Quick Help Needed Pls!! Virus!! System Security
Comments
That might have been remotely funny if I hadn't spent nearly 5 hours last night and the whole of this morning trying to sort this out :rolleyes:
If at first you don't succeed ........
Alternative autism therapies should be free!!
use system restore to roll back to before this happened
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
then download and scan with combofix straight away, do a scan that should take 20 minutes
Ex forum ambassador
Long term forum member
Right, I see a trojan in the original Combofix log. Can you run the following programme for me? I want to see what else is hiding.
- Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
- Double click on RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Wrong place sorry
Clixsense since 31.01.16 $122.13 Neo bux since 31.01.16 400 RR $1018.00
Swagbucks since 27.09.15 £310 amazon gc, $50.00 Steam gc £100.00 paypal 2,805 points to cash out
you need to start your own thread, each infection/response is unique
OK thanks for that will do, I will delete my above post
use system restore to roll back to before this happened
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
then download and scan with combofix straight away, do a scan that should take 20 minutes
Okay, I have done a system restore and the pop ups have stopped and the system security icons have disappeared, I am now running combofix. But I have noticed that the little icons you get in your address bar of a webpage have all changed for me. For example, a lot of them have the letters BT??? BT is not my internet provider even?? I used to get a little pic of Martin Lewis in my address bar on the moneysaving webpages..... now I'm getting BT
Here is the log from the Combofix notepad
ComboFix 09-02-21.01 - Jackie 2009-02-22 6:43:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1019 [GMT 0:00]
Running from: c:\documents and settings\Jackie\My Documents\ComboFix1.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.
2009-02-21 12:46 . 2009-02-21 12:46 <DIR> d c:\documents and settings\All Users\Application Data\SITEguard
2009-02-21 12:45 . 2009-02-21 12:45 <DIR> d c:\program files\Common Files\iS3
2009-02-21 12:45 . 2009-02-22 06:32 <DIR> d c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-21 10:54 . 2009-02-22 06:33 <DIR> d c:\program files\SUPERAntiSpyware
2009-02-21 10:54 . 2009-02-21 10:54 <DIR> d c:\documents and settings\Jackie\Application Data\SUPERAntiSpyware.com
2009-02-21 10:02 . 2009-02-22 06:32 <DIR> d C:\RECYCLER(2)
2009-02-21 08:24 . 2009-02-22 06:40 <DIR> d C:\ComboFix
2009-02-21 08:03 . 2009-02-21 08:03 <DIR> d c:\program files\Trend Micro
2009-02-21 06:34 . 2009-02-22 06:32 <DIR> d c:\documents and settings\All Users\Application Data\1527240312
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 06:44 d w c:\documents and settings\All Users\Application Data\Kontiki
2009-02-22 06:32 d w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 13:11 d w c:\program files\McAfee
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-09-21 19:36 61,224 -c--a-w c:\documents and settings\Jackie\GoToAssistDownloadHelper.exe
2007-09-27 17:20 168 -csh--r c:\windows\system32\3B8AC5DE95.sys
2007-09-27 17:20 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-09-28 02:07 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-18 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-08-29 160592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-09-02 83968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-03 26112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-03 98304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-08-25 28672]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-21 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-03-31 884840]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Common Files\\aol\\1190534892\\ee\\aolsoftware.exe"=
"c:\\Program Files\\NETGEAR\\WG111T\\wlan111t.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-02 206096]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-02-22 17149]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97da2ef8-9a7b-11db-a1e0-000feac34a73}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.sky.com/
uInternet Settings,ProxyOverride = localhost
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\d0m0bs06.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 06:44:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-22 6:47:14
ComboFix-quarantined-files.txt 2009-02-22 06:46:37
ComboFix2.txt 2009-02-21 08:33:36
Pre-Run: 91,654,565,888 bytes free
Post-Run: 91,731,083,264 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
159 --- E O F --- 2009-02-10 10:33:23
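A defender reading the Reg Loading Points section of the log above would want the lines that silence protection called out: Security Center notifications and monitoring switched off, the firewall profile disabled, and a drive AutoRun handler. This added Python example (not part of the thread and not ComboFix's own code) parses a constructed excerpt that mirrors the posted keys and values and flags each of them.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the posted log.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97da2ef8-9a7b-11db-a1e0-000feac34a73}]
\Shell\AutoRun\command - E:\setupSNK.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$", re.IGNORECASE)

def parse_reg_points(text):
    """Return (key, name, value) triples from a REGEDIT4-style log section."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, m.group(1), m.group(2).strip()))
        elif key and (m := AUTORUN_RE.match(line)):
            entries.append((key, "AutoRun", m.group(1).strip()))
    return entries

def _as_int(value):
    """Decode the value renderings ComboFix uses: 'dword:00000001' or '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]+)|(\d+)", value)
    return None if not m else int(m.group(1), 16) if m.group(1) else int(m.group(2))

def find_tampering(entries):
    """Flag settings that silence or disable protection, as seen in the posted log."""
    findings = []
    for key, name, value in entries:
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "security center" in k and name.endswith("DisableNotify") and _as_int(value):
            findings.append(f"Security Center alert suppressed: {name}")
        elif "security center\\monitoring" in k and name == "DisableMonitoring" and _as_int(value):
            findings.append(f"Security Center no longer monitors {leaf}")
        elif "firewallpolicy" in k and name == "EnableFirewall" and _as_int(value) == 0:
            findings.append(f"Windows Firewall disabled in {leaf}")
        elif "mountpoints2" in k and name == "AutoRun":
            findings.append(f"Drive AutoRun handler registered: {value}")
    return findings
```

Run `find_tampering(parse_reg_points(SAMPLE_LOG))` to get the four findings; feeding it the Reg Loading Points section of a real ComboFix log works the same way.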
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Killall::
DirLook::
c:\documents and settings\All Users\Application Data\1527240312
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Okay, as well as the above Combofix log, I have just run a quick scan in malwarebytes and here is the log for this
Malwarebytes' Anti-Malware 1.34
Database version: 1793
Windows 5.1.2600 Service Pack 3
22/02/2009 07:30:55
mbam-log-2009-02-22 (07-30-55).txt
Scan type: Quick Scan
Objects scanned: 64312
Time elapsed: 5 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
PS: Sorry reluctant_spender, just seen your post, do you still want me to follow your instructions?