
Infected With Spyquake2 Virus


  • This topic is locked
17 replies to this topic

#1 mrshrek

mrshrek

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 13 October 2006 - 08:24 AM

Hi, please help: I have been infected with a spyquake2 virus/trojan. I followed and fully completed the steps mentioned in this self-help guide: http://www.bleepingcomputer.com/forums/top....html#automated
There are three icons that appear in the system tray: one is spyquake 2, the other is a flashing "no" sign saying that there are harmful files on your PC. There are also desktop icons that are suddenly appearing; one is a shortcut to spyquake2, the other ones are troubleshooting guides or something. Even if I uninstall, it keeps coming back. HELP!!
Also, it creates a dial-up internet connection under the network connections folder called "CoolWeb".

These are some of the popup sites(do not click):

www.amaena.com/securityworm61/index.php?ax=1&ex=2&h=10&mpt=1160740905&aid=nm_mg_wav_kw1&lid=scan&affid=nm_862_4fcf681a5a9f11dbb50a00167647fa98_60e055c2+5b491149e5814d26bab7170854322420

www.winantivirus.com/pages/scanner/?p=15&j=1&ex=1&ax=1&h=10&aid=nm_mg_wav_1026

//Mod edit to disable the malware links above.//

I have run the panda activescan, norton scan, spybot search and destroy and adaware SE. Below is the roguescanfix task file.


---------
roguescanfix task file

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


Thanks in advance, the HJT log is on the next post(sorry for all the editing)

Edited by mrshrek, 14 October 2006 - 02:06 AM.



#2 mrshrek

mrshrek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 13 October 2006 - 10:31 PM

Hi guys, here is the HijackThis log when spyquake2 is actually running. Hope it can be fixed. I am running AVG and ewido at the moment and it has detected but I'm not sure if it will work. Any help would be appreciated, thanks.
Edit: The AVG AV is still going but has so far detected a trojan horse generic2.ENZ called "antzom[1]" in Temporary Internet Files.

Logfile of HijackThis v1.99.1
Scan saved at 12:33:21 PM, on 14/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\windlls.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\windllc.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sxserv101.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\NewMixer.exe
C:\WINDOWS\System32\Rscmpt.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\Program Files\Common Files\{60E055C2-0AF0-1033-0812-02081220003d}\Update.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\user\APPLIC~1\MBOLS~1\wuauboot.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\system32\cool.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
\Shrenik\shareddocs\ewido-setup_4.0.0.172c.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {3E6B91CF-5D5D-5AD1-29C2-7295CE8789C3} - C:\WINDOWS\system32\gpz.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E055C2-0A6A-1033-0812-02081220003d}\MyToolBar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\WINDOWS\NewMixer.exe /startup
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [xdsseim.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xdsseim.dll,cbwisub
O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Esol] "C:\DOCUME~1\user\APPLIC~1\MBOLS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Prcbx] C:\WINDOWS\??mantec\l?ass.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120130604875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Switching Alerter - Unknown owner - C:\WINDOWS\system32\windlls.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

This is a printscreen while spyquake is active.

Posted Image

Edited by mrshrek, 14 October 2006 - 01:35 AM.


#3 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:40 PM

Posted 14 October 2006 - 02:57 AM

Hi mrshrek and welcome to Bleeping Computer :thumbsup:

You got infections there...

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
UNITE & ASAP member since 2006
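The verdict above rests on a handful of patterns in the posted log: a URLSearchHook with no name, a toolbar installed under a directory named with a bare GUID, rundll32 loading an unrecognised DLL, an autostart under the user's Application Data, a Run entry whose path contains non-ASCII characters so that it imitates a Symantec path, an SSODL entry with a random word for a name, and services with "Unknown owner" living in the Windows directory. The script below is an added example (not code from the thread or from the HijackThis project) that encodes those red flags as heuristics over HJT v1.99 log lines; the allow lists and directory patterns are assumptions kept deliberately small, and the sample log is a constructed excerpt of the lines quoted in this thread.

```python
"""Heuristic triage of HijackThis (HJT) v1.99 log lines.

Added example; not code from the thread or from the HijackThis project.
The allow lists below are assumptions, not a complete reference.
"""
import re
from typing import List, Optional, Tuple

O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - ")
O23_RE = re.compile(r"^O23 - Service: .*? - (?P<owner>.*?) - (?P<path>.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: \(no name\) - ")
# A directory component that is nothing but a GUID, e.g. ...\Common Files\{60E055C2-...}\Update.exe
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\")
RUNDLL_RE = re.compile(r"(?i)^(?:\S*\\)?rundll32\.exe\s+([^,]+)")

KNOWN_SSODL = {"WPDShServiceObj"}              # assumption: partial allow list
KNOWN_RUNDLL = {"nvcpl.dll", "nvmctray.dll"}   # assumption: partial allow list
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\",
                "\\applic~1\\", "\\application data\\")


def _first_path(cmd: str) -> str:
    """Executable (or, for rundll32, the loaded DLL) at the front of an O4 command."""
    cmd = cmd.strip()
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def classify(line: str) -> Optional[str]:
    """Return a reason string when an HJT line matches a red flag, else None."""
    if GUID_DIR_RE.search(line):
        return "binary lives in a directory named with a bare GUID"
    m = O4_RE.match(line)
    if m:
        path = _first_path(m.group("cmd"))
        low = path.lower()
        if "?" in path or not path.isascii():
            return "autostart path contains non-ASCII characters (lookalike of a system path)"
        if any(d in low for d in PROFILE_DIRS):
            return "autostart launched from a user profile directory"
        if low.endswith(".dll") and low.rsplit("\\", 1)[-1] not in KNOWN_RUNDLL:
            return "rundll32 loads a DLL that is not on the allow list"
        return None
    m = O21_RE.match(line)
    if m:
        return None if m.group("name") in KNOWN_SSODL else "unrecognised ShellServiceObjectDelayLoad entry"
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner" and "\\windows\\" in m.group("path").lower():
        return "service without vendor information running from the Windows directory"
    if R3_RE.match(line) and "(no file)" not in line:
        return "unnamed URLSearchHook pointing at a file"
    return None


def triage_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every non-empty line; return (line, reason) pairs."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line) if line else None
        if reason:
            findings.append((line, reason))
    return findings


# Constructed excerpt of the log quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {3E6B91CF-5D5D-5AD1-29C2-7295CE8789C3} - C:\WINDOWS\system32\gpz.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30E055C2-0A6A-1033-0812-02081220003d}\MyToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xdsseim.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xdsseim.dll,cbwisub
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Esol] "C:\DOCUME~1\user\APPLIC~1\MBOLS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Prcbx] C:\WINDOWS\??mantec\l?ass.exe
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Network Switching Alerter - Unknown owner - C:\WINDOWS\system32\windlls.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_LOG):
        print(f"[!] {reason}\n    {line}")
```

On the sample the script flags seven lines and leaves the NVIDIA, ctfmon, StyleXP, WPDShServiceObj and "(no file)" entries alone. It is a triage aid, not a verdict: an "Unknown owner" service under Program Files (StyleXP here) is often just software without version information, which is why that rule is restricted to the Windows directory.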

#4 mrshrek

mrshrek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 14 October 2006 - 05:03 AM

Hi mrshrek and welcome to Bleeping Computer :thumbsup:

You got infections there...

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.



Thanks for your response Mr_JAk3, I really appreciate it. I think the best option here as you said is to re-format and reinstall the OS. I have been meaning to do this but have been lazy to back up the data. I have been trying to limit the internet access for this computer as much as possible (only enabled when I was downloading progs like HJT etc.). This computer is our second computer and they are directly connected with wired ethernet. It is the client computer... so I was hoping to back up the data with file sharing and send it to the other comp... however would this be dangerous??? The reason being is that it only has a CD burner, and backing up all those files would be very time consuming.

Also... I have never reformatted before, so do I just insert the OS CD... and will there be an option? Or do I need to go into the BIOS?

It is just movies and music, so if there is no other way, I will have to sacrifice it.

Thanks again

#5 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:40 PM

Posted 14 October 2006 - 07:45 AM

Hi again :thumbsup:

You said that two computers are directly connected. This means that the second computer may be infected too.
It is also risky to back up data from an infected PC. You just probably move the infections from one computer to another. Backing up should be done before the "bad things" happen.

I can of course give instructions for reformatting, but I can also help you to clean the computer.

Please let me know how you would like to continue :flowers:
UNITE & ASAP member since 2006

#6 mrshrek

mrshrek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 14 October 2006 - 10:32 PM

Hi, the only files which I would like to keep from the PC are photos, music, and some video files. Would it be dangerous to transfer these files to the next computer even with firewall/antivirus on the other comp?
I think I will reformat as it is the safest option, however my only concern is the photos, music etc. So are there any other transfer methods for these files? The infected comp. only has a CDRW and floppy.

Thanks for your help :thumbsup:

#7 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:40 PM

Posted 15 October 2006 - 05:10 AM

Hi again :thumbsup:

Text documents, pictures, videos and music should be good to go. But e.g. .exe and .dll files may be infected.
So be careful when you back up these.

Please make sure that you know what to do before beginning the operation.

Here are a few links that probably help.

When should I re-format? How should I reinstall?
Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
  • Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

    These are good (free) firewalls:
    - Kerio
    - Sygate
    - Outpost

    These are good (free) antiviruses:
    - Antivir
    - Avast
    - AVG
  • Get all Windows updates installed!
Please ask me if you have any questions :flowers:

Then here are a few things that you can do in order to make your fresh computer more secure:
UNITE & ASAP member since 2006

#8 mrshrek

mrshrek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 15 October 2006 - 05:13 AM

Hi again :thumbsup:

Text documents, pictures, videos and music should be good to go. But e.g. .exe and .dll files may be infected.
So be careful when you back up these.

Please make sure that you know what to do before beginning the operation.


Hi, thanks again, so can I transfer these to the other networked computer?

#9 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:40 PM

Posted 15 October 2006 - 05:18 AM

Yes, text documents, pictures, videos and music should be good to go :thumbsup:
UNITE & ASAP member since 2006
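The rule given in posts #7 and #9 (documents, pictures, video and music may travel; .exe and .dll files may not) is sound, but applying it by eye from an infected machine has two traps: Windows hides known extensions by default, so "holiday.jpg.exe" shows up as "holiday.jpg", and nothing stops a program from writing a PE file under a .jpg name. The script below is an added example, not code from the thread, that applies the rule with both checks: it allow-lists data extensions, refuses code-carrying extensions, detects the double-extension trick, and sniffs the first bytes so that a file starting with the PE "MZ" header is skipped whatever it is called. The extension lists and magic numbers are assumptions to extend as needed, and the sample tree is constructed in a temporary directory.

```python
"""Pick out the data files that are safe to carry off an infected Windows PC.

Added example; not code from the thread.  Extension lists and magic numbers
are assumptions (a partial table), not a complete reference.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple

DATA_EXTENSIONS = {".txt", ".rtf", ".doc", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".bmp",
                   ".mp3", ".wma", ".wav", ".avi", ".mpg", ".mpeg", ".wmv", ".mov"}
CODE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
                   ".lnk", ".hta", ".cpl", ".sys"}
# First bytes a genuine file of the claimed type starts with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"), ".bmp": (b"BM",),
    ".pdf": (b"%PDF",), ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".avi": (b"RIFF",), ".wav": (b"RIFF",),
}
PE_MAGIC = b"MZ"  # every Windows executable and DLL starts with this


def classify_for_backup(path: Path) -> Tuple[bool, str]:
    """Return (copy_it, reason) for one file."""
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in CODE_EXTENSIONS:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTENSIONS:
            return False, "double extension: named like a data file but is executable"
        return False, "executable or script type"
    if ext not in DATA_EXTENSIONS:
        return False, "type not on the data allow list"
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(PE_MAGIC):
        return False, "starts with a PE (MZ) header despite the data extension"
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return False, f"content does not match the {ext} signature"
    return True, "data file"


def plan_backup(root: Path) -> Dict[str, Tuple[bool, str]]:
    """Decide for every file under root; keys are paths relative to root."""
    plan: Dict[str, Tuple[bool, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            plan[p.relative_to(root).as_posix()] = classify_for_backup(p)
    return plan


# Constructed sample tree; only the leading bytes matter for this demo.
SAMPLE_FILES = {
    "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,        # real JPEG header
    "photos/holiday.jpg.exe": b"MZ\x90\x00" + b"\x00" * 12,          # double extension
    "photos/cute.jpg": b"MZ\x90\x00" + b"\x00" * 12,                 # PE disguised as JPEG
    "music/track01.mp3": b"ID3\x03\x00" + b"\x00" * 11,
    "documents/essay.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "movies/clip.avi": b"RIFF\x00\x00\x00\x00AVI LIST",
    "Program Files/SpyQuake2.com/Spy-Quake2.exe": b"MZ\x90\x00" + b"\x00" * 12,
    "WINDOWS/system32/xdsseim.dll": b"MZ\x90\x00" + b"\x00" * 12,
    "Desktop/Remove Spyware.lnk": b"L\x00\x00\x00" + b"\x00" * 12,
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)


def demo_plan() -> Dict[str, Tuple[bool, str]]:
    """Build the sample tree in a temp dir and return the backup decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return plan_backup(root)


if __name__ == "__main__":
    for rel, (copy_it, reason) in sorted(demo_plan().items()):
        tag = "COPY" if copy_it else "SKIP"
        print(f"{tag} {rel:45} {reason}")
```

Run against a real profile, point `plan_backup` at the "Documents and Settings" folder and copy only the entries marked True; the skipped list is worth a glance, because a PE file sitting under a .jpg name in the photos folder is itself a finding. The data that does get copied should still be scanned on the receiving machine before it is opened.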

#10 mrshrek

mrshrek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 15 October 2006 - 05:20 AM

Ok, thanks a lot. So do I insert the XP OS CD after I turn on the computer or boot with it... I'm a little confused. Anyway the first step is to transfer all those files with file sharing.

#11 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:40 PM

Posted 15 October 2006 - 05:35 AM

Yes, the first step is to do the backing up...

Here are a few more links that probably help you:
http://helpdesk.its.uiowa.edu/windows/inst...ns/reformat.htm
http://www.whitecanyon.com/reformat-hard-drive-window-xp.php

Please ask me if you got any questions :thumbsup:
UNITE & ASAP member since 2006

#12 mrshrek

mrshrek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 16 October 2006 - 04:30 AM

Hi again.

I will soon be backing up the files on the infected comp, by transferring them to my other computer on the network. But there is just one thing I would like to check. My other computer has just recently started to noticeably slow down. This is mainly in startup and shutdown. It is a very new PC and also a Core2duo so it shouldn't be this slow. Below is the HijackThis log and I would appreciate it if you could check it out so that I can get back to backing up the other infected comp.

Logfile of HijackThis v1.99.1
Scan saved at 7:23:00 PM, on 10/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\S h r e n i k\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AF14429C-D85A-40F3-AE1C-ADC75429A472} (Cgroupworld_control Object) - http://www.vienova.com/conferenceapp/ui/groupworld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

Thanks!!!

#13 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:40 PM

Posted 16 October 2006 - 09:09 AM

Hi again :thumbsup:

I can't find anything bad in that log.

You don't seem to have a firewall running; you must install a firewall.
NOTE: If you're using the Windows XP firewall, I recommend that you install a better firewall. The Windows firewall doesn't really provide enough protection.
Disable the Windows firewall after installing a new firewall.

These are good (free) firewalls:

You don't have an antivirus on your computer; you must install an antivirus.

These are good (free) antiviruses:

Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

UNITE & ASAP member since 2006

#14 mrshrek

mrshrek
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:40 AM

Posted 17 October 2006 - 04:46 AM

Hi Mr_Jak3,

I fixed this: "O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE" with HijackThis. I also ran the Kaspersky scan. Below are the results. Hmmm, I don't understand why it is slow all of a sudden. I will install a firewall and AV soon.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 17, 2006 7:40:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/10/2006
Kaspersky Anti-Virus database records: 232361
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 21729
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:54:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

Scan process completed.


Thanks

#15 Mr_JAk3 (HJT Team Member, Location: Finland)

Posted 17 October 2006 - 04:57 AM

Kaspersky didn't find anything bad :thumbsup:

Yes, you should definitely install a firewall and an antivirus.
UNITE & ASAP member since 2006