Worm.win32.netbooster


18 replies to this topic

#1 brooky

Posted 27 April 2008 - 11:06 AM

I have been trying to remove this worm.win32.netbooster all day and finally happened on your site.
I have followed some of the advice that Quietman gave to another user; I have performed the removal of malware and now have this log:

Malwarebytes' Anti-Malware 1.11
Database version: 674

Scan type: Quick Scan
Objects scanned: 37783
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Does this mean that I am completely in the clear, as I use this comp for banking?
Thanks in advance guys!!!

#2 ruby1

Posted 27 April 2008 - 12:03 PM

Hi; you would appear to be, BUT things can be deceptive!!

As you do banking etc. and seem to have been following advice given to another member (never really a good idea, as their problems will NOT be identical to yours), can you tell us what your antivirus program is, and what other scans you have run, and are all of them reporting back as clean?

What is your Windows version?

#3 DaChew (BC Advisor)

Posted 27 April 2008 - 12:19 PM

The key to fighting an infection like this is to identify it.

Worm.win32.netbooster is what a rogue malware program says you have after being infected.

The important information is what it tries to get you to go and buy, the bogus software to remove the fake trojan.

http://www.malwarebytes.org/forums/index.php?showforum=39

http://www.bleepingcomputer.com/forums/f/55/spyware-and-malware-removal-guides-and-reading-room/

Then you have to consider that all these malware programs are changing daily.
Chewy

No. Try not. Do... or do not. There is no try.

#4 brooky

Posted 27 April 2008 - 02:35 PM

Hi, thanks for the advice.
My Windows version is Microsoft Windows Media Center Edition, Version 2002, Service Pack 2.
I have scanned with Spyware Doctor (free edition), AVG virus and spyware free versions, Trojan Hunter, then SmitfraudFix, then Malwarebytes' Anti-Malware.
All say clean, but then just now I have had a new one come up for http://www.system-defender.com/freeware/2/?wmid=6010&mid=MjI6Mzc6MTgxNjM=&lndid=37&p=01, which I am sure is the same thing attacking again!!

Malwarebytes' Anti-Malware 1.11
Database version: 674

Scan type: Quick Scan
Objects scanned: 37768
Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Latest scan from Malwarebytes' Anti-Malware.

Edited by brooky, 27 April 2008 - 02:42 PM.


#5 DaChew (BC Advisor)

Posted 27 April 2008 - 03:13 PM

You must have a new variant of the System Defender rogue.

http://www.bleepingcomputer.com/forums/t/143309/antispyware-master-o/

Try this.

#6 brooky

Posted 27 April 2008 - 06:16 PM

Right, done all that other stuff that you put me onto. Done the safe mode stuff.
This is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2008 at 10:57 PM

Application Version : 4.0.1154

Core Rules Database Version : 3448
Trace Rules Database Version: 1440

Scan type : Complete Scan
Total Scan Time : 00:47:41

Memory items scanned : 243
Memory threats detected : 0
Registry items scanned : 6348
Registry threats detected : 0
File items scanned : 26435
File threats detected : 7

Rogue.NetProject-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP537\A0100166.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP537\A0100171.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP543\A0100392.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP543\A0100393.EXE

Trojan.Downloader-Gen/Suspicious
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP537\A0100170.EXE

Adware.SXGAdvisor-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP543\A0100389.DLL

Adware.Vundo-Variant/J
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP543\A0100390.DLL

Why does the log say restore? I don't get it.



Just done the Malwarebytes scan; this is the log:

Malwarebytes' Anti-Malware 1.11
Database version: 674

Scan type: Quick Scan
Objects scanned: 37925
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Seems to be good news. Thanks for your help, Chewy.

Edited by brooky, 27 April 2008 - 06:37 PM.


#7 DaChew (BC Advisor)

Posted 27 April 2008 - 06:37 PM

Windows uses System Restore to back up key files when you make changes; that will enable you to possibly go back to before and fix your computer before it messed up.

