
PC infected by "XP Police" program


  • This topic is locked
10 replies to this topic

#1 sam-my

sam-my

  • Members
  • 122 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 06 February 2009 - 03:11 AM

My PC (Windows XP with SP3) has been hijacked by "XP Police".
This program disabled my antivirus (NOD32) and its icon replaced the AV icon in the system tray.
I got a Microsoft Security System warning that my PC is at risk since my AV is "OFF" and was requested to activate it.
This rogue program began sending me "alert windows" that my PC is infected.
The "Task Manager" command has been deactivated (greyed out).

I downloaded "Malwarebytes Anti-Malware" and "SuperAntiSpyware", updated them and scanned
the PC. They found and cleaned more than 70 "nasties".
The XP Police icon has been removed from the system tray and replaced by the NOD32 one.
I also ran SpyBot and NOD32.
The PC seems to have reverted to normal.

Is there any additional cleaning to perform?

Thanks for assistance


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 06 February 2009 - 09:29 AM

Hi,

Do a new full scan with MalwareBytes Anti-Malware, and post that logfile in your next reply.
Also do this:

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Posted Image: the "Scan is completed" window, with the Save Report As button marked by a red blinking arrow]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#3 sam-my

sam-my
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE

Posted 06 February 2009 - 06:13 PM

Thank you Superbird for your assistance.

Both scans showed a clean PC.

The MalwareBytes Anti-Malware scan log follows:

Malwarebytes' Anti-Malware 1.33
Database version: 1735
Windows 5.1.2600 Service Pack 3

06/02/2009 22:39:20
mbam-log-2009-02-06 (22-39-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109982
Time elapsed: 13 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, February 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, February 06, 2009 20:48:58
Records in database: 1761004
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 125282
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:35:04

No malware has been detected. The scan area is clean.

The selected area was scanned.

#4 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 07 February 2009 - 05:02 AM

Let's take a deeper look :thumbsup:

Download this file: zoek.exe
Start the tool. A logfile will open after a while.
Post the contents of the logfile in your next reply.

#5 sam-my

sam-my
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 07 February 2009 - 03:32 PM

Many thanks for your time.
The "zoek" log file content follows:

======C:\WINDOWS====
----a-w 0 2009-02-07 14:53:16 C:\WINDOWS\0.log
--s-a-w 2,048 2009-02-07 14:52:50 C:\WINDOWS\bootstat.dat
----a-w 0 2008-11-17 13:33:14 C:\WINDOWS\control.ini
----a-w 934 2008-12-27 19:15:37 C:\WINDOWS\disney.ini
----a-w 1,616,384 2008-08-18 18:17:14 C:\WINDOWS\explorer.exe
----a-w 16,608 2009-02-07 14:52:56 C:\WINDOWS\gdrv.sys
----a-w 315,392 2008-11-17 13:58:05 C:\WINDOWS\HideWin.exe
----a-w 69 2009-02-06 13:54:45 C:\WINDOWS\NeroDigital.ini
----a-w 0 2008-11-17 20:09:25 C:\WINDOWS\nsreg.dat
----a-w 4,161 2008-11-17 13:33:01 C:\WINDOWS\ODBCINST.INI
----a-w 32,586 2009-02-07 11:46:20 C:\WINDOWS\SchedLgU.Txt
----a-w 5,684 2009-02-07 15:58:13 C:\WINDOWS\setupapi.log
----a-w 0 2009-02-05 23:31:49 C:\WINDOWS\Sti_Trace.log
----a-w 227 2008-11-25 23:02:10 C:\WINDOWS\system.ini
----a-w 36 2008-11-17 13:30:20 C:\WINDOWS\vb.ini
----a-w 37 2008-11-17 13:30:20 C:\WINDOWS\vbaddin.ini
----a-w 216 2009-02-05 23:55:26 C:\WINDOWS\wiadebug.log
----a-w 50 2009-02-05 23:55:26 C:\WINDOWS\wiaservc.log
----a-w 582 2008-11-25 23:02:10 C:\WINDOWS\win.ini
----a-w 255 2008-11-27 18:52:54 C:\WINDOWS\wincmd.ini
---ha-r 749 2008-11-17 13:32:18 C:\WINDOWS\WindowsShell.Manifest
----a-w 1,052,847 2009-02-07 19:40:56 C:\WINDOWS\WindowsUpdate.log
----a-w 316,640 2008-11-17 13:33:08 C:\WINDOWS\WMSysPr9.prx

Entries: 23 (21)
Directories: 0 Files: 23
Bytes: 3,365,505 Blocks: 6,584
======C:\WINDOWS\system32=====
----a-w 1,100 2008-11-17 13:38:05 C:\WINDOWS\System32\$winnt$.inf
----a-w 483,328 2008-09-25 13:20:54 C:\WINDOWS\System32\actskn45.ocx
----a-w 124,928 2008-10-16 20:38:34 C:\WINDOWS\System32\advpack.dll
----a-w 16,832 2008-11-17 13:33:09 C:\WINDOWS\System32\amcompat.tlb
----a-w 172,032 2009-01-01 15:11:40 C:\WINDOWS\System32\AniGIF.ocx
----a-w 34,308 2009-01-24 20:07:13 C:\WINDOWS\System32\BASSMOD.dll
----a-w 146,650 2008-11-17 13:59:43 C:\WINDOWS\System32\BuzzingBee.wav
----a-w 92,696 2008-10-16 12:09:44 C:\WINDOWS\System32\cdm.dll
---ha-r 749 2008-11-17 13:32:18 C:\WINDOWS\System32\cdplayer.exe.manifest
----a-w 107,888 2008-12-29 21:01:59 C:\WINDOWS\System32\CmdLineExt.dll
----a-w 2,577 2008-11-17 13:33:14 C:\WINDOWS\System32\CONFIG.NT
----a-w 884 2008-11-17 19:06:25 C:\WINDOWS\System32\d3d8caps.dat
----a-w 664 2009-02-07 20:26:26 C:\WINDOWS\System32\d3d9caps.dat
----a-w 410,984 2009-02-06 20:36:38 C:\WINDOWS\System32\deploytk.dll
----a-w 347,136 2008-10-16 20:38:34 C:\WINDOWS\System32\dxtmsft.dll
----a-w 214,528 2008-10-16 20:38:34 C:\WINDOWS\System32\dxtrans.dll
----a-w 21,640 2008-11-17 13:30:29 C:\WINDOWS\System32\emptyregdb.dat
----a-w 133,120 2008-10-16 20:38:35 C:\WINDOWS\System32\extmgr.dll
----a-w 415,856 2009-02-02 20:00:09 C:\WINDOWS\System32\FNTCACHE.DAT
----a-w 286,720 2008-10-23 12:36:14 C:\WINDOWS\System32\gdi32.dll
----a-w 1,700,352 2008-12-29 21:18:25 C:\WINDOWS\System32\gdiplus.dll
----a-w 0 2008-11-17 20:27:44 C:\WINDOWS\System32\h323log.txt
----a-w 63,488 2008-10-16 20:38:35 C:\WINDOWS\System32\icardie.dll
----a-w 70,656 2008-10-16 13:11:09 C:\WINDOWS\System32\ie4uinit.exe
----a-w 153,088 2008-10-16 20:38:35 C:\WINDOWS\System32\ieakeng.dll
----a-w 230,400 2008-10-16 20:38:35 C:\WINDOWS\System32\ieaksie.dll
----a-w 161,792 2008-10-15 07:04:53 C:\WINDOWS\System32\ieakui.dll
----a-w 383,488 2008-10-16 20:38:35 C:\WINDOWS\System32\ieapfltr.dll
----a-w 384,512 2008-10-16 20:38:35 C:\WINDOWS\System32\iedkcs32.dll
----a-w 6,066,176 2008-10-16 20:38:37 C:\WINDOWS\System32\ieframe.dll
----a-w 44,544 2008-10-16 20:38:37 C:\WINDOWS\System32\iernonce.dll
----a-w 267,776 2008-10-16 20:38:37 C:\WINDOWS\System32\iertutil.dll
----a-w 13,824 2008-10-16 13:11:09 C:\WINDOWS\System32\ieudinit.exe
----a-w 1,831,424 2008-10-16 20:38:37 C:\WINDOWS\System32\inetcpl.cpl
----a-w 406 2008-11-29 21:36:13 C:\WINDOWS\System32\ioloBootDefrag.cfg
----a-w 144,792 2009-02-06 20:36:38 C:\WINDOWS\System32\java.exe
----a-w 73,728 2009-02-06 20:36:38 C:\WINDOWS\System32\javacpl.cpl
----a-w 144,792 2009-02-06 20:36:38 C:\WINDOWS\System32\javaw.exe
----a-w 148,888 2009-02-06 20:36:38 C:\WINDOWS\System32\javaws.exe
----a-w 27,648 2008-10-16 20:38:37 C:\WINDOWS\System32\jsproxy.dll
----a-w 436,768 2008-08-24 10:11:00 C:\WINDOWS\System32\keystone.exe
---ha-r 488 2008-11-17 13:32:21 C:\WINDOWS\System32\logonui.exe.manifest
----a-w 940,794 2008-11-17 13:59:43 C:\WINDOWS\System32\LoopyMusic.wav
----a-w 74,703 2008-11-29 21:18:33 C:\WINDOWS\System32\mfc45.dll
----a-w 1,060,864 2008-12-29 21:18:25 C:\WINDOWS\System32\mfc71.dll
----a-w 20,853,704 2009-01-10 01:35:28 C:\WINDOWS\System32\MRT.exe
----a-w 459,264 2008-10-16 20:38:37 C:\WINDOWS\System32\msfeeds.dll
----a-w 52,224 2008-10-16 20:38:37 C:\WINDOWS\System32\msfeedsbs.dll
----a-w 3,593,216 2008-12-13 06:40:02 C:\WINDOWS\System32\mshtml.dll
----a-w 477,696 2008-10-16 20:38:38 C:\WINDOWS\System32\mshtmled.dll
----a-w 188 2008-11-18 22:04:55 C:\WINDOWS\System32\MsiExec.exe.log
----a-w 193,024 2008-10-16 20:38:38 C:\WINDOWS\System32\msrating.dll
----a-w 671,232 2008-10-16 20:38:39 C:\WINDOWS\System32\mstime.dll
----a-w 499,712 2008-11-04 07:35:24 C:\WINDOWS\System32\msvcp71.dll
----a-w 348,160 2008-11-04 07:35:24 C:\WINDOWS\System32\msvcr71.dll
----a-w 1,106,944 2008-09-04 17:15:04 C:\WINDOWS\System32\msxml3.dll
----a-w 1,286,152 2008-09-30 14:43:34 C:\WINDOWS\System32\msxml4.dll
----a-w 1,307,648 2008-09-10 01:14:56 C:\WINDOWS\System32\msxml6.dll
----a-w 268,648 2008-10-16 12:06:48 C:\WINDOWS\System32\mucltui.dll
----a-w 27,496 2008-10-16 12:06:48 C:\WINDOWS\System32\mucltui.dll.mui
----a-w 208,744 2008-10-16 12:06:48 C:\WINDOWS\System32\muweb.dll
---ha-r 749 2008-11-17 13:32:18 C:\WINDOWS\System32\ncpa.cpl.manifest
----a-w 337,408 2008-10-15 16:34:24 C:\WINDOWS\System32\netapi32.dll
----a-w 619 2008-08-18 18:17:18 C:\WINDOWS\System32\nlite.cmd
----a-w 23,392 2008-11-17 13:33:09 C:\WINDOWS\System32\nscompat.tlb
----a-w 6,057,344 2008-08-24 10:11:00 C:\WINDOWS\System32\nv4_disp.dll
----a-w 475,136 2008-08-24 10:11:00 C:\WINDOWS\System32\nvapi.dll
----a-w 449,056 2008-08-24 10:11:00 C:\WINDOWS\System32\nvappbar.exe
----a-w 200,513 2009-02-07 15:57:43 C:\WINDOWS\System32\nvapps.xml
----a-w 122,880 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcod.dll
----a-w 122,880 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcodins.dll
----a-w 143,360 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcolor.exe
----a-w 420,384 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcpl.cpl
----a-w 13,574,144 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcpl.dll
----a-w 797,216 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcplui.exe
----a-w 1,108,512 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcpluir.dll
----a-w 1,368,064 2008-08-24 10:11:00 C:\WINDOWS\System32\nvcuda.dll
----a-w 18,394 2008-08-24 10:11:00 C:\WINDOWS\System32\nvdisp.nvu
----a-w 3,989,504 2008-08-24 10:11:00 C:\WINDOWS\System32\nvdisps.dll
----a-w 5,799,936 2008-08-24 10:11:00 C:\WINDOWS\System32\nvdispsr.dll
----a-w 1,346,080 2008-08-24 10:11:00 C:\WINDOWS\System32\nvdspsch.exe
----a-w 3,444,736 2008-08-24 10:11:00 C:\WINDOWS\System32\nvgames.dll
----a-w 3,457,024 2008-08-24 10:11:00 C:\WINDOWS\System32\nvgamesr.dll
----a-w 1,499,136 2008-08-24 10:11:00 C:\WINDOWS\System32\nview.dll
----a-w 229,376 2008-08-24 10:11:00 C:\WINDOWS\System32\nvmccs.dll
----a-w 45,056 2008-08-24 10:11:00 C:\WINDOWS\System32\nvmccsrs.dll
----a-w 188,416 2008-08-24 10:11:00 C:\WINDOWS\System32\nvmccss.dll
----a-w 458,752 2008-08-24 10:11:00 C:\WINDOWS\System32\nvmccssr.dll
----a-w 86,016 2008-08-24 10:11:00 C:\WINDOWS\System32\nvmctray.dll
----a-w 1,257,472 2008-08-24 10:11:00 C:\WINDOWS\System32\nvmobls.dll
----a-w 2,854,912 2008-08-24 10:11:00 C:\WINDOWS\System32\nvmoblsr.dll
----a-w 286,720 2008-08-24 10:11:00 C:\WINDOWS\System32\nvnt4cpl.dll
----a-w 8,826,880 2008-08-24 10:11:00 C:\WINDOWS\System32\nvoglnt.dll
----a-w 331,776 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsar.dll
----a-w 245,760 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrscs.dll
----a-w 253,952 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsda.dll
----a-w 278,528 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsde.dll
----a-w 282,624 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsel.dll
----a-w 245,760 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrseng.dll
----a-w 282,624 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrses.dll
----a-w 274,432 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsesm.dll
----a-w 249,856 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsfi.dll
----a-w 282,624 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsfr.dll
----a-w 331,776 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrshe.dll
----a-w 258,048 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrshu.dll
----a-w 278,528 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsit.dll
----a-w 270,336 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsja.dll
----a-w 262,144 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsko.dll
----a-w 274,432 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsnl.dll
----a-w 253,952 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsno.dll
----a-w 253,952 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrspl.dll
----a-w 270,336 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrspt.dll
----a-w 266,240 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsptb.dll
----a-w 266,240 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsru.dll
----a-w 258,048 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrssk.dll
----a-w 258,048 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrssl.dll
----a-w 253,952 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrssv.dll
----a-w 253,952 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrsth.dll
----a-w 253,952 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrstr.dll
----a-w 225,280 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrszhc.dll
----a-w 122,880 2008-08-24 10:11:00 C:\WINDOWS\System32\nvrszht.dll
----a-w 466,944 2008-08-24 10:11:00 C:\WINDOWS\System32\nvshell.dll
----a-w 163,908 2008-08-24 10:11:00 C:\WINDOWS\System32\nvsvc32.exe
----a-w 73,728 2008-08-24 10:11:00 C:\WINDOWS\System32\nvtuicpl.cpl
----a-w 453,152 2008-08-24 10:11:00 C:\WINDOWS\System32\nvudisp.exe
----a-w 453,152 2008-08-22 00:00:16 C:\WINDOWS\System32\NVUNINST.EXE
----a-w 3,764,224 2008-08-24 10:11:00 C:\WINDOWS\System32\nvvitvs.dll
----a-w 4,149,248 2008-08-24 10:11:00 C:\WINDOWS\System32\nvvitvsr.dll
----a-w 81,920 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwddi.dll
----a-w 1,724,416 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwdmcpl.dll
----a-w 1,101,824 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwimg.dll
----a-w 282,624 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsar.dll
----a-w 286,720 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrscs.dll
----a-w 294,912 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsda.dll
----a-w 311,296 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsde.dll
----a-w 335,872 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsel.dll
----a-w 286,720 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrseng.dll
----a-w 335,872 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrses.dll
----a-w 327,680 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsesm.dll
----a-w 303,104 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsfi.dll
----a-w 327,680 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsfr.dll
----a-w 278,528 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrshe.dll
----a-w 315,392 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrshu.dll
----a-w 323,584 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsit.dll
----a-w 212,992 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsja.dll
----a-w 196,608 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsko.dll
----a-w 319,488 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsnl.dll
----a-w 299,008 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsno.dll
----a-w 294,912 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrspl.dll
----a-w 323,584 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrspt.dll
----a-w 319,488 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsptb.dll
----a-w 315,392 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsru.dll
----a-w 299,008 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrssk.dll
----a-w 303,104 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrssl.dll
----a-w 294,912 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrssv.dll
----a-w 290,816 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrsth.dll
----a-w 303,104 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrstr.dll
----a-w 163,840 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrszhc.dll
----a-w 167,936 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwrszht.dll
----a-w 2,686,976 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwss.dll
----a-w 2,981,888 2008-08-24 10:11:00 C:\WINDOWS\System32\nvwssr.dll
---ha-r 749 2008-11-17 13:32:18 C:\WINDOWS\System32\nwc.cpl.manifest
----a-w 1,657,376 2008-08-24 10:11:00 C:\WINDOWS\System32\nwiz.exe
----a-w 102,912 2008-10-16 20:38:39 C:\WINDOWS\System32\occache.dll
----a-w 215 2008-08-18 12:32:18 C:\WINDOWS\System32\oeminfo.ini
----a-w 682,280 2008-12-01 22:55:34 C:\WINDOWS\System32\pbsvc.exe
----a-w 68,292 2009-02-07 14:57:17 C:\WINDOWS\System32\perfc009.dat
----a-w 435,396 2009-02-07 14:57:17 C:\WINDOWS\System32\perfh009.dat
----a-w 512,960 2009-02-07 14:57:16 C:\WINDOWS\System32\PerfStringBackup.INI
----a-w 181,528 2008-09-04 07:31:14 C:\WINDOWS\System32\PhysX.cpl
----a-w 288,024 2008-09-04 07:31:16 C:\WINDOWS\System32\PhysXCplUI.exe
----a-w 70,936 2008-08-29 06:57:16 C:\WINDOWS\System32\PhysXLoader.dll
----a-w 4,444 2008-11-17 20:25:12 C:\WINDOWS\System32\pid.PNF
----a-w 44,544 2008-10-16 20:38:39 C:\WINDOWS\System32\pngfilt.dll
----a-w 66,872 2008-12-01 22:55:35 C:\WINDOWS\System32\PnkBstrA.exe
----a-w 111,928 2009-01-17 04:53:37 C:\WINDOWS\System32\PnkBstrB.exe
---ha-r 749 2008-11-17 13:32:18 C:\WINDOWS\System32\sapi.cpl.manifest
----a-w 26,561,024 2008-08-18 18:17:42 C:\WINDOWS\System32\shell32.dll
------r 59,392 2009-01-31 10:00:37 C:\WINDOWS\System32\streamhlp.dll
----a-w 247,326 2008-10-03 10:02:42 C:\WINDOWS\System32\strmdll.dll
----a-w 900,096 2008-08-18 18:17:54 C:\WINDOWS\System32\sysdm.cpl
----a-w 64,694,869 2008-08-18 18:19:10 C:\WINDOWS\System32\taskman.exe
----a-w 355,584 2008-11-18 20:31:36 C:\WINDOWS\System32\TuneUpDefragService.exe
----a-w 62,976 2008-10-23 10:06:59 C:\WINDOWS\System32\tzchange.exe
----a-w 436,172 2008-12-11 01:02:49 C:\WINDOWS\System32\TZLog.log
----a-w 105,984 2008-10-16 20:38:39 C:\WINDOWS\System32\url.dll
----a-w 1,160,192 2008-10-16 20:38:39 C:\WINDOWS\System32\urlmon.dll
----a-w 70,176 2008-09-26 13:05:24 C:\WINDOWS\System32\vsnapvss.exe
----a-w 50,688 2009-01-01 15:11:40 C:\WINDOWS\System32\wbhelp2.dll
----a-w 479,298 2009-01-01 15:11:40 C:\WINDOWS\System32\wbocx.ocx
----a-w 233,472 2008-10-16 20:38:39 C:\WINDOWS\System32\webcheck.dll
----a-w 1,846,400 2008-09-15 12:12:56 C:\WINDOWS\System32\win32k.sys
---ha-r 488 2008-11-17 13:32:21 C:\WINDOWS\System32\WindowsLogon.manifest
----a-w 826,368 2008-10-16 20:38:40 C:\WINDOWS\System32\wininet.dll
----a-w 2,206 2009-02-07 11:13:00 C:\WINDOWS\System32\wpa.dbl
----a-w 561,688 2008-10-16 12:12:20 C:\WINDOWS\System32\wuapi.dll
----a-w 23,576 2008-10-16 12:07:44 C:\WINDOWS\System32\wuapi.dll.mui
----a-w 51,224 2008-10-16 12:09:44 C:\WINDOWS\System32\wuauclt.exe
----a-w 213,528 2008-10-16 12:12:20 C:\WINDOWS\System32\wuaucpl.cpl
---ha-r 749 2008-11-17 13:32:18 C:\WINDOWS\System32\wuaucpl.cpl.manifest
----a-w 23,576 2008-10-16 12:07:46 C:\WINDOWS\System32\wuaucpl.cpl.mui
----a-w 1,809,944 2008-10-16 12:13:40 C:\WINDOWS\System32\wuaueng.dll
----a-w 18,456 2008-10-16 12:07:14 C:\WINDOWS\System32\wuaueng.dll.mui
----a-w 323,608 2008-10-16 12:12:22 C:\WINDOWS\System32\wucltui.dll
----a-w 31,768 2008-10-16 12:09:40 C:\WINDOWS\System32\wucltui.dll.mui
----a-w 34,328 2008-10-16 12:08:58 C:\WINDOWS\System32\wups.dll
----a-w 43,544 2008-10-16 12:09:44 C:\WINDOWS\System32\wups2.dll
----a-w 202,776 2008-10-16 12:13:40 C:\WINDOWS\System32\wuweb.dll
----a-w 14,303,392 2008-10-28 15:41:22 C:\WINDOWS\System32\xlive.dll
----a-w 173,552 2008-10-28 15:40:48 C:\WINDOWS\System32\xlive.dll.cat
----a-w 13,643,936 2008-10-28 15:41:20 C:\WINDOWS\System32\xlivefnt.dll

Entries: 211 (204)
Directories: 0 Files: 211
Bytes: 275,121,279 Blocks: 537,395
======C:\WINDOWS\system32\drivers=====
----a-w 15,504 2009-01-14 14:11:28 C:\WINDOWS\System32\drivers\mbam.sys
----a-w 38,496 2009-01-14 14:11:32 C:\WINDOWS\System32\drivers\mbamswissarmy.sys
----a-w 455,296 2008-10-24 11:21:09 C:\WINDOWS\System32\drivers\mrxsmb.sys
----a-w 6,128,352 2008-08-24 10:11:00 C:\WINDOWS\System32\drivers\nv4_mini.sys
----a-w 138,464 2009-01-17 04:53:59 C:\WINDOWS\System32\drivers\PnkBstrK.sys
----a-w 717,296 2008-11-19 20:42:30 C:\WINDOWS\System32\drivers\sptd.sys
----a-w 333,952 2008-12-11 10:57:09 C:\WINDOWS\System32\drivers\srv.sys

Entries: 7 (7)
Directories: 0 Files: 7
Bytes: 7,827,360 Blocks: 15,292
======C:\WINDOWS\Tasks======
----a-w 484 2009-02-07 20:00:00 C:\WINDOWS\Tasks\1-Click Maintenance.job
---ha-w 6 2009-02-07 14:52:55 C:\WINDOWS\Tasks\SA.DAT

Entries: 2 (1)
Directories: 0 Files: 2
Bytes: 490 Blocks: 2
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======C:=====
----a-w 0 2008-11-17 13:33:14 C:\AUTOEXEC.BAT
--sh--w 211 2008-11-25 23:02:10 C:\boot.ini
----a-w 0 2008-11-17 13:33:14 C:\CONFIG.SYS
----a-w 230 2009-01-28 22:20:19 C:\config.xml
----a-w 197 2008-11-17 14:00:41 C:\csb.log
--sha-r 0 2008-11-17 13:33:14 C:\IO.SYS
--sha-r 0 2008-11-17 13:33:14 C:\MSDOS.SYS
--sha-w 2,145,386,496 2009-02-07 14:52:48 C:\pagefile.sys
----a-w 429 2008-11-17 13:58:40 C:\RHDSetup.log
----a-w 125 2009-02-07 14:53:21 C:\service.log
--sha-w 4,096 2009-02-05 20:23:58 C:\VSM000.IDX

Entries: 11 (6)
Directories: 0 Files: 11
Bytes: 2,145,391,784 Blocks: 4,190,221
======C:\Documents and Settings\SAMY\Application Data======
----a-w 157 2009-01-26 21:48:44 C:\Documents and Settings\SAMY\Application Data\default.pls
--sha-w 62 2008-11-17 20:23:34 C:\Documents and Settings\SAMY\Application Data\desktop.ini
----a-w 22,328 2008-12-01 22:55:54 C:\Documents and Settings\SAMY\Application Data\PnkBstrK.sys

Entries: 3 (2)
Directories: 0 Files: 3
Bytes: 22,547 Blocks: 46
======C:\Documents and Settings\SAMY======
----a-w 1,024 2008-12-15 21:26:29 C:\Documents and Settings\SAMY\.rnd
----a-w 6,029,312 2009-02-07 11:46:25 C:\Documents and Settings\SAMY\NTUSER.DAT
---ha-w 32,768 2009-02-07 20:28:05 C:\Documents and Settings\SAMY\ntuser.dat.LOG
--sh--w 178 2009-02-07 11:46:18 C:\Documents and Settings\SAMY\ntuser.ini

Entries: 4 (2)
Directories: 0 Files: 4
Bytes: 6,063,282 Blocks: 11,843
======C:\WINDOWS\Downloaded Program Files====
---h--w 65 2008-11-17 13:32:21 C:\WINDOWS\Downloaded Program Files\desktop.ini
----a-w 1,887,080 2008-10-04 18:16:46 C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
----a-w 1,065 2008-11-25 18:06:56 C:\WINDOWS\Downloaded Program Files\jinstall-6u11.inf
----a-w 144 2008-11-04 07:41:30 C:\WINDOWS\Downloaded Program Files\swdir.inf
----a-w 247 2008-10-04 18:08:34 C:\WINDOWS\Downloaded Program Files\swflash.inf

Entries: 5 (4)
Directories: 0 Files: 5
Bytes: 1,888,601 Blocks: 3,692
=============
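As an added example (not part of the thread, and not anything zoek.exe itself does), here is a small Python parser for the listing format above, together with the kind of first-pass triage a helper applies before deciding which files to ask about: executables sitting directly in the WINDOWS root, files changed shortly before the scan, and hidden+system files. The sample lines are a constructed excerpt in the same line format as the posted log, the scan time and the short allow-list of known OS files are assumptions for the example, and every flag is a prompt for review, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed excerpt in the same line format as the posted zoek log:
# <attribute flags> <size with thousands separators> <date> <time> <path>
SAMPLE_LOG = r"""
======C:\WINDOWS====
----a-w 0 2009-02-07 14:53:16 C:\WINDOWS\0.log
----a-w 1,616,384 2008-08-18 18:17:14 C:\WINDOWS\explorer.exe
----a-w 16,608 2009-02-07 14:52:56 C:\WINDOWS\gdrv.sys
----a-w 315,392 2008-11-17 13:58:05 C:\WINDOWS\HideWin.exe
---ha-r 749 2008-11-17 13:32:18 C:\WINDOWS\WindowsShell.Manifest

Entries: 5 (5)
Directories: 0 Files: 5
======C:\WINDOWS\system32=====
------r 59,392 2009-01-31 10:00:37 C:\WINDOWS\System32\streamhlp.dll
----a-w 0 2008-11-17 20:27:44 C:\WINDOWS\System32\h323log.txt
======C:=====
--sha-w 2,145,386,496 2009-02-07 14:52:48 C:\pagefile.sys
=============
"""

# Assumed time the listing was taken (the thread's log was posted on 2009-02-07).
SCAN_TIME = datetime(2009, 2, 7, 20, 30, 0)

LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*)$"
)

# Assumed allow-list for this example only; a real one would be hash based.
KNOWN_OS_FILES = {"explorer.exe", "pagefile.sys", "boot.ini", "io.sys", "msdos.sys"}
EXEC_EXT = (".exe", ".sys", ".dll", ".ocx", ".cpl", ".scr")


@dataclass(frozen=True)
class Entry:
    attrs: str        # e.g. "----a-w", "--sha-w": r/s/h/a flags, w = writable
    size: int
    mtime: datetime
    path: str

    @property
    def name(self):
        return self.path.rpartition("\\")[2].lower()

    @property
    def parent(self):
        return self.path.rpartition("\\")[0].lower()

    @property
    def hidden_system(self):
        return "h" in self.attrs and "s" in self.attrs


def parse_zoek_log(text):
    """Turn the listing into Entry objects; section headers and summaries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            attrs=m["attrs"],
            size=int(m["size"].replace(",", "")),
            mtime=datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            path=m["path"],
        ))
    return entries


def review_candidates(entries, scan_time, window=timedelta(days=3)):
    """Map path -> reasons for files a helper would ask about first.

    Each reason is a prompt for review, not a verdict: the WINDOWS root
    legitimately holds explorer.exe, and fresh timestamps also come from
    patches and driver installs.
    """
    flagged = {}
    for e in entries:
        if e.name in KNOWN_OS_FILES:
            continue
        reasons = []
        is_exec = e.name.endswith(EXEC_EXT)
        if is_exec and e.parent == r"c:\windows":
            reasons.append("executable or driver directly in the WINDOWS root")
        if is_exec and timedelta(0) <= scan_time - e.mtime <= window:
            reasons.append(f"modified within {window.days} days of the scan")
        if e.hidden_system:
            reasons.append("hidden+system attributes")
        if reasons:
            flagged[e.path] = reasons
    return flagged


def flag_sample():
    """Run the heuristics over the constructed excerpt."""
    return review_candidates(parse_zoek_log(SAMPLE_LOG), SCAN_TIME)


if __name__ == "__main__":
    for path, reasons in flag_sample().items():
        print(path, "->", "; ".join(reasons))
```

On the excerpt the heuristics single out the two executables that the helper's next post asks to remove (HideWin.exe because of its location, gdrv.sys for both its location and its fresh timestamp) while leaving explorer.exe and pagefile.sys alone; the 0-byte h323log.txt is not caught by anything here, which is the usual reminder that a listing-based heuristic narrows the questions to ask, it does not replace the helper's judgement.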

#6 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 07 February 2009 - 03:44 PM

Hi,

1. Reboot your computer in Safe Mode
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
2. Open Notepad.
Copy this in the Notepad-file:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\HideWin.exe
C:\WINDOWS\gdrv.sys
C:\WINDOWS\System32\h323log.txt) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Double-click del.bat.
Post the contents of the logfile that opens in your next reply.

3. Now restart again in normal mode, and post the logfile of del.bat.

#7 sam-my

sam-my
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE

Posted 07 February 2009 - 06:28 PM

Hi,

The logfile of del.bat:

Deleting files
C:\WINDOWS\HideWin.exe deleted
C:\WINDOWS\gdrv.sys deleted
C:\WINDOWS\System32\h323log.txt deleted

Again thanks for your time

#8 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 08 February 2009 - 05:02 AM

Hi,

Now do a new full scan with MBAM, and post the logfile in your next reply. :thumbsup:

#9 sam-my

sam-my
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE
  • Local time:08:39 PM

Posted 08 February 2009 - 03:28 PM

Hi

MBAM logfile:

Malwarebytes' Anti-Malware 1.33
Database version: 1738
Windows 5.1.2600 Service Pack 3

08/02/2009 22:25:58
mbam-log-2009-02-08 (22-25-58).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 178585
Time elapsed: 22 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 08 February 2009 - 03:32 PM

Hi,

I'm going to redirect you to the HijackThis section of this forum, because it's a deeper infection.
Read this page and follow its steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Give them a link to this topic please.

Good luck. :thumbsup:

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 08 February 2009 - 09:45 PM

Hello sam-my,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/201782/pc-infected-by-xp-police-program/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
