}-C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll(file missing) (I erased it as some scanner said at one point it was infected)
O16 - DPF:{74D05D43-3236-11D4-BDCD-))C04F9A3B61}- (I erased this because, well, why not??? ;-) and it had no description and I was suspicious of everything at this point)
O4 - HKLM\..\Run:[Uninstall_CToolbar]"C:\Windows\Temp\CTun.exe""/remove"
O9 - Extra button: (no name)-{08B0E5C0-4FCB-11CF-AAA5-00401C608501}-C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll(file missing) --I erased this once again because "no name"
O9 - Extra 'Tools' menuitem: Sun Java Console-[08B0E5C0-4FCB-11CF-AAA5-00401C608501}-C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll(file missing) --again, I was pretty desperate
O4-HKLM\..\Run:[SunJavaUpdateSched\"C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" --definitely alerted by another program that it was infected, this I remember
O16 - DPF:{9B03C5F1-F5AB-47EE-937D-A8EDA626F876}- erased it just for kicks, and it had no description
O16 - DPF:[9A9307A0-7DA4-B042-9F29E09E1]- fun, fun, fun
O16 - DPF:{D27CDB6E-AE6D-11CF-96B8-444553540000}(Shockwave Flash Object)- ----erased because it was there


That's it for this log of "Backups" for HJT






Here's my Combofix Log:
ComboFix 08-01-23.1C - Dell GX1 2008-01-25 23:09:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.84 [GMT -5:00]
Running from: C:\Documents and Settings\Dell GX1\Desktop\imp utilities\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 20:28 . 2008-01-25 20:28 <DIR> d-------- C:\Program Files\ThreatFire
2008-01-25 20:28 . 2007-12-20 11:24 52,032 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-01-25 20:28 . 2007-12-20 11:24 41,792 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-01-25 20:28 . 2007-12-20 11:13 33,600 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-01-25 20:28 . 2007-12-20 11:13 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-01-25 09:46 . 2008-01-25 21:03 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-25 03:14 . 2008-01-25 03:14 <DIR> d-------- C:\Program Files\CCleaner
2008-01-25 02:53 . 2008-01-25 02:53 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-25 02:52 . 2008-01-25 02:53 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-01-25 02:50 . 2008-01-25 09:48 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-25 02:50 . 2008-01-25 02:51 <DIR> d-------- C:\Program Files\Crawler
2008-01-25 02:48 . 2008-01-25 03:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-24 22:58 . 2008-01-24 22:58 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-24 22:58 . 2008-01-24 22:58 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-24 22:58 . 2008-01-24 22:58 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-24 21:50 . 2005-11-10 12:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-01-24 21:27 . 2008-01-24 23:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 20:51 . 2008-01-24 20:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 19:40 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 17:29 . 2008-01-24 23:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 16:51 . 2008-01-25 05:27 <DIR> d-------- C:\VundoFix Backups
2008-01-23 15:10 . 2008-01-23 15:10 <DIR> d-------- C:\Program Files\Xilisoft
2008-01-23 14:04 . 2008-01-24 18:33 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-23 13:01 . 2008-01-23 13:01 <DIR> d-------- C:\Program Files\Nero
2008-01-23 13:01 . 2008-01-23 13:10 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-01-23 11:56 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-01-23 11:52 . 2003-05-30 09:00 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2008-01-23 02:32 . 2008-01-23 02:32 <DIR> d-------- C:\Program Files\ExtractNow
2008-01-23 02:32 . 2008-01-23 02:32 136 --a------ C:\_dele.bat
2008-01-23 01:02 . 2008-01-23 01:02 <DIR> d--h-c--- C:\WINDOWS\$MSI30UninstallMSI30-KB884016$
2008-01-22 01:03 . 2008-01-22 01:03 <DIR> d-------- C:\Program Files\uTorrent
2008-01-19 18:39 . 2008-01-19 18:48 <DIR> d-------- C:\Program Files\FrostWire
2008-01-15 00:23 . 2008-01-23 23:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-07 13:52 . 2008-01-07 13:52 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-02 13:33 . 2008-01-02 13:33 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-28 14:00 . 2007-12-28 14:00 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-12-28 13:59 . 2007-12-28 14:02 <DIR> d-------- C:\Program Files\AIM6
2007-12-28 13:59 . 2007-12-28 14:02 520 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 02:51 --------- d-----w C:\Program Files\Java
2008-01-25 02:10 --------- d-----w C:\Program Files\Common Files\Real
2008-01-23 16:08 --------- d-----w C:\Program Files\Ahead
2008-01-22 21:11 --------- d-----w C:\Program Files\palmOne
2008-01-19 23:39 --------- d-----w C:\Program Files\LimeWire
2007-12-26 00:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 18:26 --------- d-----w C:\Program Files\support.com
2007-12-14 00:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-04 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-03 23:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2006-10-01 04:51 16,765,814 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_30_15_17_03_full.dmp.zip
2006-09-15 18:23 16,730,500 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_14_18_52_11_full.dmp.zip
2006-09-15 18:22 16,808,656 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_14_18_46_17_full.dmp.zip
2006-09-15 18:21 16,736,461 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_14_18_33_01_full.dmp.zip
2006-08-24 01:24 51,697 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_23_16_25_45_small.dmp.zip
2006-08-13 06:37 16,785,252 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_11_11_53_01_full.dmp.zip
2006-08-13 06:36 16,772,452 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_10_23_58_16_full.dmp.zip
2006-08-11 03:34 16,744,556 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_10_23_29_12_full.dmp.zip
2006-08-10 20:46 16,745,527 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_10_16_41_36_full.dmp.zip
.
----a-w		   180,269 2008-01-24 08:31:43  C:\Program Files\Common Files\Real\Update_OB\realsched .exe


((((((((((((((((((((((((((((( snapshot_2008-01-24_23.33.07.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 00:41:14 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2008-01-26 04:09:32 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2008-01-25 09:01:48 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-01-25 09:01:54 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-01-25 09:01:55 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-01-25 09:01:57 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-25 09:01:57 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2001-11-10 19:15:10 1,388,544 ----a-w C:\WINDOWS\system32\msvbvm60.dll
+ 2004-02-24 02:42:40 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
+ 1996-01-12 23:00:00 24,576 ----a-w C:\WINDOWS\system32\STKIT432.DLL
- 2007-12-25 14:32:29 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-01-25 08:02:29 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 14:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 14:29 86016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-25 02:52 2778112]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 11:58 2483496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-25 04:00 579072]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2007-12-20 11:13 1238336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-25 04:01 219136]

C:\Documents and Settings\Dell GX1\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2004-10-08 00:38:44 2322432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08 471040]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26 180224]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
U.S. Robotics 802.11g Wireless Network Utility.lnk - C:\U.S.R.TurboGWLAN\USRWLANG.exe [2007-03-09 07:58:05 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 TfFsMon;TfFsMon;C:\WINDOWS\System32\drivers\TfFsMon.sys [2007-12-20 11:24]
R0 TfSysMon;TfSysMon;C:\WINDOWS\System32\drivers\TfSysMon.sys [2007-12-20 11:24]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-01-25 02:53]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINDOWS\System32\drivers\cwbmidi.sys [2001-08-17 07:19]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\System32\drivers\cwbwdm.sys [2001-08-17 07:19]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM3.sys [2004-03-11 21:16]
R3 TfNetMon;TfNetMon;C:\WINDOWS\System32\drivers\TfNetMon.sys [2007-12-20 11:13]
R3 vgadrv;vgadrv;C:\WINDOWS\System32\DRIVERS\vgadrv.sys [2006-03-17 12:04]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS []

*Newly Created Service* - PROCEXP90
*Newly Created Service* - THREATFIRE
.
Contents of the 'Scheduled Tasks' folder
"2008-01-19 19:11:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 23:24:25
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 23:29:26
ComboFix-quarantined-files.txt 2008-01-26 04:29:04
ComboFix2.txt 2008-01-25 04:33:49
ComboFix3.txt 2008-01-25 00:56:33






Here's a list of other deletions by many of the various programs (only a partial list):
fccdaww.dll
qttask.exe quicktime
dropper found by avast
rcx29 dropper
rcx2c dropper
agrsmmsg.exe dropper agent-psg what is this file???
ashdisp.exe
realsched.exe
spywareterminatorshield.exe
jussched.exe sunjava
nbservice.exe?
viewpointservice.exe?
wdfmgr.exe
ex_exec.exe
aswUpdSv.exe
fwservice.exe
dxlwyatu.exe adware? avast
ddccy.exe
ddccy.dll



Thanks guys
It could always be worse.
I hope there is some MagicFix to fix the registry by patching up the holes that the virus, and I, did.

I did erase all System Restore Points at one time because I did notice that the restore points even got infected at one point...which SUCKS!!!
and I do not have any back up restore points...although I should keep something like this as a backup...any recommendations on the best two ways to do this???
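The post above deletes HijackThis entries by hand on the strength of third-party opinion, which is how the machine ended up in its current state. As an added example (not code from this thread, from HijackThis, or from any tool the posts name), the script below parses the "section - details" line format the posted logs use and only flags entries a reviewer should confirm before removing anything: orphaned "(file missing)" entries, BHOs and IE buttons with no display name, Run values with an 8-hex-digit name that load an unnamed DLL through rundll32, O16 DPF entries with no description or source URL, the AppInit_DLLs load point, and services with no vendor string. The sample lines are copied from the logs in this thread (the 80d5f676 one normalised to HJT's usual spacing) plus one constructed "Unknown owner" service line; the heuristics are this example's assumptions, not rules from HJT. It reads text only and changes nothing on the machine.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; not code from BleepingComputer, from
HijackThis or from any tool the posts mention. It parses the
"<section> - <details>" line format used by the posted logs and flags
entries that deserve a second look before anything is deleted.
"""
import re
from dataclasses import dataclass, field

# Generic HJT line, e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")
# O4 Run/RunOnce value: hive, value name in [], then the command line
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Basename of the first .dll mentioned in a command line
DLL_RE = re.compile(r'([^\\"/]+)\.dll', re.IGNORECASE)
# O23 line: "Service: Display (short) - Vendor - path"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return one Finding per HJT line that trips a review heuristic.

    The heuristics below are this example's assumptions, not HJT's rules.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, rest = m.group("section"), m.group("rest")
        reasons = []

        # Registry still points at a file that is gone: a left-over, not a live threat.
        if "(file missing)" in rest:
            reasons.append("orphaned entry: target file is missing")

        # BHO / IE button with no display name: identify the owner from the path.
        if section in ("O2", "O9") and "(no name)" in rest:
            reasons.append("no display name: identify the owner from the file path")

        if section == "O4":
            rm = RUN_RE.match(rest)
            if rm:
                name, cmd = rm.group("name"), rm.group("cmd")
                # A value name that is just 8 hex digits carries no product name.
                if re.fullmatch(r"[0-9a-f]{8}", name):
                    reasons.append("Run value name is random-looking hex")
                # rundll32 loading an all-lowercase, vendor-less DLL name from the
                # Windows directory. Vendor DLLs such as NvMcTray.dll use mixed
                # case, so they do not trip this check.
                dm = DLL_RE.search(cmd)
                if (
                    "rundll32" in cmd.lower()
                    and "\\windows\\" in cmd.lower()
                    and dm is not None
                    and re.fullmatch(r"[a-z]{7,9}", dm.group(1))
                ):
                    reasons.append("rundll32 loads an unnamed DLL from the Windows directory")

        # Downloaded Program File with neither a description nor a source URL.
        if section == "O16" and rest.endswith("-") and "(" not in rest:
            reasons.append("DPF entry has no description and no download URL")

        # AppInit_DLLs is loaded into every process that uses user32: name the owner.
        if section == "O20" and rest.startswith("AppInit_DLLs"):
            reasons.append("AppInit_DLLs load point: confirm which product owns the DLL")

        # Service whose binary carries no company string.
        if section == "O23":
            sm = SERVICE_RE.match(rest)
            if sm and sm.group("vendor") == "Unknown owner":
                reasons.append("service binary has no vendor information")

        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


# Sample input: lines copied from the logs in this thread, plus one
# constructed "Unknown owner" service line at the end.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {462C3F5C-EB3D-3C7A-3864-3D5558B05904} - C:\WINDOWS\System32\vnhkdjob.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [80d5f676] rundll32.exe "C:\WINDOWS\system32\ohcucngf.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198597342296
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Example Service (examplesvc) - Unknown owner - C:\WINDOWS\system32\examplesvc.exe
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

The output is a review list, not a delete list: every flagged line still needs its file path checked against the product that installed it (the "(no name)" Crawler BHO and the COMODO AppInit DLL in the later logs are both legitimate) before anything is removed, which is the step the first post skipped.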


#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 January 2008 - 03:53 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Irondawgs.
My name is Richie and I'll be helping you to fix your problems.

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1a;
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed or we’ll both be wasting our time.

Do not install Service Pack 2.
If you install SP 2 on an infected machine it will cause serious problems within the operating system.

Once you've completed the above, post a new Hijackthis log into this topic.

#3 Irondawgs

  • Topic Starter

  • Members
  • 2 posts

Posted 30 January 2008 - 01:34 AM

Wow,
This sucks. After 40-something views and no replies, I have already just installed SP2 just before your reply. It worked fine...for awhile, until I got YourUninstaller 2008 to uninstall the rest of the Nero, the process which froze under regular uninstaller. The uninstall took forever, 30 mins or so, but eventually worked. I could not have heard worse luck about having already installed SP2. I am looking to get SP3 installed if that will help.
Or should I uninstall SP2 somehow??

I have installed a Nero Express 7 from a CD bundle I got when I purchased a DVD burner I have (in order to burn some things to back-up in the event the worst happens!!!), which works fine, so if that shows up in the HJT log, that's what it is. I don't mind erasing it if you want me to.

I would also like to make back-ups for everything in the future or have better registry protection, boot CDs and disks, so if you know the best back-up(s) and protection, that would also be appreciated.
I am now using AVG and Spyware Terminator (with active real-time protection), Spybot with TeaTimer and SpywareBlaster (also active free versions), and use Free version of AdAware (passive, only checks when I do a scan). I also use Comodo Firewall.

My first post also has a list of the "back-ups" of the HJT registry lines I erased that I can put back in if you want. I can put these back one-by-one, and may very well be as simple a problem as that, who knows? I do not need Virtual Clone Drive to run as I only used it to make sure my SP2 was good.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:13 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speakeasy.net/speedtest/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198597342296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198597329898
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6928 bytes

#4 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 30 January 2008 - 01:41 PM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.



