Tech Support Forum > Security Center > HijackThis Log Help
#1, 09-07-2007, 01:46 PM
stingfish (Registered User; Join Date: Sep 2007; Posts: 15; OS: XP)

Tech Team - Need Help - WinAntiviruspro

Team,

I'm a huge promoter of your community, and after years of successful net use I finally got hit with a virus and can't shake it off.

I too am getting the WinAntiviruspro pop-up, along with several other pop-up sites, and need your help. I'm not really ready to fdisk my box yet, so I need your helping hands.

Please let me know where to start so we can troubleshoot this together.

Thank you all for your wonderful support, and I'm looking forward to a successful mission killing this virus.

Last edited by stingfish : 09-07-2007 at 01:47 PM.
#2, 09-09-2007, 10:14 AM
TheBruce1 (Moderator, Analyst, Security Team; Join Date: Oct 2006; Location: Dùn Èideann, Scotland; Posts: 3,208; OS: XP)


Re: Tech Team - Need Help - WinAntiviruspro

Hello and welcome to TSF.

--------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

=================================================
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt<-------Attached


Let us know how your system is behaving, thanks.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
Trial of BT-Phorm spyware to start 30th September, 2008; for more information please visit the No DPI website.



Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit.


If we have helped you in any way, please consider donating.
#3, 09-14-2007, 06:05 AM
stingfish (Registered User; Join Date: Sep 2007; Posts: 15; OS: XP)


Re: Tech Team - Need Help - WinAntiviruspro

Deckard's System Scanner v20070905.67
Run by Bad *** Box on 2007-09-14 08:00:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-09-14 12:00:59 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-14 08:01:35
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bad *** Box\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {517626EE-559E-46E4-A025-05115C986983} - C:\WINDOWS\system32\ssttq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\nxapvbku.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\ctumxcgj.dll",forkonce
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ABIT-IO - c:\windows\system32\drivers\abit-io.sys
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SaiMini - c:\windows\system32\drivers\saimini.sys <Not Verified; Saitek; Configuration Software>
R3 SaiNtBus - c:\windows\system32\drivers\saibus.sys <Not Verified; Saitek; Configuration Software>

S0 NVStrap - c:\windows\system32\drivers\nvstrap.sys
S3 Memctl - c:\program files\abit\flashmenu\memctl.sys
S3 RivaTuner32 - c:\program files\rivatuner v2.0 rc 16.2\rivatuner32.sys
S3 WINFLASH - c:\program files\abit\flashmenu\winflash.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>

S4 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&1692F1D&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #2
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&1692F1D&0&00
Service: NVENETFD


-- Files created between 2007-08-14 and 2007-09-14 -----------------------------

2007-09-13 21:53:37 0 dr-h---c- C:\Documents and Settings\Bad *** Box\Recent
2007-09-13 21:14:07 125504 --a----c- C:\WINDOWS\System32\ctumxcgj.dll
2007-09-13 21:11:07 69184 --a----c- C:\WINDOWS\System32\nxapvbku.dll
2007-09-06 20:07:44 0 d------c- C:\VundoFix Backups
2007-09-06 19:26:46 0 d------c- C:\WINDOWS\Prefetch
2007-09-06 19:24:23 0 d------c- C:\WINDOWS\ServicePackFiles
2007-09-06 19:24:23 0 d------c- C:\WINDOWS\ehome
2007-09-06 18:25:29 2034829 ---hs--c- C:\WINDOWS\System32\qttss.bak2
2007-09-05 20:29:49 6448 ---hs--c- C:\WINDOWS\System32\qttss.bak1
2007-09-05 20:29:33 3633152 --a------ C:\Documents and Settings\Bad *** Box\ntuser.dat
2007-09-05 20:28:49 244832 --a----c- C:\WINDOWS\System32\ssttq.dll
2007-09-05 19:44:20 0 d------c- C:\WINDOWS\System32\f02WtR
2007-09-04 19:02:05 0 d------c- C:\Program Files\ArmA Edit
2007-09-02 16:03:32 13824 -ra----c- C:\WINDOWS\System32\drivers\SaiMini.sys <Not Verified; Saitek; Configuration Software>
2007-09-02 16:01:55 35328 -ra----c- C:\WINDOWS\System32\drivers\SaiBus.sys <Not Verified; Saitek; Configuration Software>
2007-09-02 16:01:49 155648 --a----c- C:\WINDOWS\System32\nY.exe <Not Verified; ; NukeUYp Application>
2007-09-02 16:01:48 45056 --a----c- C:\WINDOWS\System32\SAIKICK.dll <Not Verified; Saitek; Configuration Software>
2007-09-02 16:01:48 57344 --a----c- C:\WINDOWS\System32\SAIGON.dll <Not Verified; Saitek; Configuration Software>
2007-09-02 16:01:43 0 d------c- C:\Program Files\Saitek
2007-08-30 19:50:35 6488 ---hs--c- C:\WINDOWS\System32\ihkmp.bak1
2007-08-30 19:43:51 0 d------c- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
2007-08-30 16:15:06 0 d------c- C:\WINDOWS\NV12561796.TMP


-- Find3M Report ---------------------------------------------------------------

2007-09-07 19:16:09 0 d------c- C:\Program Files\SpywareBlaster
2007-09-06 19:24:23 0 d------c- C:\Program Files\Messenger
2007-09-04 20:01:13 0 d------c- C:\Program Files\Trillian
2007-09-02 16:01:43 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-08-30 20:11:49 0 d------c- C:\Program Files\Common Files
2007-08-11 19:57:26 0 d------c- C:\Program Files\NVIDIA Corporation
2007-08-11 19:52:21 6461 ---hs--c- C:\WINDOWS\System32\ggjlm.bak1
2007-08-11 19:52:15 231520 --a----c- C:\WINDOWS\System32\mljgg.dll
2007-08-11 19:47:14 0 d------c- C:\Program Files\WSS
2007-07-17 18:44:38 0 d------c- C:\Program Files\MediaCoder


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{517626EE-559E-46E4-A025-05115C986983}]
09/05/2007 08:28 PM 244832 --a--c--- C:\WINDOWS\System32\ssttq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
09/13/2007 09:11 PM 69184 --a--c--- C:\WINDOWS\System32\nxapvbku.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [08/12/2006 12:43 AM]
"SystemOptimizer"="C:\WINDOWS\System32\ctumxcgj.dll" [09/13/2007 09:14 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\ssttq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
C:\Program Files\ABIT\ABITEQ\ABITEQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe




-- End of Deckard's System Scanner: finished at 2007-09-14 08:02:52 ------------

Last edited by stingfish : 09-14-2007 at 06:13 AM.
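The DSS log above shows three classic Vundo/Virtumonde-era loading points: two unnamed O2 BHOs backed by random-named DLLs in System32 (ssttq.dll, nxapvbku.dll), an O4 Run entry that loads another random DLL through rundll32 (ctumxcgj.dll), and an LSA "Authentication Packages" value with a second entry appended after the standard msv1_0, which is a well-known way to get a DLL loaded by lsass at startup. The script below is an added example by the editor, not part of the thread and not HijackThis or DSS code: it pulls those three patterns out of HijackThis-style log text. The sample lines are copied from the log posted above; the "random name" heuristic (all-lowercase, vowel-poor 5-8 letter stem) and the line-format regexes are this example's own assumptions, not rules from HijackThis.

```python
"""Triage helper for HijackThis / DSS log lines (added example, not forum or tool code).

Flags three persistence patterns visible in the DSS log posted in this thread:
  O2  - BHO entries that are unnamed or point at a random-looking DLL
  O4  - Run entries that load a random-looking DLL through rundll32
  LSA - an "Authentication Packages" value with anything beyond msv1_0
The regexes and the randomness heuristic are assumptions made for this example.
"""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the DSS log above (raw string keeps the backslashes).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {517626EE-559E-46E4-A025-05115C986983} - C:\WINDOWS\system32\ssttq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\nxapvbku.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\ctumxcgj.dll",forkonce
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\ssttq
"""

# Line shapes as HijackThis prints them (assumed from the log above, not an official grammar).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<key>[^\]]+)\] (?P<cmd>.+)$')
LSA_RE = re.compile(r'^"Authentication Packages"\s*=\s*(?P<pkgs>.+)$')
DLL_RE = re.compile(r'([A-Za-z0-9_]+)\.dll', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): Vundo-style droppers used all-lowercase, vowel-poor
    5-8 letter file names such as ssttq, nxapvbku, ctumxcgj. Vendor DLLs like NvCpl
    are mixed-case and fall through."""
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.3


def dll_stem(text: str) -> str:
    """Return the file name (without .dll) of the first DLL mentioned in text, or ''."""
    m = DLL_RE.search(text)
    return m.group(1) if m else ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan log text and return (category, description) findings in line order."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O2_RE.match(line)
        if m:
            # Unnamed BHOs and BHOs on random-named DLLs are both worth a look.
            if m["name"] == "(no name)" or looks_random(dll_stem(m["path"])):
                findings.append(("O2", f"unnamed/random BHO {m['clsid']} -> {m['path']}"))
            continue

        m = O4_RE.match(line)
        if m and "rundll32" in m["cmd"].lower():
            # rundll32 is legitimate; the random DLL it is told to load is the signal.
            if looks_random(dll_stem(m["cmd"])):
                findings.append(("O4", f"rundll32 loads random-named DLL via [{m['key']}]: {m['cmd']}"))
            continue

        m = LSA_RE.match(line)
        if m:
            # Only msv1_0 belongs here on a stock XP box; anything else is loaded by lsass at boot.
            extra = [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(("LSA", "non-standard Authentication Packages: " + " ".join(extra)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the sample it reports the two unnamed BHOs, the SystemOptimizer rundll32 entry and the extra LSA package, and leaves the Google Toolbar BHO and NvCplDaemon alone. The heuristic is deliberately narrow; on a real log you would pair it with a known-good list rather than trust the name shape alone.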
#4, 09-14-2007, 06:17 AM
stingfish (Registered User; Join Date: Sep 2007; Posts: 15; OS: XP)


Re: Tech Team - Need Help - WinAntiviruspro

Here is the data from extra.txt; it won't attach for some reason.


Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3800+
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 2047.48 MiB / 1694.12 MiB
Pagefile Memory (total/avail): 3944.37 MiB / 3752.03 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1975.39 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 199.05 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-00NCB1 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is not configured.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bad *** Box\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BADASSBOX
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bad *** Box
LOGONSERVER=\\BADASSBOX
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 95 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=5f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\BADASS~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\BADASS~1\LOCALS~1\Temp
USERDOMAIN=BADASSBOX
USERNAME=Bad *** Box
USERPROFILE=C:\Documents and Settings\Bad *** Box
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bad *** Box (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABITEQ V1.0.2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B18397C-473A-487B-B7A1-7B2A1A4FE245}\Setup.exe" -l0x9
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
ArmA Edit --> MsiExec.exe /I{30796680-61A7-429F-95DF-2BF598B652CC}
ArmA Uninstall --> C:\Program files\Bohemia Interactive\ArmA\UnInstall.exe
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
BI's Tools drive Uninstall --> C:\Documents and Settings\Bad *** Box\My Documents\ArmAWork\UnInstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
FlashMenu --> C:\Program Files\InstallShield Installation Information\{047E5F60-5357-43FB-A080-1912EB0132A4}\setup.exe -runfromtemp -l0x0009 -removeonly
FlashMenu --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{617A4A01-200A-4761-A4E5-3977AE89E8D2}\Setup.exe" -l0x9
Fraps --> "C:\Fraps\uninstall.exe"
Ghost Recon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}\Setup.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXP$\spuninst\spuninst.exe"
IL-2 Sturmovik: Forgotten Battles --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8DF712DA-D325-4FD0-8DE8-E2D78FC3CDC3} /l1033
IL-2 Sturmovik: Forgotten Battles AEP --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D2BBEABB-A8DF-4451-A7C4-63C87B31E325} /l1033
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD0159C9-17FB-11D6-A76A-00B0D079AF64}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
LADSPA_plugins-win-0.4.15 --> "C:\Program Files\Audacity\Plug-Ins\unins000.exe"
LimeWire PRO 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
Lock On: Modern Air Combat --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E90DCEE9-DC27-401B-A7AC-B0AFF5B34E4D}\setup.exe" -l0x9
MediaCoder 0.6.0 --> C:\Program Files\MediaCoder\uninst.exe
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mission Mate v2.4 --> "C:\Program Files\Mission Mate v2.4\unins000.exe"
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall
NVIDIA Drivers --> C:\WINDOWS\System32\nvuide.exe UninstallGUI
NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
OpenAL --> "C:\Program Files\OpenAL\oalinst.exe" /U
Oxygen 2 Personal Edition Uninstall --> C:\Program Files\Bohemia Interactive\Tools\Oxygen 2 Personal Edition\UnInstall.exe
PF+FB+AEP --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51F24145-A833-4BD5-AA38-AFC5268928E5} /l1033
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RivaTuner v2.0 RC 16.2 --> "C:\Program Files\RivaTuner v2.0 RC 16.2\uninstall.exe"
Saitek SST Programming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{967FB80D-56BD-42EF-A942-9E8C78F984A4}\Setup.exe" -l0x9 -removeonly
SiSoftware Sandra Lite XIb (Win64/32/CE) --> "C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
TexView 2 Uninstall --> C:\Program files\Bohemia Interactive\Tools\TexView 2\UnInstall.exe
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Visitor 3 Uninstall --> C:\Program Files\Bohemia Interactive\Tools\Visitor 3\UnInstall.exe
VST Bridge 1.1 --> "C:\Program Files\Audacity\Plug-ins\VST Bridge\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WSS --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\WSS\ST6UNST.LOG"
Xtrem ArmA Mod Patch Solo 1.2 : 01 --> "C:\Program Files\Bohemia Interactive\ArmA\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type752 / Error
Event Submitted/Written: 09/13/2007 09:40:27 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ccleaner.exe, version 1.36.0.430, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type741 / Warning
Event Submitted/Written: 09/06/2007 07:24:43 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type740 / Error
Event Submitted/Written: 09/06/2007 06:37:28 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type737 / Error
Event Submitted/Written: 09/03/2007 07:13:01 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 9.0.0.2980, faulting module neaudio.ax, version 1.0.4.23, fault address 0x0000e9b8.

Event Record #/Type736 / Error
Event Submitted/Written: 08/31/2007 07:21:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ARMAEDIT.exe, version 1.2.2.0, hang module riched20.dll, version 5.30.23.1211, hang address 0x0002dfdd.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21604 / Error
Event Submitted/Written: 09/13/2007 09:39:00 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The DomainService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type21602 / Error
Event Submitted/Written: 09/13/2007 09:37:44 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The DomainService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type21600 / Error
Event Submitted/Written: 09/13/2007 09:37:44 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The DomainService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type21542 / Error
Event Submitted/Written: 09/08/2007 02:45:10 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The DomainService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type21540 / Error
Event Submitted/Written: 09/08/2007 02:44:16 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The DomainService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.



-- End of Deckard's System Scanner: finished at 2007-09-14 08:02:52 ------------
#5, 09-14-2007, 07:50 AM
TheBruce1 (Moderator, Analyst, Security Team; Join Date: Oct 2006; Location: Dùn Èideann, Scotland; Posts: 3,208; OS: XP)


Re: Tech Team - Need Help - WinAntiviruspro

Hello again

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

===============================================================

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.

---------------------------------------------------------------

It's important that you follow this through until I give you the all clear. A lack of symptoms does not mean the infection is gone; it's in your best interest that you follow this through to the end.

======================================================

P2P

P2P - I see you have P2P software LimeWire PRO 4.12.11 installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

=============================================

Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

Go to Start → Run, paste in the following single-line command and click OK:
"%userprofile%\desktop\combofix.exe" /killall
When finished, it will produce a log for you. Post that log and a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

===================================================

Please download HijackThis to your desktop

Alternate link

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

============================================
Logs Required
C:\Combofix.txt
Hijackthis log


Let us know how your system is running, thanks.
#6, 09-14-2007, 11:25 AM
stingfish (Registered User; Join Date: Sep 2007; Posts: 15; OS: XP)


Re: Tech Team - Need Help - WinAntiviruspro

ComboFix 07-09-14.2 - "Bad *** Box" 2007-09-14 13:21:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1746 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\qttss.bak1
C:\WINDOWS\system32\qttss.bak2
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\tmp42.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-14 13:21 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2007-09-14 09:13 <DIR> d----c--- C:\DOCUME~1\BADASS~1\APPLIC~1\Ahead
2007-09-14 09:11 <DIR> d----c--- C:\Program Files\CyberLink
2007-09-14 08:00 <DIR> d----c--- C:\Deckard
2007-09-06 20:07 <DIR> d----c--- C:\VundoFix Backups
2007-09-06 19:24 <DIR> d----c--- C:\WINDOWS\ServicePackFiles
2007-09-06 19:24 <DIR> d----c--- C:\WINDOWS\ehome
2007-09-04 19:02 <DIR> d----c--- C:\Program Files\ArmA Edit
2007-09-02 16:03 13,952 --a--c--- C:\WINDOWS\system32\drivers\kbdhid.sys
2007-09-02 16:03 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-09-02 16:03 13,824 -ra--c--- C:\WINDOWS\system32\drivers\SaiMini.sys
2007-09-02 16:03 12,160 --a--c--- C:\WINDOWS\system32\drivers\mouhid.sys
2007-09-02 16:03 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-09-02 16:01 57,344 --a--c--- C:\WINDOWS\system32\SAIGON.dll
2007-09-02 16:01 45,056 --a--c--- C:\WINDOWS\system32\SAIKICK.dll
2007-09-02 16:01 35,328 -ra--c--- C:\WINDOWS\system32\drivers\SaiBus.sys
2007-09-02 16:01 155,648 --a--c--- C:\WINDOWS\system32\nY.exe
2007-09-02 16:01 <DIR> d----c--- C:\Program Files\Saitek
2007-08-30 19:50 6,488 --ahsc--- C:\WINDOWS\system32\ihkmp.bak1
2007-08-30 16:15 <DIR> d----c--- C:\WINDOWS\NV12561796.TMP
2007-08-30 16:14 4,496,128 --a--c--- C:\WINDOWS\system32\nv4_disp(2).dll
2007-08-17 16:23 81,920 --a--c--- C:\WINDOWS\system32\nvmctray(2).dll
2007-08-17 16:23 8,478,720 --a--c--- C:\WINDOWS\system32\nvcpl(2).dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 09:11 --------- d--h-c--- C:\Program Files\InstallShield Installation Information
2007-09-07 19:16 --------- d----c--- C:\Program Files\SpywareBlaster
2007-09-05 20:23 --------- d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-04 20:01 --------- d----c--- C:\Program Files\Trillian
2007-08-11 19:57 --------- d----c--- C:\Program Files\NVIDIA Corporation
2007-08-11 19:47 --------- d----c--- C:\Program Files\WSS
2007-07-17 18:44 --------- d----c--- C:\Program Files\MediaCoder
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-12 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 17:10]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\ssttq

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
C:\Program Files\ABIT\ABITEQ\ABITEQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

R0 ABIT-IO;ABIT-IO;C:\WINDOWS\System32\Drivers\ABIT-IO.sys
R3 SaiH0461;SaiH0461;C:\WINDOWS\System32\DRIVERS\SaiH0461.sys
S0 NVStrap;NVStrap;C:\WINDOWS\System32\drivers\NVStrap.sys
S3 Memctl;Memctl;\??\C:\Program Files\ABIT\FlashMenu\Memctl.sys
S3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner32.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 13:23:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 13:24:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 13:24
.
--- E O F ---



HIJACKTHISLOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:34 PM, on 9/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe

--
End of file - 2490 bytes
Old 09-14-2007, 12:44 PM   #7 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 3,208
OS: XP


Re: Tech Team - Need Help - WinAntiviruspro

Hello again

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.

=================================================

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\nY.exe
C:\WINDOWS\system32\ihkmp.bak1

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=-

DirLook::
C:\WINDOWS\NV12561796.TMP
Save this as CFscript




Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

====================================================

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

===================================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===================================================
Logs Required
C:\Combofix.txt
Hijackthis log


How is your system behaving now?
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
Trial of BT-Phorm spyware to start 30th September, 2008 - for more information please visit the No DPI website.



Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit.


If we have helped you in any way, please consider Donating
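As an added illustration (not part of this thread, and not ComboFix's own code), here is the check the CFscript above makes by hand, automated: parse the ComboFix log's Reg Loading Points and Other Deletions sections, flag any LSA "Authentication Packages" entry other than msv1_0, and mark it dangling when its DLL (ssttq.dll in the log earlier in this thread) was already deleted, which is why the script above resets that value. The sample log is constructed from that earlier log, and treating msv1_0 as the only stock package is an assumption for Windows XP.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the ComboFix log posted in this thread;
# the paths and the LSA value are copied from that log, not from a live machine.
SAMPLE_LOG = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\ssttq.dll

((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-12 00:43]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\ssttq
"""

# Assumption: the only stock LSA authentication package on Windows XP is msv1_0.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def parse_combofix(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (paths under Other Deletions, {reg key: {value name: data}})."""
    deleted, reg, section, key = [], {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := re.match(r"^\(+\s*(.+?)\s*\)+$", line)):
            section = m.group(1)  # e.g. "Other Deletions"
        elif section == "Other Deletions" and re.match(r"^[A-Za-z]:\\", line):
            deleted.append(line)
        elif section == "Reg Loading Points":
            if (m := re.match(r"^\[(.+)\]$", line)):
                key = m.group(1)
                reg.setdefault(key, {})
            elif key and (m := re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)):
                reg[key][m.group(1)] = m.group(2)
    return deleted, reg


def expected_dll(package: str) -> str:
    """LSA hands each package name to LoadLibrary, so a bare name or an
    extension-less path resolves to <name>.dll; return that file name."""
    name = package.replace("\\\\", "\\").rsplit("\\", 1)[-1]
    return name if name.lower().endswith(".dll") else name + ".dll"


def check_auth_packages(text: str) -> List[Tuple[str, str]]:
    """Flag each non-default LSA authentication package as 'dangling' when
    the log shows its DLL already deleted (this thread's case), else 'present'."""
    deleted, reg = parse_combofix(text)
    deleted_names = {p.rsplit("\\", 1)[-1].lower() for p in deleted}
    hits: List[Tuple[str, str]] = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\control\lsa"):
            continue
        for pkg in values.get("Authentication Packages", "").split():
            if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                dangling = expected_dll(pkg).lower() in deleted_names
                hits.append((pkg, "dangling" if dangling else "present"))
    return hits


if __name__ == "__main__":
    print(check_auth_packages(SAMPLE_LOG))
```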
Old 09-14-2007, 01:33 PM   #8 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 15
OS: XP


Re: Tech Team - Need Help - WinAntiviruspro

Well, after dragging the script into ComboFix, it ran.

Then... my computer rebooted and now it's asking me for my user account password... I never set one! Now I'm logged out of my computer and can't get in. I rebooted in safe mode hoping to bypass it but it won't let me in. It's asking for my user PW.

Any ideas why it's doing this now? And more importantly, how can I get back into my box?


I'm on my wife's computer now.
Old 09-14-2007, 01:37 PM   #9 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 15
OS: XP


Re: Tech Team - Need Help - WinAntiviruspro

Strike the last post; I got past it by rebooting to the last known config.

COMBOFIX LOG

ComboFix 07-09-14.2 - "Bad *** Box" 2007-09-14 15:20:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1745 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Bad *** Box\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\nY.exe
C:\WINDOWS\system32\ihkmp.bak1
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\awttqqo.dll.bad
C:\VundoFix Backups\awvtr.dll.bad
C:\VundoFix Backups\cbxywur.dll.bad
C:\VundoFix Backups\ctumxcgj.dll.bad
C:\VundoFix Backups\dwesiurn.dll.bad
C:\VundoFix Backups\fqiqfien.ini.bad
C:\VundoFix Backups\gmyvxedp.ini.bad
C:\VundoFix Backups\hggdded.dll.bad
C:\VundoFix Backups\jgcxmutc.ini.bad
C:\VundoFix Backups\mljhgde.dll.bad
C:\VundoFix Backups\neifqiqf.dll.bad
C:\VundoFix Backups\nxapvbku.dll.bad
C:\VundoFix Backups\pdexvymg.dll.bad
C:\VundoFix Backups\pyfwqcbw.dll.bad
C:\VundoFix Backups\rtvwa.bak1.bad
C:\VundoFix Backups\semhqwlu.exe.bad
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\nY.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-14 13:25 <DIR> d----c--- C:\Program Files\Trend Micro
2007-09-14 13:21 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2007-09-14 09:13 <DIR> d----c--- C:\DOCUME~1\BADASS~1\APPLIC~1\Ahead
2007-09-14 09:11 <DIR> d----c--- C:\Program Files\CyberLink
2007-09-14 08:00 <DIR> d----c--- C:\Deckard
2007-09-06 19:24 <DIR> d----c--- C:\WINDOWS\ServicePackFiles
2007-09-06 19:24 <DIR> d----c--- C:\WINDOWS\ehome
2007-09-04 19:02 <DIR> d----c--- C:\Program Files\ArmA Edit
2007-09-02 16:03 13,952 --a--c--- C:\WINDOWS\system32\drivers\kbdhid.sys
2007-09-02 16:03 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-09-02 16:03 13,824 -ra--c--- C:\WINDOWS\system32\drivers\SaiMini.sys
2007-09-02 16:03 12,160 --a--c--- C:\WINDOWS\system32\drivers\mouhid.sys
2007-09-02 16:03 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-09-02 16:01 57,344 --a--c--- C:\WINDOWS\system32\SAIGON.dll
2007-09-02 16:01 45,056 --a--c--- C:\WINDOWS\system32\SAIKICK.dll
2007-09-02 16:01 35,328 -ra--c--- C:\WINDOWS\system32\drivers\SaiBus.sys
2007-09-02 16:01 <DIR> d----c--- C:\Program Files\Saitek
2007-08-30 16:15 <DIR> d----c--- C:\WINDOWS\NV12561796.TMP
2007-08-30 16:14 4,496,128 --a--c--- C:\WINDOWS\system32\nv4_disp(2).dll
2007-08-17 16:23 81,920 --a--c--- C:\WINDOWS\system32\nvmctray(2).dll
2007-08-17 16:23 8,478,720 --a--c--- C:\WINDOWS\system32\nvcpl(2).dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 09:11 --------- d--h-c--- C:\Program Files\InstallShield Installation Information
2007-09-07 19:16 --------- d----c--- C:\Program Files\SpywareBlaster
2007-09-05 20:23 --------- d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-04 20:01 --------- d----c--- C:\Program Files\Trillian
2007-08-11 19:57 --------- d----c--- C:\Program Files\NVIDIA Corporation
2007-08-11 19:47 --------- d----c--- C:\Program Files\WSS
2007-07-17 18:44 --------- d----c--- C:\Program Files\MediaCoder
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\NV12561796.TMP ----

2007-08-17 16:23 91094 --a--c--- C:\WINDOWS\NV12561796.TMP\nv3d.chm
2007-08-17 16:23 54988 --a--c--- C:\WINDOWS\NV12561796.TMP\nvmob.chm
2007-08-17 16:23 170201 --a--c--- C:\WINDOWS\NV12561796.TMP\nvdsp.chm
2007-08-17 16:23 121441 --a--c--- C:\WINDOWS\NV12561796.TMP\nvcpl.chm


((((((((((((((((((((((((((((( snapshot_2007-09-14_132405.48 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,196 2007-09-14 17:24:47 C:\WINDOWS\system32\perfc009.dat
----a-w 311,934 2007-09-14 17:24:47 C:\WINDOWS\system32\perfh009.dat
-c--a-w 16,384 2007-09-14 19:34:40 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-09-14 19:34:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 32,768 2007-09-14 19:34:40 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 40,196 2007-04-01 15:30:09 C:\WINDOWS\system32\perfc009.dat
----a-w 311,934 2007-04-01 15:30:09 C:\WINDOWS\system32\perfh009.dat
-c--a-w 16,384 2007-09-14 17:23:27 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-09-14 17:23:27 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 32,768 2007-09-14 17:23:27 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-12 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 17:10]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
C:\Program Files\ABIT\ABITEQ\ABITEQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

R0 ABIT-IO;ABIT-IO;C:\WINDOWS\System32\Drivers\ABIT-IO.sys
R3 SaiH0461;SaiH0461;C:\WINDOWS\System32\DRIVERS\SaiH0461.sys
S0 NVStrap;NVStrap;C:\WINDOWS\System32\drivers\NVStrap.sys
S3 Memctl;Memctl;\??\C:\Program Files\ABIT\FlashMenu\Memctl.sys
S3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner32.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 15:35:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 15:35:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 15:35
C:\ComboFix2.txt ... 2007-09-14 13:24
.
--- E O F ---


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:08 PM, on 9/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe

--
End of file - 2490 bytes
Old 09-14-2007, 02:08 PM   #10 (permalink)
Moderator, Analyst, Security Team