Tech Support Forum > Resolved HJT Threads (resolved spyware and popup issues)

#1 (permalink)
Registered User
Join Date: Jan 2008
Posts: 30
OS: Windows XP Home SP2 V.5.1
Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
The titles listed in the subject line recently appeared on my desktop along with a VERY hijacked machine.
I get a common pop-up that states "Warning! Potential Spyware Operation! Your computer is making unauthorised copies of your system and internet files. Run full scan now to prevent any unauthorised access to your files! Click here to download Spyware Remover..." This is a personal home computer.

I tried the five step process and met with the following results:

1) Cannot access add/remove tab - following error message: "Restrictions: This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
2) Cannot run Panda ActiveScan - get message "internet explorer cannot display the webpage" when scan window attempts to run, all pop-up blockers disabled
3) Successful install of both Spyware Blaster and IE-Spyad
4) Could not use Windows Update - following error message: "Network policy prevents you from using this website to get updates for your computer"
5) Deckard's maint.txt log:

Deckard's System Scanner v20071014.68
Run by Daddy on 2008-01-15 17:51:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2008-01-15 22:52:08 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-01-15 21:30:09 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Daddy.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-15 17:53:43
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\ctsysvol.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\CTFMON.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\logitechdesktopmessenger.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Daddy\Local Settings\Temporary Internet Files\Content.IE5\8MK37HXO\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 ad.fastclick.net
O1 - Hosts: 10.18.250.4 ads.fastclick.net
O1 - Hosts: 10.18.250.4 ar.atwola.com
O1 - Hosts: 10.18.250.4 atdmt.com
O1 - Hosts: 10.18.250.4 avp.ch
O1 - Hosts: 10.18.250.4 avp.com
O1 - Hosts: 10.18.250.4 avp.ru
O1 - Hosts: 10.18.250.4 awaps.net
O1 - Hosts: 10.18.250.4 banner.fastclick.net
O1 - Hosts: 10.18.250.4 banners.fastclick.net
O1 - Hosts: 10.18.250.4 ca.com
O1 - Hosts: 10.18.250.4 click.atdmt.com
O1 - Hosts: 10.18.250.4 clicks.atdmt.com
O1 - Hosts: 10.18.250.4 customer.symantec.com
O1 - Hosts: 10.18.250.4 dispatch.mcafee.com
O1 - Hosts: 10.18.250.4 download.mcafee.com
O1 - Hosts: 10.18.250.4 download.microsoft.com
O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads.microsoft.com
O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 engine.awaps.net
O1 - Hosts: 10.18.250.4 f-secure.com
O1 - Hosts: 10.18.250.4 fastclick.net
O1 - Hosts: 10.18.250.4 ftp.avp.ch
O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.f-secure.com
O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru
O1 - Hosts: 10.18.250.4 ftp.sophos.com
O1 - Hosts: 10.18.250.4 go.microsoft.com
O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky.com
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 10.18.250.4 mast.mcafee.com
O1 - Hosts: 10.18.250.4 mcafee.com
O1 - Hosts: 10.18.250.4 media.fastclick.net
O1 - Hosts: 10.18.250.4 microsoft.com
O1 - Hosts: 10.18.250.4 msdn.microsoft.com
O1 - Hosts: 10.18.250.4 my-etrust.com
O1 - Hosts: 10.18.250.4 nai.com
O1 - Hosts: 10.18.250.4 networkassociates.com
O1 - Hosts: 10.18.250.4 norton.com
O1 - Hosts: 10.18.250.4 office.microsoft.com
O1 - Hosts: 10.18.250.4 pandasoftware.com
O1 - Hosts: 10.18.250.4 phx.corporate-ir.net
O1 - Hosts: 10.18.250.4 rads.mcafee.com
O1 - Hosts: 10.18.250.4 secure.nai.com
O1 - Hosts: 10.18.250.4 securityresponse.symantec.com
O1 - Hosts: 10.18.250.4 service1.symantec.com
O1 - Hosts: 10.18.250.4 sophos.com
O1 - Hosts: 10.18.250.4 spd.atdmt.com
O1 - Hosts: 10.18.250.4 support.microsoft.com
O1 - Hosts: 10.18.250.4 symantec.com
O1 - Hosts: 10.18.250.4 trendmicro.com
O1 - Hosts: 10.18.250.4 update.symantec.com
O1 - Hosts: 10.18.250.4 updates.symantec.com
O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 us.mcafee.com
O1 - Hosts: 10.18.250.4 vil.nai.com
O1 - Hosts: 10.18.250.4 viruslist.com
O1 - Hosts: 10.18.250.4 viruslist.ru
O1 - Hosts: 10.18.250.4 virusscan.jotti.org
O1 - Hosts: 10.18.250.4 virustotal.com
O1 - Hosts: 10.18.250.4 windowsupdate.microsoft.com
O1 - Hosts: 10.18.250.4 www.avp.ch
O1 - Hosts: 10.18.250.4 www.avp.com
O1 - Hosts: 10.18.250.4 www.avp.ru
O1 - Hosts: 10.18.250.4 www.awaps.net
O1 - Hosts: 10.18.250.4 www.ca.com
O1 - Hosts: 10.18.250.4 www.f-secure.com
O1 - Hosts: 10.18.250.4 www.fastclick.net
O1 - Hosts: 10.18.250.4 www.grisoft.com
O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 www.kaspersky.com
O1 - Hosts: 10.18.250.4 www.kaspersky.ru
O1 - Hosts: 10.18.250.4 www.mcafee.com
O1 - Hosts: 10.18.250.4 www.microsoft.com
O1 - Hosts: 10.18.250.4 www.my-etrust.com
O1 - Hosts: 10.18.250.4 www.nai.com
O1 - Hosts: 10.18.250.4 www.networkassociates.com
O1 - Hosts: 10.18.250.4 www.pandasoftware.com
O1 - Hosts: 10.18.250.4 www.sophos.com
O1 - Hosts: 10.18.250.4 www.symantec.com
O1 - Hosts: 10.18.250.4 www.trendmicro.com
O1 - Hosts: 10.18.250.4 www.viruslist.com
O1 - Hosts: 10.18.250.4 www.viruslist.ru
O1 - Hosts: 10.18.250.4 www.virustotal.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [Auto EPSON Stylus C64 Series on DADSOLD] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P39 "Auto EPSON Stylus C64 Series on DADSOLD" /O17 "\\DADSOLD\Printer" /M "Stylus C64"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Daddy\Start Menu\Programs\MySpace\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.listen.com (HKCU)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_5.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131834156593
O16 - DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} (Active DJ Studio ActiveX Control) - http://www.christianrock2.net/amp3dj.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} () - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\system32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\kcvhrjdx.exe /service
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\SYSTEM32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe

--
End of file - 17601 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070819-150911-256 O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
backup-20070819-150911-339 O2 - BHO: (no name) - {72C57A80-EE08-428C-A365-01D38F1281F4} - C:\WINDOWS\system32\mllmj.dll (file missing)
backup-20070819-150951-455 O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 DomainService - c:\windows\system32\kcvhrjdx.exe /service (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-01-12 11:53:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-11 18:30:00 350 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (BUNNMAN-Daddy).job

-- Files created between 2007-12-15 and 2008-01-15 -----------------------------

2008-01-15 17:38:03 0 d-------- C:\ie-spyad_zo
2008-01-15 17:31:27 0 d-------- C:\Program Files\SpywareBlaster
2008-01-15 17 26 9728 --a------ C:\WINDOWS\shell.exe
2008-01-15 16:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-15 16:49:29 16384 --a------ C:\WINDOWS\system32\nod32se.exe
2008-01-15 16:25:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-14 17:10:27 0 d-------- C:\Documents and Settings\Daddy\Application Data\InfeStop.com
2008-01-14 17:09:44 0 d-------- C:\Program Files\InfeStop
2008-01-14 14:00:22 0 d-------- C:\Documents and Settings\Daddy\Application Data\spy-rid.com
2008-01-14 14:00:10 0 d-------- C:\Program Files\Spy-Rid
2008-01-14 13:55:13 0 d-------- C:\Program Files\SystemDefender
2008-01-14 13:55:12 98709 --a------ C:\Documents and Settings\Daddy\Application Data\sysdefender.exe
2008-01-14 13:39:29 16384 --a------ C:\WINDOWS\system32\suspend.exe
2008-01-14 13:39:29 80 --a------ C:\WINDOWS\system32\suspend.bin
2008-01-14 13:21:39 0 d-------- C:\Documents and Settings\Daddy\Application Data\EasySpywareCleaner.com
2008-01-14 13:21:34 0 d-------- C:\Program Files\EasySpywareCleaner
2008-01-14 13:21:26 19080 --a------ C:\WINDOWS\system32\ctfmona.exe
2008-01-14 11:47:05 16384 --a------ C:\WINDOWS\system32\userv32.dat
2008-01-14 11:46:33 6144 --a------ C:\WINDOWS\murka.dat
2008-01-14 11:46:33 18944 --a------ C:\WINDOWS\medichi2.exe
2008-01-14 11:46:33 4608 --a------ C:\WINDOWS\medichi.exe
2008-01-14 11:45:25 0 --a------ C:\WINDOWS\wsystmp_fpf.exe
2008-01-14 11:44:22 16384 --a------ C:\WINDOWS\system32\users32.dat
2008-01-14 11:44:15 47616 --a------ C:\WINDOWS\wsystmp_vss.exe
2008-01-14 11:43:03 21504 --a------ C:\WINDOWS\wsystmp_vxj.exe
2008-01-14 11:23:00 9728 --a------ C:\WINDOWS\system32\spoolvs.exe
2008-01-14 11:22:59 18944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-01-14 11:22:59 18944 --a------ C:\WINDOWS\system32\wowfx(2).dll
2008-01-14 11:22:59 9728 --a------ C:\Documents and Settings\Daddy\Application Data\printer.exe
2008-01-14 11:22:45 15872 --a------ C:\WINDOWS\windsk.dll
2008-01-14 11:04:45 34049 --a------ C:\WINDOWS\trayicon.exe
2008-01-14 11:04:43 34049 --a------ C:\Documents and Settings\Daddy\wn852.exe
2008-01-08 21:45:29 11010048 --a------ C:\Documents and Settings\Daddy\ntuser.dat
2007-12-25 08:10:48 0 d-------- C:\Program Files\iPod
2007-12-25 08:10:28 0 d-------- C:\Program Files\iTunes
2007-12-25 08:00:16 0 d-------- C:\Program Files\QuickTime
2007-12-17 21:50:02 0 d-------- C:\17e1cd52be707f4e663a2f2138eaa160

-- Find3M Report ---------------------------------------------------------------

2008-01-15 17:13:26 0 d-------- C:\Program Files\Trend Micro
2008-01-15 16:40:29 0 d-------- C:\Program Files\Yahoo!
2008-01-15 16:40:15 0 d-------- C:\Program Files\Common Files\Scanner
2008-01-15 14:36:51 0 d-------- C:\Program Files\PurgeIE
2008-01-09 19:05:30 0 d-------- C:\Program Files\Quicken
2007-12-30 15:01:43 0 d-------- C:\Program Files\RealFlightG3
2007-12-25 07:58:42 0 d-------- C:\Program Files\Apple Software Update
2007-12-16 11:23:04 0 d-------- C:\Program Files\Common Files\KnifeEdge
2007-12-15 15:52:52 0 d-------- C:\Program Files\Napster
2007-12-15 15:52:42 0 d-------- C:\Program Files\Common Files
2007-11-19 19:28:42 0 d-------- C:\Program Files\Microsoft IntelliPoint 5.2

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Auto EPSON Stylus C64 Series on DADSOLD"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.exe" [01/14/2008 11:44 AM]
"Printer"="C:\WINDOWS\system32\printer.exe" []
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [01/14/2008 11:44 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [01/14/2008 11:44 AM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [01/14/2008 11:44 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/14/2008 11:44 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [01/14/2008 11:44 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [01/14/2008 11:44 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [05/14/2005 09:08 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]
findfast.exe [5/14/2005 9:22:39 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun.exe [5/14/2005 9:36:58 PM]
DESKTOP.INI [8/10/2004 2:04:12 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 10:23:26 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 12:49:24 AM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2/12/2007 11:53:19 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [5/29/2006 10:30:02 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 08/22/2007 05:21 PM 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=murka.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=C:\WINDOWS\pss\Epson printer Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\For*get Me Not.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
"C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON PictureMate Deluxe]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P24 "EPSON PictureMate Deluxe" /O6 "USB003" /M "PictureMate Deluxe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\samycanu]
C:\Program Files\Messenger\samycanu22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\ihxkhqww.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{79-94-4C-C9-ZN}]
C:\windows\system32\lsdsrngr.exe CHD003

-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net

90 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-01-15 17:55:10 ------------
#2 (permalink)
Registered User
Join Date: Jan 2008
Posts: 30
OS: Windows XP Home SP2 V.5.1
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
SpyBot-SD just caught a process identified as Virtumonde.crack. I told it to kill the process next time it is encountered.
#4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
This machine is pretty well messed up. I strongly recommend you back up any valued data before performing the next steps. Among other infections showing, you have the latest version of the Vundo infection. It is a file infector, and replaces many legit exe files in startup. It's possible these applications will need to be reinstalled.
---------------------------------------------------------------------------------------------
Please visit this webpage for instructions for downloading and running ComboFix. Take your time and read the page completely. If there's anything you don't understand, post back and ask questions first, before proceeding.
http://www.bleepingcomputer.com/comb...o-use-combofix
If, while you're performing those instructions, you need to install the Windows XP Recovery Console using ComboFix, a log will be produced, CF-RC.txt. Post that log before continuing any further, and do NOT reboot your machine until I've reviewed it.
If you have a Windows XP CD with which to install the Windows XP Recovery Console as directed in the Guide, or already have the Windows XP Recovery Console installed, post the log from ComboFix when you've accomplished all that, along with a new HijackThis log.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#5 (permalink)
Registered User
Join Date: Jan 2008
Posts: 30
OS: Windows XP Home SP2 V.5.1
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Thank you so much for your assistance!
This thing is almost crippled. It will still browse the net somewhat but no printing, install, remove capabilities. I backed up everything that matters and then tried to proceed with the ComboFix instructions. When trying to get it to install the recovery console it doesn't do anything. I can't find an XP disc so I went to the Microsoft website the instructions direct me to and downloaded the appropriate file. The instructions then say to drag it overtop the ComboFix icon and drop it and then it should automatically install the console. I do that and a window pops up saying there's no digital certificate for ComboFix, I click "run", then the window goes away and nothing else happens, doesn't lock up, hard drive light doesn't blink like it's installing something, just back to the desktop.
Thanks and God bless,
-BunnMan
#6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Can you run task manager?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Go to Start > Run > copy/paste> taskmgr > click OK.
If it opens, see if there's a running process, trayicon.exe
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
As I expected...Ok, here's what we'll do.
Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
AddReg=Fix
DelReg=EnableRegTools

[Fix]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe ""%1"""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"

[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"
It should look like this: [screenshot]
Right click on fix.inf & select 'Install'
This should free ComboFix to do its job.
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
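To see what the fix.inf in post #10 actually changes, here is an added example (not from the thread, ComboFix or any other tool named in it) that parses that INF and applies its AddReg/DelReg directives to an in-memory model of the registry; the hijacked starting state, the rogue DLL name and the model itself are constructed assumptions.

```python
# Added example, not from the thread or any tool it names: parse the fix.inf posted
# above and apply its AddReg/DelReg directives to an in-memory registry model.
import csv
FIX_INF = r'''
[Version]
Signature="$CHICAGO$"
[DefaultInstall]
AddReg=Fix
DelReg=EnableRegTools
[Fix]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe ""%1"""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"
[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"
'''

def parse_inf(text):
    # Return {section: [fields, ...]}. INF quoting (a doubled quote inside a quoted
    # field is a literal quote) is csv's rule too, so """%1"" %*" parses as "%1" %*.
    sections, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], [])
        elif line and not line.startswith(";") and cur is not None:
            cur.append(next(csv.reader([line], skipinitialspace=True)))
    return sections

def apply_fix(inf_text, registry):
    """Registry model: {(root, key): {value_name: data}}, "" = default value."""
    inf = parse_inf(inf_text)
    todo = dict(f[0].split("=", 1) for f in inf["DefaultInstall"])
    reg = {(r, k.lower()): dict(v) for (r, k), v in registry.items()}
    for root, key, name, _flags, data in inf[todo["AddReg"]]:
        reg.setdefault((root, key.lower()), {})[name] = data   # restore "%1" %*
    for root, key, name in inf[todo["DelReg"]]:
        reg.get((root, key.lower()), {}).pop(name, None)       # lift the policy
    return reg

# Constructed hijacked state (assumption; the rogue DLL name is a placeholder): .exe
# launches routed through a DLL, and Registry Editor blocked by policy.
POLICY = ("HKCU", r"software\microsoft\windows\currentversion\policies\system")
HIJACKED = {
    ("HKCR", r"exefile\shell\open\command"): {"": r'rundll32.exe "C:\WINDOWS\system32\rogue.dll",Run "%1" %*'},
    POLICY: {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
}
```

Note that DelReg only removes the value it names, so an unrelated policy value such as DisableTaskMgr in the constructed state survives the fix; a real cleanup would audit the rest of that policy key too.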
#11 (permalink)
Registered User
Join Date: Jan 2008
Posts: 30
OS: Windows XP Home SP2 V.5.1
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Did as you instructed. ComboFix icon was absolutely unresponsive when the file was dragged overtop or I simply double-clicked ComboFix. Re-downloaded ComboFix and the Microsoft file. Tried again and got the digital signature warning when I dragged the file overtop, clicked run, still nothing.
#12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Hi, I want you to ignore the recovery console step for now. Malware interference is a possible cause.
Restart the machine in safe mode. Perform the previous steps; i.e. install the .inf file, then double click on ComboFix.exe to run it. Allow ComboFix to restart the machine into normal mode. Post the resulting log.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#13 (permalink)
Registered User
Join Date: Jan 2008
Posts: 30
OS: Windows XP Home SP2 V.5.1
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Same results. One of the icons the malware puts on my taskbar on the bottom right is still there in safe mode. ComboFix still will not run, even after installing the fix.inf.
#14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Hello,
ComboFix is frequently updated. Please delete your existing version, and get the latest version from one of the following links: ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Navigate to this folder:
C:\Program Files\Trend Micro\HijackThis
In it, there should be an executable, Daddy.exe. This is a duplicate of HijackThis. Double click on it to run it, then try the previous instructions.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Double click on the new version of Combofix to run it. Let me know what happens.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home
Re: Bad Malware infection - Spy-rid, InfeStop, Easy Spyware Cleaner
Rename ComboFix.exe to Comb.exe (right click on the file > Rename) then run it.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.