Several Infections Including Xp Virus Alert 2008


  • This topic is locked
5 replies to this topic

#1 cd2045

cd2045

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:23 AM

Posted 16 June 2008 - 12:24 PM

I'm helping a friend whose machine was so thoroughly hijacked that his admin rights were gone, no control panel, could not locate C: drive from Windows, and much more, I'm afraid. I've followed advice from this forum and have gotten a lot of functionality back, but it's still in trouble. I installed and ran AVG, Ad-Aware, CCleaner and HijackThis. I removed cookies, temp files, emptied the recycle bin and anything else I could think of! It is not connected to the internet now, but tries to. I think there's something installed trying to use it to send things out, but I'm not sure. This XP 2008 virus junk keeps coming back to life. This is my latest HJT log. Thanks for any help you can give me! After re-reading the instructions, I see I was supposed to post the DSS info, which I forgot to copy. I am not on the internet while working on his machine. Here is the HJT log pasted in here like I was supposed to. Sorry.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24:14, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
E:\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 1719 bytes


Edited by cd2045, 16 June 2008 - 01:36 PM.


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 16 June 2008 - 04:25 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

I don't really see any sign of malware in that log, so we really need to see the more detailed DSS log. Please post it as a reply to this post when you have a chance to run it and we'll take it from there.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 cd2045

cd2045
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:23 AM

Posted 18 June 2008 - 10:37 AM

Hi, Sam. Thanks for your help! Here are two DSS logs. The first one is the original one and the second is after I cleaned up some stuff and is the current state.
Deckard's System Scanner v20071014.68
Run by Shaun on 2008-06-13 22:59:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-06-14 02:59:12 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-06-14 02:57:42 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Shaun.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:59:45, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
E:\avg_free_stf_all_8_100a1323.exe
C:\DOCUME~1\Shaun\LOCALS~1\Temp\RarSFX0\avgsetup.exe
E:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Shaun.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: (no name) - {A30E4323-28BD-40DB-9236-44F5EB65E451} - C:\WINDOWS\system32\geBRhEVp.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 2186 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080612-181051-100 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
backup-20080612-181051-228 O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
backup-20080612-181051-257 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080612-181051-267 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
backup-20080612-181051-286 O4 - HKCU\..\Run: [44267310142863502201305220189846] C:\Program Files\XP Antivirus\xpa.exe
backup-20080612-181051-328 O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Shaun\LOCALS~1\Temp\printsrv.exe/r
backup-20080612-181051-346 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080612-181051-350 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080612-181051-442 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080612-181051-527 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
backup-20080612-181051-545 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080612-181051-574 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080612-181051-666 O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)
backup-20080612-181051-688 O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
backup-20080612-181051-752 O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
backup-20080612-181051-769 O3 - Toolbar: nmwegbsf - {CF9BAB30-8E3C-4D10-B8C1-428B16A38D69} - C:\WINDOWS\nmwegbsf.dll
backup-20080612-181051-830 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
backup-20080612-181051-837 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20080612-181051-933 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080612-181052-275 O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
backup-20080612-181052-276 O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
backup-20080612-181052-550 O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...136/mcfscan.cab
backup-20080612-181052-560 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080612-181052-600 O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)
backup-20080612-181052-812 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080612-181052-886 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080613-224246-173 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20080613-224246-393 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080613-224246-538 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20080613-224314-678 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20080613-224314-856 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\shaun\locals~1\temp\catchme.sys (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-13 22:54:10 0 d-------- C:\Documents and Settings\Shaun\Application Data\AVGTOOLBAR
2008-06-13 22:43:48 0 dr-h----- C:\Documents and Settings\Shaun\Recent
2008-06-13 22:43:48 0 d--h----- C:\Documents and Settings\Shaun\NetHood
2008-06-13 22:29:39 0 d--hs---- C:\Documents and Settings\Shaun\Cookies
2008-06-13 22:21:04 0 d-------- C:\WINDOWS\ERUNT
2008-06-13 18:32:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-13 17:35:27 0 d-------- C:\Program Files\Alwil Software
2008-06-12 18:40:32 0 d-------- C:\Program Files\Yahoo!
2008-06-12 18:40:27 0 d-------- C:\Program Files\CCleaner
2008-06-12 18:32:13 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-12 17:57:59 0 d-------- C:\Program Files\Trend Micro
2008-06-12 17:44:55 0 d-------- C:\VundoFix Backups
2008-06-11 08:44:21 0 d-------- C:\WINDOWS\system32\NtmsData
2008-06-09 14:39:00 2883584 --a------ C:\Documents and Settings\Shaun\ntuser.dat
2008-06-09 14:38:18 2832 --ahs---- C:\WINDOWS\system32\pVEhRBeg.ini2
2008-06-09 14:37:58 321280 --a------ C:\WINDOWS\system32\geBRhEVp.dll
2008-06-09 14:32:55 29824 --a------ C:\WINDOWS\system32\mlJDsPGX.dll
2008-06-09 14:31:04 29824 --a------ C:\WINDOWS\system32\efcCrRKe.dll
2008-06-09 14:31:01 0 d-------- C:\Documents and Settings\Shaun\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-06-13 22:05:19 0 d-------- C:\Documents and Settings\Shaun\Application Data\AdwareAlert
2008-06-13 18:32:45 0 d-------- C:\Program Files\Common Files
2008-06-13 17:15:29 0 d-------- C:\Program Files\Google
2008-06-12 20:25:36 0 d-------- C:\Program Files\Online Services
2008-04-23 12:31:35 0 d-------- C:\Documents and Settings\Shaun\Application Data\Intuit
2008-04-23 12:30:06 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-23 12:30:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-23 12:28:19 0 d-------- C:\Program Files\TurboTax
2008-04-23 12:28:00 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A30E4323-28BD-40DB-9236-44F5EB65E451}]
06/09/2008 14:38 321280 --a------ C:\WINDOWS\system32\geBRhEVp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [10/23/2002 10:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogoff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 09/18/2005 02:32 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\geBRhEVp