Unfortunately it also backs up malware that's installed.

Those 7 threats are inactive as long as they are not restored.

A file will be created and saved at C:\Program Files\RogueRemover\RRLog******.txt

Would you post this log please?

#8 boopme (Global Moderator)

Posted 27 April 2008 - 06:41 PM

So how is the PC running now? Are there still symptoms?

"why does the log say restore?"

Those are infections hidden from scanning tools in the System Restore Point component of Windows; we'll get them out after we're sure you're clean.
You said you have run SmitfraudFix; did you run the cleaning portion in Safe Mode? If so, please post a copy of that report in your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

EDIT: Didn't see Chew's reply till I posted, but please post both reports.

Edited by boopme, 27 April 2008 - 06:42 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 brooky

Posted 28 April 2008 - 01:58 PM

Right, I had a problem with one log, so I ran it again in safe mode; hope it will give you the same info.

RogueRemover log:

Malwarebytes' RogueRemover
Malwarebytes ©2007 http://www.malwarebytes.org
6213 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: Folder
Vendor: SpywareDetector
Location: C:\Program Files\SpywareDetector
Selected for removal: Yes

RogueRemover has found the objects above.


Next one:



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

SmitFraudFix v2.319

Scan done at 19:46:12.85, 28/04/2008
Run from C:\Documents and Settings\Compaq_Administrator\Desktop\spyware adware and worm killers\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"="frowardness"

[HKEY_CLASSES_ROOT\CLSID\{b0fdc513-46b9-46fc-8e70-d575ee546dae}\InProcServer32]
@="C:\WINDOWS\system32\zfaiqwr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b0fdc513-46b9-46fc-8e70-d575ee546dae}\InProcServer32]
@="C:\WINDOWS\system32\zfaiqwr.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"="frowardness"

[HKEY_CLASSES_ROOT\CLSID\{b0fdc513-46b9-46fc-8e70-d575ee546dae}\InProcServer32]
@="C:\WINDOWS\system32\zfaiqwr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b0fdc513-46b9-46fc-8e70-d575ee546dae}\InProcServer32]
@="C:\WINDOWS\system32\zfaiqwr.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

That's the lot.
Thanks in advance.

#10 DaChew (BC Advisor)

Posted 28 April 2008 - 04:08 PM

I really do love it when I get a good solid hit on a Google search and end up at a reliable, trusted database.

http://www.bleepingcomputer.com/startups/f...ness-22845.html

http://www.bleepingcomputer.com/forums/t/130080/how-to-remove-virusheat-removal-instructions/

#11 boopme (Global Moderator)

Posted 28 April 2008 - 08:33 PM

The scans look to have killed it. How is the PC running now?

#12 brooky

Posted 11 May 2008 - 02:18 PM

Hi again,
I am still getting spyware and adware and trojans affecting my system on a fairly regular basis; just don't know what to do.
My Spyware Doctor program tells me all the time that I am infected.
This is my latest log from Trojan Hunter 5:

Quarantined file C:\Documents and Settings\Compaq_Administrator\Desktop\spyware adware and worm killers\SmitfraudFix\exit.exe
Quarantined file C:\Program Files\Mozilla Firefox\SmitfraudFix\exit.exe
Trojan cleaning finished.

SUPERAntiSpyware found 5 adware tracking cookies and 5 Trojan.Smitfraud variants.

SmitFraudFix:

SmitFraudFix v2.319

Scan done at 20:08:14.65, 11/05/2008
Run from C:\Documents and Settings\Compaq_Administrator\Desktop\spyware adware and worm killers\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\camtool\VideoMonitor\CamTool.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 16.92.3.242
DNS Server Search Order: 16.92.3.243
DNS Server Search Order: 16.81.3.243
DNS Server Search Order: 16.118.3.243

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{51086F16-80C4-469E-A05A-55245F64467A}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6538C46C-1BBE-4EBA-BBD1-12A6B68572F0}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Malwarebytes' Anti-Malware 1.11
Database version: 674

Scan type: Quick Scan
Objects scanned: 38119
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks in advance.

