Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm Infected! Please Help


  • This topic is locked This topic is locked
2 replies to this topic

#1 toeboo

toeboo

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 26 October 2006 - 07:48 PM

I'm infected with Spy-Quake2 and Trojan-Spy.Win32@mx, and my internet explore start up page got change to www.ieuptodate.com. Here are my logs:

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 7:36:46 PM, on 10/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\DELL\Ewido\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\dell\activesync\WCESCOMM.EXE
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
C:\DELL\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\DELL\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebgames.com/gs/ps3/ps3_signup.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DELL\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {c3703265-4671-4858-92a4-cba6a7b3bb45} - C:\WINDOWS\System32\ixt0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\dell\activesync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - c:\dell\activesync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - c:\dell\activesync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - c:\dell\activesync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: IC 3.0 - {bba9a1cb-c90a-4912-8f01-dfa51a2b4102} - C:\Program Files\Aladdin Systems\Internet Cleanup\ic3hlpr.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\DELL\Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\DELL\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

ComboFix:

Start Time= Thu 10/26/2006 19:43:15.89
Running from: C:\DELL\Virus Helps\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-26 19:22:44 18432 ( A.... ) "C:\WINDOWS\system32\ixt0.dll"
2006-10-25 20:27:24 5120 ( A.... ) "C:\WINDOWS\system32\ismini.exe"
2006-10-25 18:25:46 53760 ( A.... ) "C:\WINDOWS\system32\drvzac.dll"
2006-10-18 15:22:00 ( .D... ) "C:\Program Files\InterActual"
2006-10-17 14:40:46 28 ( A.... ) "C:\WINDOWS\system32\vfw_32.reg"
2006-10-17 14:35:32 ( .D... ) "C:\Program Files\Common Files\SureThing Shared"
2006-10-17 14:26:56 ( .D... ) "C:\Program Files\Roxio"
2006-10-17 14:26:56 ( .D... ) "C:\Program Files\Common Files\Sonic Shared"
2006-10-17 14:26:12 ( .D... ) "C:\Program Files\DivX"
2006-10-17 12:33:26 ( .D... ) "C:\Program Files\Google"
2006-08-09 04:19:50 770048 ( A.... ) "C:\WINDOWS\system32\CDDBUIRoxio.dll"
2006-08-09 04:19:50 643072 ( A.... ) "C:\WINDOWS\system32\CDDBControlRoxio.dll"
2006-08-09 04:19:50 585728 ( A.... ) "C:\WINDOWS\system32\CddbMusicIDRoxio.dll"
2006-08-09 04:19:50 520192 ( A.... ) "C:\WINDOWS\system32\CddbPlaylist2Roxio.dll"
2006-08-09 04:19:50 204800 ( A.... ) "C:\WINDOWS\system32\CddbFileTaggerRoxio.dll"
2006-08-09 04:19:50 147456 ( A.... ) "C:\WINDOWS\system32\CddbCleanRoxio.dll"
2006-08-09 04:19:50 90112 ( A.... ) "C:\WINDOWS\system32\CddbWOManagerRoxio.dll"
2006-08-09 04:18:02 106496 ( A.... ) "C:\WINDOWS\system32\cdrtc.dll"
2006-08-09 04:17:58 81920 ( A.... ) "C:\WINDOWS\system32\cdral.dll"
2006-08-09 01:00:00 45056 ( A.... ) "C:\WINDOWS\system32\besch.exe"
2006-08-09 01:00:00 28672 ( A.... ) "C:\WINDOWS\system32\besched.dll"
2006-08-08 09:18:18 56056 ( A.... ) "C:\WINDOWS\system32\DLAAPI_W.DLL"
2006-08-08 09:18:14 92920 ( A.... ) "C:\WINDOWS\DLA.EXE"
2006-08-07 04:11:00 585728 ( A.... ) "C:\WINDOWS\system32\AudioSettings.dll"
2006-08-03 12:12:06 11776 ( A.... ) "C:\WINDOWS\system32\chkdsk.exe"
2006-07-27 12:24:40 129784 ( A.... ) "C:\WINDOWS\system32\PxAFS.DLL"
2002-07-26 17:02:06 153088 ( A.... ) "C:\Program Files\UNWISE.EXE"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-10-26 19:22 18,432 C:\WINDOWS\system32\ixt0.dll
2006-10-25 18:25 53,760 C:\WINDOWS\system32\drvzac.dll
2006-10-25 18:25 5,120 C:\WINDOWS\system32\ismini.exe
2006-10-17 14:40 28 C:\WINDOWS\system32\vfw_32.reg
2006-10-17 14:36 92,920 C:\WINDOWS\DLA.EXE
2006-10-17 14:36 56,056 C:\WINDOWS\system32\DLAAPI_W.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"bascstray"="BascsTray.exe"
"Dell Wireless Manager UI"="C:\\WINDOWS\\System32\\WLTRAY"
"nwiz"="nwiz.exe /installquiet"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"USB2Check"="RUNDLL32.EXE \"C:\\WINDOWS\\System32\\PCLECoInst.dll\",CheckUSBController"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
@=""
"RoxWatchTray"="\"C:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatchTray9.exe\""
"DMXLauncher"="\"C:\\Program Files\\Roxio\\Media Experience\\DMXLauncher.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Drag-to-Disc\\DrgToDsc.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="\"C:\\dell\\activesync\\WCESCOMM.EXE\""
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"issearch.exe"="issearch.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,fe,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableTaskMgr REG_DWORD 0 (0x0)
NoColorChoice REG_DWORD 0 (0x0)
NoSizeChoice REG_DWORD 0 (0x0)
NoDispScrSavPage REG_DWORD 0 (0x0)
NoDispCPL REG_DWORD 0 (0x0)
NoVisualStyleChoice REG_DWORD 0 (0x0)
NoDispSettingsPage REG_DWORD 0 (0x0)
DisableRegistryTools REG_DWORD 0 (0x0)
NoDispAppearancePage REG_DWORD 0 (0x0)
NoDispBackgroundPage REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: Thu 10/26/2006 19:43:33.21
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-10-26.194315.txt

Can someone please help me? Thank you!!!

BC AdBot (Login to Remove)

 


#2 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:59 AM

Posted 28 October 2006 - 07:51 AM

Hi and welcome. My name is Kairis and I will be helping you.
You have some crap there! But don't worry; we'll get you cleaned up!
Please follow my steps in the right order...
We'll start with this:
Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:59 AM

Posted 05 November 2006 - 03:26 AM

Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread.

Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users