-- End of Deckard's System Scanner: finished at 2008-06-13 23:00:13 ------------

*****NEWEST SCAN*****
Deckard's System Scanner v20071014.68
Run by Shaun on 2008-06-17 18:52:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Shaun.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:05, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Shaun\Desktop\dss.exe
E:\Shaun.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4C964F5A-08A7-4EA4-A5CE-65F590A3E61F} - C:\WINDOWS\system32\geBRhEVp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 2945 bytes

-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-14 15:29:04 0 d-------- C:\Program Files\Lavasoft
2008-06-14 15:25:24 0 dr-h----- C:\Documents and Settings\Shaun\Recent
2008-06-14 15:24:05 0 d--hs---- C:\Documents and Settings\Shaun\Cookies
2008-06-13 23:05:17 0 d--h----- C:\$AVG8.VAULT$
2008-06-13 23:02:43 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-13 23:02:31 0 d-------- C:\Program Files\AVG
2008-06-13 23:02:30 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-13 22:54:10 0 d-------- C:\Documents and Settings\Shaun\Application Data\AVGTOOLBAR
2008-06-13 22:43:48 0 d--h----- C:\Documents and Settings\Shaun\NetHood
2008-06-13 22:21:04 0 d-------- C:\WINDOWS\ERUNT
2008-06-13 18:32:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-13 17:35:27 0 d-------- C:\Program Files\Alwil Software
2008-06-12 18:40:32 0 d-------- C:\Program Files\Yahoo!
2008-06-12 18:40:27 0 d-------- C:\Program Files\CCleaner
2008-06-12 18:32:13 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-12 17:57:59 0 d-------- C:\Program Files\Trend Micro
2008-06-12 17:44:55 0 d-------- C:\VundoFix Backups
2008-06-11 08:44:21 0 d-------- C:\WINDOWS\system32\NtmsData
2008-06-09 14:39:00 2883584 --a------ C:\Documents and Settings\Shaun\ntuser.dat
2008-06-09 14:38:18 3726 --ahs---- C:\WINDOWS\system32\pVEhRBeg.ini2
2008-06-09 14:37:58 321280 --a------ C:\WINDOWS\system32\geBRhEVp.dll
2008-06-09 14:32:55 29824 --a------ C:\WINDOWS\system32\mlJDsPGX.dll
2008-06-09 14:31:04 29824 --a------ C:\WINDOWS\system32\efcCrRKe.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-13 22:05:19 0 d-------- C:\Documents and Settings\Shaun\Application Data\AdwareAlert
2008-06-13 18:32:45 0 d-------- C:\Program Files\Common Files
2008-06-13 17:15:29 0 d-------- C:\Program Files\Google
2008-06-12 20:25:36 0 d-------- C:\Program Files\Online Services
2008-04-23 12:31:35 0 d-------- C:\Documents and Settings\Shaun\Application Data\Intuit
2008-04-23 12:30:06 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-23 12:30:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-23 12:28:19 0 d-------- C:\Program Files\TurboTax
2008-04-23 12:28:00 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C964F5A-08A7-4EA4-A5CE-65F590A3E61F}]
06/09/2008 14:38 321280 --a------ C:\WINDOWS\system32\geBRhEVp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/13/2008 23:02 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/13/2008 23:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogoff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 09/18/2005 02:32 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau C:\WINDOWS\system32\geBRhEVp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-06-17 18:53:27 ------------