Edited by brooky, 11 May 2008 - 02:44 PM.


#13 DaChew (BC Advisor)

Posted 11 May 2008 - 02:41 PM

Unless your ISP is in Amsterdam, that's a pretty bad infection.

How to use SDFix

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#14 brooky

Posted 12 May 2008 - 03:32 AM

Not in Amsterdam, I'm UK!!

Have added the log from SDFix, run in safe mode:

SDFix: Version 1.182
Run by Compaq_Administrator on 12/05/2008 at 08:50

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\COMPAQ~1\Desktop\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\spwoqbmv.exe - Deleted
C:\WINDOWS\xbaqktfv.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 08:59:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39C6755E-FD32-DA9C-2B1D-CE00813780C9}]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe"="C:\\Program Files\\SymplisIT\\DriverMagic\\DriverMagic.exe:*:Enabled:DriverMagic Utilities"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Sunflowers\\ParaWorld\\bin\\PWServer.exe"="C:\\Program Files\\Sunflowers\\ParaWorld\\bin\\PWServer.exe:*:Enabled:ParaWorld Server"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Disabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\SopCast\\sopvod.exe"="C:\\Program Files\\SopCast\\sopvod.exe:*:Enabled:sopvod"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Westwood\\RA2\\game.exe"="C:\\Westwood\\RA2\\game.exe:*:Enabled:Main executable for Red Alert 2"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Westwood\\RA2\\mph.exe"="C:\\Westwood\\RA2\\mph.exe:*:Disabled:mph"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\COMPAQ~1\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 4 Nov 2006 211 A.SHR --- "C:\BOOT.BAK"
Fri 29 Feb 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 7 Mar 2007 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Fri 17 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Nov 2007 43,520 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL0001.tmp"
Thu 17 Apr 2008 57,856 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL0004.tmp"
Thu 15 Nov 2007 49,152 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL0205.tmp"
Thu 15 Nov 2007 49,152 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL0407.tmp"
Thu 15 Nov 2007 47,616 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL1036.tmp"
Thu 17 Apr 2008 59,392 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL1341.tmp"
Thu 15 Nov 2007 49,152 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\~WRL3261.tmp"
Sat 3 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 3 Feb 2004 94,208 A..H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\OLD COMPUTER DOCUMENTS AND SHORTCUTS AND SET UP FILES\~WRL0316.tmp"
Tue 3 Feb 2004 89,088 A..H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\OLD COMPUTER DOCUMENTS AND SHORTCUTS AND SET UP FILES\~WRL0934.tmp"
Tue 3 Feb 2004 91,648 A..H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\OLD COMPUTER DOCUMENTS AND SHORTCUTS AND SET UP FILES\~WRL1394.tmp"
Tue 3 Feb 2004 92,672 A..H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\OLD COMPUTER DOCUMENTS AND SHORTCUTS AND SET UP FILES\~WRL1897.tmp"
Tue 3 Feb 2004 92,160 A..H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\OLD COMPUTER DOCUMENTS AND SHORTCUTS AND SET UP FILES\~WRL2379.tmp"
Sat 22 Apr 2006 184,832 A..H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\OLD COMPUTER DOCUMENTS AND SHORTCUTS AND SET UP FILES\~WRL2814.tmp"
Thu 20 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"

Finished!

#15 DaChew (BC Advisor)

Posted 12 May 2008 - 06:10 AM

Have the malware symptoms disappeared?

P2P is extremely dangerous nowadays; malware is being injected into pirated software, and much is close to being incurable.

http://www.microsoft.com/technet/community...gmt/sm0504.mspx

I suggest you read this; a few flattens and your perspectives will change.



