Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.
#1
MalwareCrush Virus
Hello,

An icon recently appeared on my computer called MalwareCrush. It said I have 55 viruses on my computer. I did not install this program; it installed itself. I scanned it with AVG, no viruses found. I tried to delete it from my C: files; it replied that I couldn't delete this file. I tried to get rid of it through Pocket Killbox (it couldn't delete it). I need help fast!!!! I don't know anything about computers. I know this is a big problem for me. Any help would be appreciated. Thanks
#2
Welcome to CTH lisaoje,

If you would, don't make any additional changes there for now and let's see what all is loaded at this time.

Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed, open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.

Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.
#3
Tom,

Thanks for your prompt reply. Here is my HijackThis log you requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:48 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\avg\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\wupeng.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\temp\Temporary Internet Files\Content.IE5\96XSD1M8\hijackthis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\AdobeReader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187923921843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187923974937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5201 bytes

When I downloaded and ran Silent Runners to my desktop, I never could locate the log it created. It was not in the Startup Programs. I even did a search for the file it created. Still no results. I did see the Startup Programs folder, but it was empty. I hope this information is helpful. Any assistance you can provide will be greatly appreciated.

Thanks,
Lisa
#4
Might need a little rewording: the file itself is called Startup Programs, and if it was successful it would be located in the same location as the Silent Runners.vbs tool you ran. But there is enough information in the HijackThis log for us to move forward here.

You will want to copy or have other access to these steps, as they will be done while offline. Be sure to temporarily disable any protective software when running the scan tools we use here.

Download SDFix.exe and save it to your desktop. Download ComboFix.exe from here to your desktop. Then disconnect from net access. If cable/DSL, physically disconnect the modem cable; if dial-up, disconnect the phone line. This will keep the infection from reinstalling right now.

===================================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode). In Safe Mode, click SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double-click RunThis.bat to start the script. Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart, as the fixtool will be running and removing files. When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons. Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

=============================
After the reboot, click on the downloaded ComboFix.exe to run the scan. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed, a text window will appear; please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver.)

Reconnect to net access, and post back the C:\ComboFix.txt log as well as the SDFix Report.txt and a new HijackThis log please.
#5
MalwareCrush Virus
Tom,

Again, thanks for your prompt reply. Below are the three logs you requested. Please advise me of my next move.

ComboFix Log

ComboFix 07-12-31.4 - lisa 2008-01-02 13:10:46.4 - NTFSx86
Running from: C:\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.
2008-01-02 13:11 . 2008-01-02 13:11 <DIR> d-------- C:\temp\WPDNSE
2008-01-02 12:33 . 2008-01-02 12:33 1,484,544 --a------ C:\ComboFix.exe
2008-01-02 12:32 . 2008-01-02 12:32 1,212,248 --a------ C:\SDFix.exe
2008-01-02 12:17 . 2008-01-02 12:17 <DIR> d-------- C:\temp\Google Toolbar
2008-01-02 11:27 . 2008-01-02 11:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-02 11:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 12:37 . 2007-12-31 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 23:51 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-30 23:44 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-30 23:44 . 2007-04-17 04:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-30 23:44 . 2007-01-31 01:47 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-30 23:44 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-30 23:44 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-30 23:44 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-30 23:44 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-30 23:44 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-30 16:52 . 2007-12-30 15:34 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:34 . 2007-12-30 15:58 <DIR> d-------- C:\Documents and Settings\lisa\.housecall6.6
2007-12-30 15:31 . 2007-12-30 15:31 <DIR> d-------- C:\WINDOWS\Sun
2007-12-30 15:30 . 2007-12-31 00:29 <DIR> d-------- C:\Program Files\Google
2007-12-30 15:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-30 15:29 . 2007-12-30 15:30 <DIR> d-------- C:\Program Files\Java
2007-12-30 15:29 . 2007-12-30 15:29 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-30 08:18 . 2008-01-02 09:41 <DIR> d-ah----- C:\Program Files\MalwareCrush
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Program Files\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\lisa\Application Data\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PureEdge
2007-12-27 19:27 . 2003-11-21 18:02 2,101,248 --a------ C:\WINDOWS\system32\pe_cc.dll
2007-12-27 19:27 . 2003-11-21 18:02 1,167,360 --a------ C:\WINDOWS\system32\pe_java.dll
2007-12-27 19:27 . 2003-11-21 18:02 712,704 --a------ C:\WINDOWS\system32\uwi_java.dll
2007-12-27 19:27 . 2003-02-21 12:44 172,032 --a------ C:\WINDOWS\system32\SSCE5332.dll
2007-12-27 19:27 . 2003-02-21 10:44 167,936 --a------ C:\WINDOWS\system32\MSQOLE.DLL
2007-12-27 19:27 . 2007-12-27 19:27 61 --a------ C:\WINDOWS\PureEdgeAPI.ini
2007-12-05 07:35 . 2007-12-05 07:35 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 14:41 --------- d-----w C:\Program Files\avg
2007-12-31 05:35 --------- d-----w C:\Documents and Settings\lisa\Application Data\AVG7
2007-12-28 00:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 15:38 --------- d-----w C:\Documents and Settings\lisa\Application Data\SmartDraw
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-02_11.14.16.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-02 17:37:51 2,830,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-02 17:37:51 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-02 16:27:10 2,818,048 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-02 16:27:10 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 07:59 126976]
"AVG7_CC"="C:\PROGRA~1\avg\avgcc.exe" [2007-12-21 07:35 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\AdobeReader\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 12:43 1052672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MalwareCrush"="C:\Program Files\MalwareCrush\MalwareCrush.exe" [2007-12-31 14:01 1613824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\avg\avgw.exe" [2007-10-25 06:36 219136]

R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e910d79-51f0-11dc-bb2f-000c6ecb9e90}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 13:17:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-01-02 13:19:26
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 18:18:29
C:\qoobox\ComboFix2.txt 2008-01-02 16:14:54
.
2007-12-30 19:45:40 --- E O F ---

SDFix Report

SDFix: Version 1.122
Run by lisa on 2008-01-02 at 12:38
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFIX\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:
No Trojan Files Found

Removing Temp Files...

ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:
catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 12:59:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:
Thu 23 Aug 2007 211 A.SH. --- "C:\BOOT.BAK"
Mon 31 Dec 2007 1,613,824 A..H. --- "C:\Program Files\MalwareCrush\MalwareCrush.exe"
Sat 19 Feb 2005 1,697,280 A..H. --- "C:\0_OLD_DATA\My Documents\13346 Wilshire\~WRL0005.tmp"
Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\0_OLD_DATA\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\0_OLD_DATA\Program Files\Outlook Express\msimn.exe"
Tue 11 Nov 2003 56 A.SHR --- "C:\0_OLD_DATA\WINDOWS\system32\6AC0C3163A.sys"
Fri 16 Jun 2006 4,348 A..H. --- "C:\0_OLD_DATA\My Documents\My Music\License Backup\drmv1key.bak"
Fri 16 Jun 2006 20 A..H. --- "C:\0_OLD_DATA\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 9 May 2005 312 A.SH. --- "C:\0_OLD_DATA\My Documents\My Music\License Backup\drmv2key.bak"
Wed 29 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 25 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1a72abe4120e101373a4e6a8f3333cc4\download\BIT64.tmp"

Finished!

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:21 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\avg\avgcc.exe
C:\Program Files\AdobeReader\Reader\Reader_sl.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\AdobeReader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MalwareCrush] C:\Program Files\MalwareCrush\MalwareCrush.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187923921843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187923974937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5186 bytes
#6
I am surprised that none of the infection (Zlob) known for these was picked up in that. Let's check for those, then just give this one a complete removal. This is all assuming you have tried an uninstall through Add/Remove Programs (if not, do so now).

Download SmitfraudFix (by S!Ri).

Double-click SmitfraudFix.exe. Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.

NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.
#7
MalwareCrush Virus
Tom,

Thanks again. I really appreciate all of your support. Below is the SmitfraudFix report you requested.

SmitFraudFix v2.274

Scan done at 8:49:28.76, Thu 01/03/2008
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\avg\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lisa

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lisa\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\lisa\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.77.130
DNS Server Search Order: 68.87.72.130
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4524D3B1-A79A-421E-86D3-4FEB22211092}: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4524D3B1-A79A-421E-86D3-4FEB22211092}: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4524D3B1-A79A-421E-86D3-4FEB22211092}: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Please advise.
Lisa
#8
Just the startup and the associated MalwareCrush files so far, which we surely will remove now.

Be sure to temporarily disable any protective software when running the scan tools we use here.

Open HijackThis, and choose None of the above, just start the program. Click Config - Misc Tools - Open process manager. From the list, click any instances of the following if present, and Kill Process. Close HijackThis.

C:\Program Files\MalwareCrush\MalwareCrush.exe

-----------------------------------
Open Notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
Folder::
C:\Program Files\MalwareCrush
C:\temp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalwareCrush"=-

(include the "quotation marks" with the name)

Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed, a text window will appear; please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------
Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE). To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here. To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop-down you change it to "Text File (*.txt)".

Post back that log along with the ComboFix log and a new HijackThis log please.
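The two HijackThis logs in this thread (1/1/2008 in post #3 and 1/2/2008 in post #5) differ in their O4 Run-key lines, and the CFScript above removes one of those entries with the Registry:: section and the `"Name"=-` delete syntax. The script below is an added example for this thread; it is not code from HijackThis, ComboFix, SDFix or the forum. It parses the O4 lines of a HijackThis log, diffs the two logs, flags autostart executables that are not on a known-good list, and drafts the Registry:: section of a CFScript for whatever is flagged. The log excerpts are copied from the posts above (only the O4 lines are needed); the allow-list and the function names are assumptions for illustration, not a vendor list.

```python
"""Diff the O4 (Run key) entries of two HijackThis logs and draft the
Registry:: section of a ComboFix CFScript for entries to remove.

Added example for this thread; not HijackThis, ComboFix or forum code.
The two log excerpts are copied from the posts above. ALLOWLIST is an
assumption for illustration only."""
import re

# O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HJT appends "(User 'NAME')" to HKUS entries; it is not part of the command.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
# First .exe token of a command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)
HIVE_ROOT = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# O4 lines copied from the 1/1/2008 log (post #3) and the 1/2/2008 log (post #5).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MalwareCrush] C:\Program Files\MalwareCrush\MalwareCrush.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
"""
# Assumed known-good autostart executables for this machine (illustration only).
ALLOWLIST = {"alcxmntr.exe", "avgcc.exe", "jusched.exe", "ctfmon.exe", "avgw.exe"}


def parse_o4(log_text):
    """Map (hive, value name) -> command for every O4 Run line in an HJT log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            cmd = USER_SUFFIX_RE.sub("", m.group("cmd")).strip()
            entries[(m.group("hive"), m.group("name"))] = cmd
    return entries


def diff_o4(before_text, after_text):
    """Return (added, removed): Run entries present in only one of the two logs."""
    before, after = parse_o4(before_text), parse_o4(after_text)
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    return added, removed


def exe_name(cmd):
    """Lower-cased file name of the executable a Run command launches."""
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else cmd
    return path.rsplit("\\", 1)[-1].lower()


def unknown_entries(entries, allowlist):
    """Entries whose executable is not on the allow-list and so need a closer look."""
    return {k: v for k, v in entries.items() if exe_name(v) not in allowlist}


def registry_key(hive):
    """Expand the HJT hive shorthand (HKLM, HKCU, HKUS\\<SID>) to the full Run key."""
    root, _, rest = hive.partition("\\")
    key = HIVE_ROOT[root]
    if rest:
        key += "\\" + rest
    return key + "\\" + RUN_SUBKEY


def cfscript_registry_section(entries):
    """Draft CFScript text: Registry:: then [key] and "Name"=- (delete) per entry."""
    lines = ["Registry::"]
    by_key = {}
    for hive, name in entries:
        by_key.setdefault(registry_key(hive), []).append(name)
    for key in sorted(by_key):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in sorted(by_key[key]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    added, removed = diff_o4(LOG_BEFORE, LOG_AFTER)
    print("Run entries new in the 1/2 log:", added)
    print("Run entries gone since the 1/1 log:", removed)
    suspect = unknown_entries(parse_o4(LOG_AFTER), ALLOWLIST)
    print(cfscript_registry_section(suspect))
```

Run against the excerpts, the diff reports the `[Winupdate Engine] C:\WINDOWS\system32\wupeng.exe` entry as present on 1/1 and gone on 1/2, and `[MalwareCrush] ... /h` as listed only on 1/2, which is exactly what a reviewer reads off the two posts by hand; the drafted script reproduces the `"MalwareCrush"=-` line the helper wrote above. The allow-list check is deliberately coarse (a file name only): it is a triage aid for picking which O4 lines to look at, not a verdict, and a bare file name with no path (such as `ALCXMNTR.EXE`) still deserves a look because it resolves through the search path at logon.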
#9
MalwareCrush Virus - Kaspersky Report & Combo Fix Log
Tom,
Thanks! FYI, when I started the first part of the process with the HijackThis and Kill process, I received an error message that stated: "The selected process could not be killed. It may be protected by Windows". Then I saw the *C:\Program Files\MalwareCrush\MalwareCrush.exe* disappear from the list of items. Just thought you needed to know that. Nevertheless, below are the reports you requested. Thanks Abundantly!!

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 03, 2008 12:44:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/01/2008
Kaspersky Anti-Virus database records: 502025
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\
I:\
X:\
Y:\

Scan Statistics:
Total number of scanned objects: 84047
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:18:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\lisa\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lisa\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lisa\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\MalwareCrush\MalwareCrush.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16363A7F-51A0-4467-9016-3F7C5D75E9CA}\RP4\A0000394.exe Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\System Volume Information\_restore{16363A7F-51A0-4467-9016-3F7C5D75E9CA}\RP4\change.log Object is locked skipped
C:\temp\avg\emc.log Object is locked skipped
C:\temp\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Combo Fix Log:

ComboFix 07-12-31.4 - lisa 2008-01-03 10:51:30.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.250 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\MalwareCrush
C:\Program Files\MalwareCrush\blacklist.txt
C:\Program Files\MalwareCrush\Lang\English.ini
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\MalwareCrush\MalwareCrush.url
C:\Program Files\MalwareCrush\msvcp71.dll
C:\Program Files\MalwareCrush\msvcr71.dll
C:\Program Files\MalwareCrush\ref.dat
C:\Program Files\MalwareCrush\uninst.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.
2008-01-03 10:51 . 2008-01-03 10:51 <DIR> d-------- C:\temp\WPDNSE
2008-01-03 08:49 . 2008-01-03 08:49 2,220 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 08:48 . 2008-01-03 08:50 <DIR> d-------- C:\SmitfraudFix
2008-01-03 08:48 . 2008-01-03 08:48 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-02 13:27 . 2008-01-02 13:27 <DIR> d-------- C:\temp\Google Toolbar
2008-01-02 13:27 . 2008-01-02 13:27 401,720 --a------ C:\hijackthis.exe
2008-01-02 12:33 . 2008-01-02 12:33 1,484,544 --a------ C:\ComboFix.exe
2008-01-02 12:32 . 2008-01-02 12:32 1,212,248 --a------ C:\SDFix.exe
2008-01-02 11:27 . 2008-01-02 11:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-02 11:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 12:37 . 2007-12-31 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 23:51 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-30 23:44 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-30 23:44 . 2007-04-17 04:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-30 23:44 . 2007-01-31 01:47 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-30 23:44 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-30 23:44 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-30 23:44 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-30 23:44 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-30 23:44 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-30 16:52 . 2007-12-30 15:34 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:34 . 2007-12-30 15:58 <DIR> d-------- C:\Documents and Settings\lisa\.housecall6.6
2007-12-30 15:31 . 2007-12-30 15:31 <DIR> d-------- C:\WINDOWS\Sun
2007-12-30 15:30 . 2007-12-31 00:29 <DIR> d-------- C:\Program Files\Google
2007-12-30 15:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-30 15:29 . 2007-12-30 15:30 <DIR> d-------- C:\Program Files\Java
2007-12-30 15:29 . 2007-12-30 15:29 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Program Files\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\lisa\Application Data\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PureEdge
2007-12-27 19:27 . 2003-11-21 18:02 2,101,248 --a------ C:\WINDOWS\system32\pe_cc.dll
2007-12-27 19:27 . 2003-11-21 18:02 1,167,360 --a------ C:\WINDOWS\system32\pe_java.dll
2007-12-27 19:27 . 2003-11-21 18:02 712,704 --a------ C:\WINDOWS\system32\uwi_java.dll
2007-12-27 19:27 . 2003-02-21 12:44 172,032 --a------ C:\WINDOWS\system32\SSCE5332.dll
2007-12-27 19:27 . 2003-02-21 10:44 167,936 --a------ C:\WINDOWS\system32\MSQOLE.DLL
2007-12-27 19:27 . 2007-12-27 19:27 61 --a------ C:\WINDOWS\PureEdgeAPI.ini
2007-12-05 07:35 . 2007-12-05 07:35 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 14:41 --------- d-----w C:\Program Files\avg
2007-12-31 05:35 --------- d-----w C:\Documents and Settings\lisa\Application Data\AVG7
2007-12-28 00:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 15:38 --------- d-----w C:\Documents and Settings\lisa\Application Data\SmartDraw
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-02_11.14.16.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-02 17:37:51 2,830,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-02 17:37:51 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-02 16:27:10 2,818,048 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-02 16:27:10 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 07:59 126976]
"AVG7_CC"="C:\PROGRA~1\avg\avgcc.exe" [2007-12-21 07:35 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\AdobeReader\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 12:43 1052672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\avg\avgw.exe" [2007-10-25 06:36 219136]

R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e910d79-51f0-11dc-bb2f-000c6ecb9e90}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
**********************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 10:54:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**********************************************************
.
Completion time: 2008-01-03 10:55:41
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-03 15:55:20
C:\qoobox\ComboFix2.txt 2008-01-02 18:19:27
C:\qoobox\ComboFix3.txt 2008-01-02 16:14:54
.
2007-12-30 19:45:40 --- E O F ---
#10
Below is the HijackThis Log. I couldn't post it with the other two. It was too long. Lisa
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:03 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\AdobeReader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187923921843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187923974937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5074 bytes
#11
Very good - Kaspersky only shows normally locked system functions, infection removed by ComboFix to its Qoobox folder and mis-ID'd SmitFraudFix as a bad one (wish they would update and correct that). Only one folder I would like you to check for now - are there any problems there at this time?
Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types". Do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and tell me what type of files you find there (in general): C:\temp\WPDNSE
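The reading of the Kaspersky report given in the reply above (locked system files are normal, the two hits on the fraud tool are a quarantined copy and a restore-point copy, and the RiskTool detection on the SmitfraudFix helper is a false positive on a cleanup tool) can be mechanised. The Python script below is an added example for this thread, not code from the forum, from the helper, or from Kaspersky. It assumes only the three line shapes visible in the report pasted above (`... Object is locked skipped`, `... Infected: <name> skipped`, `... RarSFX: infected - N skipped`), the `not-a-virus:` prefix Kaspersky puts on riskware detections, and the `QooBox\Quarantine` and `System Volume Information\_restore` folder names as they appear here. The sample input is constructed from lines on this page plus one made-up line with a placeholder detection name so that the "live" bucket is not empty.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Result lines of a Kaspersky Online Scanner 5.x report (shapes taken from the
# report in this thread): a locked file that was skipped, an infected object
# with its detection name, or an archive with a count of infected members.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")

# Locations where a hit is a dead copy rather than a live file: ComboFix's
# quarantine folder and System Restore snapshots (compared case-insensitively).
NEUTRALISED_DIRS = (r"\qoobox\quarantine", r"\system volume information\_restore")

# Kaspersky prefixes riskware/PUA detections (tools, adware, fraud tools) with this.
RISKWARE_PREFIX = "not-a-virus:"


@dataclass
class Finding:
    path: str
    status: str                      # "locked", "infected" or "archive"
    detection: Optional[str] = None  # detection name for "infected" lines
    riskware: bool = False           # True when the detection carries RISKWARE_PREFIX
    neutralised: bool = False        # True when the path lies in NEUTRALISED_DIRS


def parse_line(line: str) -> Optional[Finding]:
    """Turn one report line into a Finding, or None for headers and blanks."""
    line = line.strip()
    m = LOCKED_RE.match(line)
    if m:
        return Finding(m["path"], "locked")
    m = INFECTED_RE.match(line)
    if m:
        path = m["path"]
        low = path.lower()
        return Finding(
            path, "infected", m["name"],
            riskware=m["name"].startswith(RISKWARE_PREFIX),
            neutralised=any(d in low for d in NEUTRALISED_DIRS),
        )
    m = ARCHIVE_RE.match(line)
    if m:
        return Finding(m["path"], "archive", f"{m['kind']} ({m['count']} infected members)")
    return None


def parse_report(text: str) -> List[Finding]:
    """Parse a whole report; unrecognised lines (headers, statistics) are ignored."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Sort findings into the buckets a helper reads off the report."""
    buckets: Dict[str, List[str]] = {
        "locked": [], "neutralised": [], "riskware": [], "live_malware": [], "archives": []}
    for f in findings:
        if f.status == "locked":
            buckets["locked"].append(f.path)        # in-use system files, expected
        elif f.status == "archive":
            buckets["archives"].append(f.path)      # container; members listed separately
        elif f.neutralised:
            buckets["neutralised"].append(f.path)   # quarantine / restore-point copy
        elif f.riskware:
            buckets["riskware"].append(f.path)      # tool or PUA, judge against known tools
        else:
            buckets["live_malware"].append(f.path)  # needs attention
    return buckets


# Constructed sample: lines copied from the report pasted in this thread plus one
# made-up line (dropper.exe, placeholder detection name) so the live bucket is used.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\lisa\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\MalwareCrush\MalwareCrush.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{16363A7F-51A0-4467-9016-3F7C5D75E9CA}\RP4\A0000394.exe Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\Documents and Settings\lisa\Desktop\dropper.exe Infected: Trojan-Downloader.Win32.Placeholder.a skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

Run as a script it prints the buckets for the sample; for a real report, pass the saved text to parse_report. Only what lands in live_malware needs action; neutralised entries are copies ComboFix or System Restore already hold, and the riskware bucket should be read against the tools deliberately downloaded during the cleanup, which is exactly the SmitfraudFix case above.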
#12
Tom,
Thanks again! I performed the search for Hidden Files and the Search/Find files and folders task. I found the C:\temp\WPDNSE file, but no files or documents were stored in it. The folder was EMPTY. Please advise. Lisa
#13
It can be deleted without issues. Any problems you see there at this time?
#14
Tom,
How do you want me to delete it? Lisa
#15
Sure - it is an empty folder in a temp location, so no issue either way. Before we clean up what we added to your system how are things running there now?