#4 cd2045

cd2045
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:23 AM

Posted 18 June 2008 - 11:07 AM

Also, here is the 'extra.txt' log from the first run. I didn't see one from the second run?
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 510.8 MiB / 300.51 MiB
Pagefile Memory (total/avail): 1247.43 MiB / 1103.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.48 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 31.08 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD400BB-00DKA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

\\.\PHYSICALDRIVE1 - USB DISK USB Device - 988.37 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 991.48 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shaun\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DAVID-2072A2F96
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shaun
LOGONSERVER=\\DAVID-2072A2F96
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Shaun\LOCALS~1\Temp
TMP=C:\DOCUME~1\Shaun\LOCALS~1\Temp
USERDOMAIN=DAVID-2072A2F96
USERNAME=Shaun
USERPROFILE=C:\Documents and Settings\Shaun
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Shaun (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP OfficeJet G Series --> "C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\Uninstall\hpourn07.exe" /Path="C:\Program Files\Hewlett-Packard\HP OfficeJet G Series" /Uninstall="HP OfficeJet G Series"
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{EF4EF65F-4D62-44D7-82C9-1AECCBA74C50}
Linksys Wireless-G USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
Macromedia Flash Player 8 --> MsiExec.exe /X{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Norton Security Scan --> MsiExec.exe /I{3A4FFB84-D070-4DA5-AB7B-D41D87FD8D19}
QuickBooks Product Listing Service --> MsiExec.exe /I{054C3038-FFAC-446D-9682-E25891DC2E05}
QuickBooks Simple Start Edition --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="atom" QBFULLNAME="QuickBooks Simple Start Edition" ADDREMOVE=1
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TurboTax Deluxe 2004 --> C:\Program Files\TurboTax\Deluxe 2004\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2004\Uninstall.log" -NoGui
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\setup.exe" -l0x9 -eliminate
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type605 / Warning
Event Submitted/Written: 06/13/2008 10:54:00 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type603 / Error
Event Submitted/Written: 06/13/2008 06:32:48 PM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_1_0_7.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type587 / Warning
Event Submitted/Written: 06/12/2008 06:38:09 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type580 / Warning
Event Submitted/Written: 06/12/2008 06:32:13 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type579 / Warning
Event Submitted/Written: 06/12/2008 06:29:54 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type50233 / Error
Event Submitted/Written: 06/13/2008 10:55:11 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type50232 / Error
Event Submitted/Written: 06/13/2008 10:54:08 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgpp.dll.
Reference error message: The operation completed successfully.
.

Event Record #/Type50231 / Error
Event Submitted/Written: 06/13/2008 10:54:08 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type50230 / Error
Event Submitted/Written: 06/13/2008 10:54:08 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type50229 / Error
Event Submitted/Written: 06/13/2008 10:54:07 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgssie.dll.
Reference error message: The operation completed successfully.
.



-- End of Deckard's System Scanner: finished at 2008-06-13 23:00:13 ------------

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 18 June 2008 - 04:27 PM

You still have some malware present.



Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


========================================================

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:23 AM

Posted 01 July 2008 - 11:44 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================
