Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Nuwar.n!sys Virus


  • Please log in to reply
5 replies to this topic

#1 SnackPack

SnackPack

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 14 May 2007 - 01:45 PM

Hijack This Log File:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:08 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.gateway.com/g/startpage.html?Ch...TB&M=MX3228
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.gateway.com/g/startpage.html?Ch...TB&M=MX3228
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {5142FE17-20E6-4121-A925-A4C6385CDDAA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar3.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -

C:\WINDOWS\system32\dnsersnd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) -

http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) -

http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) -

http://asp.mathxl.com/books/_Players/EconPlayer.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common

Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program

Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New

Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program

Files\Viewpoint\Common\ViewpointService.exe



I get a blue screen for a split second, at any given time, and then the computer automatically restarts. It goes so quickly that I can't do anything. I had a mass of trojan downloaders that I got rid of myself, but I'm still getting this Nuwar.N!Sys Virus message after the reboot. Another thing that has happened during all of this is my ability to change the desktop background is disabled. For a while, I only had a blue desktop, but since going through the steps, it since changed it back to my original background. However, I'm still unable to change the background. That's all I have for now, if I come across any other issues, I'll post them.

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:00 PM

Posted 15 May 2007 - 05:44 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 SnackPack

SnackPack
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 16 May 2007 - 11:02 AM

Hello, Sam

Thank you for responding so quickly. I did the scan as you said. One thing throughout the scan I noticed was the Google Toolbar kept notifying me that something was trying to change the default search, and when I rebooted and got on Internet Explorer, I got the "IE is not my default browser, would you like to change it?" message. Maybe that's just ComboFix doing that, but I wasn't sure.

Here is the log:

"Owner" - 2007-05-16 10:46:22 Service Pack 2
ComboFix 07-05.13.2.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\~.exe
C:\DOCUME~1\Owner\APPLIC~1\Install.dat
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\helper.sys
C:\WINDOWS\system32\windev-2979-7815.sys
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\perfc000.dat


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINCOM32
-------\windev-2979-7815


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-14 13:25 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-05-14 12:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-14 11:18 110,531 --a------ C:\WINDOWS\system32\sams.exe
2007-05-13 20:20 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-13 09:31 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-13 09:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-13 09:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-05-13 09:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-05-13 09:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-13 09:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-05-13 09:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-10 22:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-10 22:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-09 18:17 <DIR> d-------- C:\Program Files\Ofb11
2007-05-09 18:16 94,208 --a------ C:\WINDOWS\system32\dnsersnd.dll
2007-05-06 07:48 1 --a------ C:\WINDOWS\system32\ps.dat
2007-05-03 15:27 <DIR> d-------- C:\DOCUME~1\Owner\.alice
2007-04-16 22:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Aim


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-30 14:06:58 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-04-23 15:31:31 -------- d-----w C:\Program Files\Viewpoint
2007-04-17 03:30:48 -------- d-----w C:\Program Files\AIM
2007-04-17 03:18:00 -------- d-----w C:\Program Files\AOD
2007-03-29 04:03:09 -------- d-----w C:\Program Files\MSN Messenger
2007-03-26 03:29:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-26 03:26:14 -------- d-----w C:\Program Files\Atari
2007-03-24 19:29:57 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\InterTrust
2007-03-20 18:16:03 -------- d-----w C:\Program Files\Wildlife Tycoon Venture Africa
2007-03-20 18:15:00 -------- d-----w C:\Program Files\ReflexiveArcade
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-13 21:02:48 -------- d-----w C:\Program Files\LimeWire
2007-03-10 03:21:48 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-21 21:16:35 19 ----a-w C:\WINDOWS\popcinfo.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{3E1500AC-87A5-416b-A211-82E848649DA9}=C:\PROGRA~1\Ofb11\Ofb11.dll [2007-05-09 18:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll [2007-05-09 18:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 08:52]
"VTTimer"="VTTimer.exe" [2005-03-07 23:33 C:\WINDOWS\system32\VTTimer.exe])
"VTTrayp"="VTtrayp.exe" [2005-11-01 00:15 C:\WINDOWS\system32\VTTrayp.exe])
"AGRSMMSG"="AGRSMMSG.exe" [])
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-24 12:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-24 21:15]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^owner^start menu^programs^startup^ta_start.lnk
C:\WINDOWS\TISKY004.exe SKY004

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aol spyware protection
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\configuration manager

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hostmanager
C:\Program Files\Common Files\AOL\1161733470\EE\AOLHostManager.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard
%WINDIR%\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\remotecontrol
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\system

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{65-58-89-9c-zn}
c:\windows\system32\rmdsregs.exe SKY004


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a45bfba8-6524-11db-8c8e-00038a000015}]

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Low Battery Alarm Program.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 10:53:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-16 10:54:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-16 10:54

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:00 PM

Posted 16 May 2007 - 01:38 PM

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\Program Files\Ofb11
    C:\WINDOWS\system32\dnsersnd.dll



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
In that case, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log (where "********_******" is the "date_time")




====================




Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 SnackPack

SnackPack
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 24 May 2007 - 04:26 PM

I appreciate the response, and apologize for taking so long to get back to you. I did not have access to this computer for nearly a week, but I did as you said to do.

The OTMoveIt Log:

C:\Program Files\Ofb11 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\dnsersnd.dll NOT unregistered.
C:\WINDOWS\system32\dnsersnd.dll moved successfully.

Created on 05/24/2007 12:15:04




The Panda ActiveScan Log:


Incident Status Location

Adware:adware/statblaster Not disinfected Windows Registry
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ccbill[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:00 PM

Posted 26 May 2007 - 09:17 AM

That doesn't look too bad. Are you still having the same issues?

Please post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users