
"Your system is infected" background


1 reply to this topic

#1 nittany605


Posted 27 December 2009 - 05:39 PM

I'm trying to fix my friend's computer that has a virus. The background was switched to green with a black box in the middle that said "Your system is infected" along with some other stuff. Whatever it is, it disabled the anti-virus (AVG) and Malwarebytes. It also is preventing me from connecting to the internet on that computer (wired or wireless), so I'm posting this from a different one. I found on here how to fix it (ComboFix), so I ran that, but each post says after running ComboFix to post the log file to see if the infection is cleaned or not. Just wondering if I need to do any more to clean the box (looks good so far). Here is the log (I ran it as Administrator on the infected computer):

ComboFix 09-12-26.01 - Administrator 12/27/2009 16:25:16.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.672 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\InternetSecurity2010
c:\windows\EventSystem.log
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\system32\41.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\xxop81.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_PLUGPLAYRPC
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-27 21:20 . 2009-12-27 21:20 19944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 21:13 . 2009-12-27 21:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-12-27 21:13 . 2009-12-27 21:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-26 20:32 . 2004-08-04 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2009-12-26 20:32 . 2004-08-04 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2009-12-26 20:32 . 2004-08-04 12:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
2009-12-26 20:32 . 2004-08-04 12:00 76800 -c--a-w- c:\windows\system32\dllcache\wam51.dll
2009-12-26 20:32 . 2004-08-04 12:00 53248 -c--a-w- c:\windows\system32\dllcache\wamreg51.dll
2009-12-26 20:32 . 2004-08-04 12:00 73728 -c--a-w- c:\windows\system32\dllcache\w3ext.dll
2009-12-26 20:32 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\w3svapi.dll
2009-12-26 20:32 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2009-12-26 20:32 . 2004-08-04 12:00 4608 -c--a-w- c:\windows\system32\dllcache\w3ctrs51.dll
2009-12-26 20:32 . 2004-08-04 12:00 363520 -c--a-w- c:\windows\system32\dllcache\w3svc.dll
2009-12-26 20:32 . 2004-08-04 12:00 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2009-12-26 20:32 . 2004-08-04 12:00 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2009-12-26 20:30 . 2004-08-04 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2009-12-26 20:29 . 2004-08-04 12:00 24064 -c--a-w- c:\windows\system32\dllcache\compfilt.dll
2009-12-26 20:21 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-12-26 20:21 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-12-26 20:21 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-12-26 20:21 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-12-26 18:39 . 2009-11-14 17:49 891248 ----a-w- C:\avg_free_stb_all_9_40_cnet.exe
2009-12-26 18:39 . 2009-11-14 17:50 4045544 ----a-w- C:\mbam-setup.exe
2009-12-26 01:02 . 2009-12-26 01:44 -------- d-----w- C:\$AVG
2009-12-23 11:42 . 2009-12-23 11:42 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-21 06:37 . 2009-12-27 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2009-12-12 18:19 . 2009-11-25 17:01 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-12 18:19 . 2009-11-25 17:00 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-12 18:19 . 2009-11-25 17:00 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-02 20:45 . 2009-12-02 20:45 -------- d-----w- c:\documents and settings\Colleen\Application Data\HP
2009-12-02 20:39 . 2009-12-02 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-12-02 20:37 . 2009-12-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-12-02 20:37 . 2009-12-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-02 20:37 . 2009-12-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-12-02 20:36 . 2009-12-02 20:36 -------- d-----w- c:\program files\Common Files\HP
2009-12-02 20:35 . 2009-12-02 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-02 20:35 . 2007-03-28 19:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2009-12-02 20:35 . 2007-03-28 18:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2009-12-02 20:35 . 2007-03-31 05:11 267864 ----a-w- c:\windows\system32\hpzids01.dll
2009-12-02 20:34 . 2009-12-02 20:37 -------- d-----w- c:\program files\HP
2009-12-02 20:33 . 2009-12-02 20:38 137370 ----a-w- c:\windows\HPHins15.dat
2009-12-02 20:33 . 2007-08-28 21:16 2828 ----a-w- c:\windows\hphmdl15.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 21:23 . 2008-05-13 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-26 20:36 . 2009-10-03 21:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 20:26 . 2008-05-12 23:12 22748 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-23 20:03 . 2009-10-20 15:20 -------- d-----w- c:\program files\McAfee Security Scan
2009-12-09 01:28 . 2008-08-04 20:50 -------- d-----w- c:\documents and settings\Colleen\Application Data\Apple Computer
2009-11-30 17:10 . 2008-05-14 00:12 -------- d-----w- c:\documents and settings\Desiree\Application Data\Apple Computer
2009-11-29 23:23 . 2008-05-14 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-14 02:38 . 2009-11-14 01:50 -------- d-----w- c:\program files\ConsoleClassix.com
2009-11-14 01:38 . 2009-11-14 01:38 -------- d-----w- c:\documents and settings\Colleen\Application Data\Nero
2009-10-14 15:12 . 2008-05-13 23:44 19944 ----a-w- c:\documents and settings\Desiree\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 22:34 . 2009-10-10 22:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-10 22:34 . 2009-10-10 22:34 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-10 22:34 . 2009-10-10 22:34 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-10 22:34 . 2009-10-10 22:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-10 22:03 . 2008-05-13 02:53 19944 ----a-w- c:\documents and settings\Colleen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Desiree\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-10 22:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 04:56 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-12-14 07:42 144784 ----a-w- c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"Seekeen Service"=2 (0x2)
"PlugPlayRPC"=2 (0x2)
"MyWebSearchService"=2 (0x2)
"MsSecurity1.209.4"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/10/2009 5:34 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/10/2009 5:34 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/10/2009 5:33 PM 297752]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/10/2009 5:33 PM 908056]
S4 Seekeen Service;Seekeen Service;"c:\program files\Seekeen\seekeen.exe" "c:\program files\Seekeen\seekeen.dll" Service --> c:\program files\Seekeen\seekeen.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/13/2008 6:55 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
mSearch Bar = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearchURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

Notify-deabfcfaafcfd - c:\windows\system32\deabfcfaafcfd.dll
Notify-xxop81 - xxop81.dll
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL
MSConfigStartUp-SMrhcno6j0er4t - c:\program files\rhcno6j0er4t\rhcno6j0er4t.exe
MSConfigStartUp-SMshclo6j0er4t - c:\program files\shclo6j0er4t\shclo6j0er4t.exe
MSConfigStartUp-tqammy - c:\windows\system32\msaouahn.dll
MSConfigStartUp-wekewfjo983mkefdd - c:\docume~1\Desiree\LOCALS~1\Temp\winlogan.exe
MSConfigStartUp-winupdate86 - c:\windows\system32\winupdate86.exe
MSConfigStartUp-wltray - c:\windows\system32\wltray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 16:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-27 16:40:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 21:40

Pre-Run: 9,234,440,192 bytes free
Post-Run: 13,985,529,856 bytes free

- - End Of File - - D1B817C1C05DCFA5A9CF0358977111C8
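The log above records the pieces a responder would want to follow up on: the rogue's program folder (InternetSecurity2010), a Winlogon Notify DLL (Notify-xxop81), services ComboFix removed (MsSecurity1.209.4, PlugPlayRPC, MyWebSearchService), a BITS job pointing at 80.93.48.89, and IE search settings printed as hex. As an added example (not part of the original post, and not ComboFix's own code), here is a small Python script that walks a ComboFix log section by section, pulls those indicators out, decodes the hex values, and lists the follow-up items. The embedded excerpt is a constructed sample modelled on the posted log, and the section names it keys on are the ones visible in that log.

```python
# Added example (not from the original post or from ComboFix): triage a ComboFix
# log by section and pull out the indicators a responder acts on.
import re
from collections import defaultdict

# The three header decorations ComboFix uses to open a section.
_HEADERS = (
    re.compile(r"^\(+\s*(.+?)\s*\)+$"),        # ((( Other Deletions )))
    re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$"),    # ----- BITS: Possible infected sites -----
    re.compile(r"^(?:- )+(.+?)(?: -)+$"),      # - - - - ORPHANS REMOVED - - - -
)
_SERVICE = re.compile(r"^-+\\(Legacy|Service)_(.+)$", re.IGNORECASE)
_ORPHAN = re.compile(r"^(\w+)-(.+?) - (.+)$")              # Kind-Name - path
_HEXVAL = re.compile(r"^(\w[\w ]*?)\s*=\s*([0-9a-fA-F]+)$")
_HOST = re.compile(r"^hxxps?://([^/\s]+)", re.IGNORECASE)  # ComboFix defangs http

# Constructed excerpt modelled on the log in the thread, not the full log.
SAMPLE_LOG = r"""(((((((((((((((( Other Deletions ))))))))))))))))
.
c:\program files\InternetSecurity2010
c:\windows\system32\AutoRun.inf
c:\windows\system32\xxop81.dll

----- BITS: Possible infected sites -----
hxxp://80.93.48.89
.
(((((((((((((((( Drivers/Services ))))))))))))))))
.
-------\Legacy_MSSECURITY1.209.4
-------\Service_MyWebSearchService

------- Supplementary Scan -------
mSearch Bar = 687474703a2f2f7777772e476f6f676c652e636f6d2f
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
Notify-xxop81 - xxop81.dll
MSConfigStartUp-winupdate86 - c:\windows\system32\winupdate86.exe
"""


def decode_hex_value(hexstr):
    """IE search/start-page values are printed as hex; turn them back into text.
    Returns None for anything that is not clean, even-length hex."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
        return None
    return bytes.fromhex(hexstr).decode("latin-1").rstrip("\x00")


def _section_name(line):
    for pattern in _HEADERS:
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def triage(log_text):
    """Walk the log once and bucket indicators by the section they came from."""
    found = {"deleted_paths": [], "bits_hosts": [], "removed_services": [],
             "orphans": defaultdict(list), "decoded_values": {}}
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = _section_name(line)
        if header:
            section = header
        elif section.startswith("Other Deletions"):
            found["deleted_paths"].append(line)
        elif section.startswith("BITS") and (m := _HOST.match(line)):
            found["bits_hosts"].append(m.group(1))
        elif section.startswith("Drivers/Services") and (m := _SERVICE.match(line)):
            found["removed_services"].append(m.group(2))
        elif section.startswith("Supplementary") and (m := _HEXVAL.match(line)):
            decoded = decode_hex_value(m.group(2))
            if decoded is not None:
                found["decoded_values"][m.group(1)] = decoded
        elif section.startswith("ORPHANS") and (m := _ORPHAN.match(line)):
            found["orphans"][m.group(1)].append((m.group(2), m.group(3)))
    found["orphans"] = dict(found["orphans"])
    return found


def risk_notes(found):
    """Turn the indicators into the follow-up items a responder would check."""
    notes = []
    for name, path in found["orphans"].get("Notify", []):
        notes.append(f"Winlogon Notify package '{name}' ({path}): loaded by winlogon.exe "
                     "at logon, so confirm both the DLL and its Notify subkey are gone.")
    for host in found["bits_hosts"]:
        notes.append(f"BITS job pointed at {host}: treat as a download/C2 host and block it.")
    for path in found["deleted_paths"]:
        if path.lower().endswith("autorun.inf"):
            notes.append(f"{path}: AutoRun.inf on a fixed drive, check removable media used here.")
    return notes
```

To use it on a real log, call `triage(open("ComboFix.txt").read())` and then `risk_notes(...)` on the result instead of `SAMPLE_LOG`. The hex decode is worth having: the three mSearch values in the posted log all decode to http://www.Google.com/, so they are benign defaults and not a hijacked search provider, which is not obvious from the raw hex.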


#2 nittany605


Posted 27 December 2009 - 05:41 PM

Also, I'd like to mention that I'm fairly computer literate, just haven't seen this particular problem before.



