Virus And Malware Infection Problem, Windows XP


  • This topic is locked
2 replies to this topic

#1 cpack

Posted 30 April 2008 - 10:04 PM

Firefox and Internet Explorer links got hijacked to unknown, apparently bogus sites advertising malware removal. Later, some links in the browsers would not work at all - noticeably MyYahoo and Google. CA Security reports Vundologeneric, but cannot seem to permanently remove it. Ran Vundofix.exe; the scan did not show any hits. Ran combofix; this seemed to help the Firefox browser run much better, and the links to MyYahoo, etc. now all work, but CA still reports finding the Vundolgeneric virus. Also installed Spyware Doctor - it turned up some spyware, etc. and removed these, but the browser problems seem to always come back. Below is the log from combofix.exe. First time I have done this, so I hope the info is enough. Thanks for any help anyone can provide to get rid of these problems.

PS - for an unknown reason I cannot get the Microsoft Firewall turned on.

ComboFix 08-04-29.5 - Jonathan Crook 2008-04-30 20:24:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.549 [GMT -4:00]
Running from: H:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\StDMTvGh.ini
C:\WINDOWS\system32\StDMTvGh.ini2
C:\WINDOWS\system32\TAGiQqru.ini
C:\WINDOWS\system32\TAGiQqru.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-30 18:54 . 2008-04-30 18:54 <DIR> d-------- C:\VundoFix Backups
2008-04-29 21:23 . 2008-04-29 21:23 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-28 19:51 . 2008-04-28 19:51 <DIR> d-------- C:\qrnt
2008-04-28 19:32 . 2008-04-29 21:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-28 19:31 . 2008-04-28 19:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-28 19:31 . 2008-04-28 19:31 <DIR> d-------- C:\Documents and Settings\Jonathan Crook\Application Data\PC Tools
2008-04-28 19:31 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-28 19:31 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-28 19:31 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-28 19:31 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-27 18:17 . 2008-04-29 20:53 <DIR> d-------- C:\Program Files\Microsoft Money Plus
2008-04-27 15:28 . 2008-04-30 18:38 109,838 --a------ C:\WINDOWS\BM74427d53.xml
2008-04-22 20:45 . 2008-04-22 20:45 <DIR> d-------- C:\CA
2008-04-20 21:05 . 2008-04-20 21:05 <DIR> d-------- C:\Program Files\DNA
2008-04-20 21:05 . 2008-04-20 21:05 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-20 21:05 . 2008-04-23 21:47 <DIR> d-------- C:\Documents and Settings\Jonathan Crook\Application Data\DNA
2008-04-20 21:05 . 2008-04-28 21:03 <DIR> d-------- C:\Documents and Settings\Jonathan Crook\Application Data\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 01:49 --------- d-----w C:\Program Files\Privacy Guardian
2008-04-30 00:20 --------- d-----w C:\Program Files\Google
2008-04-19 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-28 23:05 --------- d-----w C:\Program Files\Java
2008-03-28 22:33 --------- d-----w C:\Program Files\License Backup
2008-03-24 17:38 --------- d-----w C:\Program Files\QuickTime
2008-03-24 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-22 13:44 --------- d-----w C:\Program Files\InterActual
2008-03-02 00:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-12-27 22:12 1,853,447 -c--a-w C:\Documents and Settings\Jonathan Crook\Application Data\Install.dat
2005-09-14 18:24 26,166,613 -c--a-w C:\Program Files\NAV05ENG.exe
2005-09-14 18:12 110,592 -c--a-w C:\Program Files\setup.exe
2005-02-06 17:50 25,392 -c--a-w C:\Documents and Settings\Jonathan Crook\Application Data\GDIPFONTCACHEV1.DAT
2004-12-01 01:26 16,706,160 -c--a-w C:\Program Files\AdbeRdr60_enu_full.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34E12A24-E56D-47BC-9151-0CEBF3FE0848}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AB54879-BDC2-4095-985D-7EF0704586CB}]
C:\WINDOWS\system32\hGvTMDtS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d273c650-0bc4-4696-a381-d673cb7bca84}]
C:\WINDOWS\system32\psusmikx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:25 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 14:42 230664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaBSji]
fccaBSji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"NeroCheck"=C:\WINDOWS\System32\\NeroCheck.exe
"SoundMan"=SOUNDMAN.EXE
"Internet Explorer"=iexpl0re.exe
"D-Link AirPlus G"=C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"BM74427d53"=Rundll32.exe "C:\WINDOWS\system32\myygfdcq.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Internet Explorer"=iexpl0re.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 04:17]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 22:10]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 13:11]
S3 HNBCP;Intel® AnyPoint™ PCI 10 Mbps Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\HNBCP_5.sys [2001-04-02 18:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 14:12:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-03 03:55:24 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Jonathan Crook at 7 26 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-05-01 00:33:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 20:55:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-30 21:03:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 01:03:32

Pre-Run: 52,852,670,464 bytes free
Post-Run: 52,963,811,328 bytes free

162 --- E O F --- 2008-04-14 02:59:15
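An added triage example (editor's addition, not part of the thread and not ComboFix's own logic). The log above already contains the classic Vundo fingerprints a helper looks for: BHOs and a Winlogon Notify handler pointing at 8-letter random DLL names (hGvTMDtS.dll, psusmikx.dll, fccaBSji.dll, myygfdcq.dll), a look-alike "iexpl0re.exe" autorun, and Security Center overrides (AntiVirusOverride, FirewallOverride, UpdatesDisableNotify) that silence the warnings the user would otherwise see, which also fits the "cannot get the firewall turned on" complaint. The script below walks a constructed excerpt of the "Reg Loading Points" section and flags those entries. The Winlogon Notify baseline, the process-name list and the digit-swap heuristic are assumptions for illustration, not a ComboFix rule set.

```python
"""Flag Vundo-style indicators in the 'Reg Loading Points' part of a ComboFix log.

Added editorial example; neither the thread's own content nor ComboFix code.
The log excerpt is constructed from the post above, and the baseline lists and
heuristics below are the editor's assumptions, not ComboFix's rules.
"""
import re

# Constructed excerpt of the log posted above (a subset, not the full output).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AB54879-BDC2-4095-985D-7EF0704586CB}]
C:\WINDOWS\system32\hGvTMDtS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d273c650-0bc4-4696-a381-d673cb7bca84}]
C:\WINDOWS\system32\psusmikx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 23:25 177416]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaBSji]
fccaBSji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=C:\WINDOWS\System32\\NeroCheck.exe
"Internet Explorer"=iexpl0re.exe
"BM74427d53"=Rundll32.exe "C:\WINDOWS\system32\myygfdcq.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# Assumed XP SP2 baseline of Winlogon Notify handlers (illustrative, lowercase).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Process names that malware imitates by swapping look-alike digits for letters.
KNOWN_PROCS = {"iexplore", "explorer", "svchost", "lsass", "csrss", "winlogon", "services"}
DIGIT_SWAP = str.maketrans("013", "ole")  # 0->o, 1->l, 3->e

SECTION_RE = re.compile(r"^\[(.+)\]$")
MODULE_RE = re.compile(r"([A-Za-z0-9_.\-]+)\.(dll|exe)\b", re.IGNORECASE)


def looks_random(stem):
    """Vundo dropped DLLs with 8-letter random names; every bad DLL in the log fits."""
    return len(stem) == 8 and stem.isalpha()


def triage(log_text):
    """Return (rule, registry key, detail) tuples for entries worth a closer look."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        key = section.lower()

        # Security Center overrides: a value of 1 silences the "no antivirus" /
        # "firewall off" warnings, so the user is no longer told something is wrong.
        if "security center" in key and line.endswith("=dword:00000001"):
            findings.append(("security_center_override", section,
                             line.split("=", 1)[0].strip('"')))

        # Winlogon Notify DLLs load inside winlogon.exe at every logon, so any
        # handler outside the baseline deserves a look.
        if "\\winlogon\\notify\\" in key:
            handler = key.rsplit("\\", 1)[1]
            if handler not in KNOWN_NOTIFY:
                findings.append(("unknown_winlogon_notify", section, line))

        for stem, ext in MODULE_RE.findall(line):
            ext = ext.lower()
            # BHOs and rundll32 targets with random-looking 8-letter names.
            if ext == "dll" and looks_random(stem) and (
                    "browser helper objects" in key or "rundll32" in line.lower()):
                findings.append(("random_name_dll", section, stem + ".dll"))
            # iexpl0re.exe is not iexplore.exe: undo digit substitution and compare.
            if ext == "exe" and any(c.isdigit() for c in stem):
                if stem.lower().translate(DIGIT_SWAP) in KNOWN_PROCS:
                    findings.append(("lookalike_process", section, stem + ".exe"))
    return findings


if __name__ == "__main__":
    for rule, section, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}   <- {section}")
```

Run against the excerpt it reports eight findings: the three random-named DLLs, the unknown Winlogon Notify handler, the iexpl0re.exe look-alike, and the three Security Center overrides. The 8-letter rule is deliberately narrow (it is the pattern this particular log shows) and the baselines are short, so treat the output as a prompt for manual review rather than a verdict.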

#2 rookie147

Posted 01 May 2008 - 01:32 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with ComboFix and post back the new log, along with a HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 rookie147

Posted 25 May 2008 - 03:27 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
