View Full Version : Struck down with unknown malware
G'day there,
Firstly, I came across your forum while googling for the symptoms my computr has. It seems to be the best out the wide range I've seen! Hopefully my problem isn't too varied from all the other Smitfraud/NTVDM etc problems that are similar to mine.
To the problem: I have a serious attack of malware that I can't seem to shake. I've got the latest Win XP updates, the latest Trend PC-cillin version, I've tried running a Trend Housecall and SpyBot S&D all to no avail.
In short, I keep getting pop-ups from these sorts of sites:
hxxx://65....60/trafc-2/.........
WinAntivirus (I'm getting pop-up advertisments while at your forum!)
Amaena.com
etc and so forth. I've blocked heaps of these sites using PC-cillin, but I still get pop-ups from PC-cillin saying I'm trying to access a blocked site.
My computer is running very slowly... typing this has to be slow due so the thing can keep up!
Also, on start-up, I get a "Cannot find csrss.exe in Windows\config\" error. There's a csrss.exe in /system32, I copied a version across to \config, but the error remains.
Even worse, periodically I get a 16-bit MSDOS window opening that's trying to run Windows\Temp files... the file name always changes, I keep emptying out the Temp folder with no success. Here's an example of the error:
C:\Windows\Temp\Win70T~1.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0526 IP:01A4 OP:63 72 6f 3c 2f
Close or Ignore
That CS:0526... etc is always the same, while the WinXXX~1.exe changes.
I've had viruses etc in the past, and pride myself on being able to find the solutions on the net myself, but I think this is a bit much for me. I just hate reformatting!
Any help you could give would be emensly appreciated.
Thanks!
Sorry about that URL you had to edit Tashi!
I ran VundoFix, managed to get rid of a few nasties. Here's my current HJT log, still a few gremlins in there:
-------------
Logfile of HijackThis v1.99.1
Scan saved at 10:18:04 p.m., on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\system32\taskswitch.exe
F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
F:\Program Files\TrojanHunter 4.6\THGuard.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
F:\Program Files\Netropa\Onscreen Display\OSD.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Documents%20and%20Settings/Ollie%20Wright/My%20Documents/Publish%20HTML/home/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - F:\WINDOWS\system32\bxygocea.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B83AADF-52F8-4AB1-AC2E-8BC64CF4AE86} - F:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {8071E65A-3F56-4426-8372-8667CD213057} - F:\WINDOWS\system32\ddccdcc.dll (file missing)
O2 - BHO: (no name) - {BC5659C2-3B62-46C7-8884-2168FF33B276} - F:\WINDOWS\system32\xqnrjwpp.dll
O4 - HKLM\..\Run: [CoolSwitch] F:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.trademe.co.nz
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/17.17/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171233884895
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Making some more headway. I'm not getting anymore popups or NTVDM windows opening, so that's a big plus. Computer's running a lot faster.
Ran SpyBot and VundoFix in Safe Mode, didn't find anything.
However, still have the csrss.exe problem on startup.
Thanks to this forum, I'm learning quite a lot!
Here's my most recent HJT log:
---------------
Logfile of HijackThis v1.99.1
Scan saved at 9:28:26 a.m., on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\system32\taskswitch.exe
F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
F:\Program Files\Netropa\Onscreen Display\OSD.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Documents%20and%20Settings/Ollie%20Wright/My%20Documents/Publish%20HTML/home/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CoolSwitch] F:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.trademe.co.nz
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/17.17/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171233884895
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Hello and welcome to the Forums :)
You're infected.
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\Config\csrss.exe
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
Cheers for coming to my rescue!
Complete scanning result of "csrss.exe", received in VirusTotal at 06.06.2007, 06:44:38 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.05.2007 no virus found
AntiVir 7.4.0.32 06.05.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.05.2007 no virus found
AVG 7.5.0.467 06.05.2007 no virus found
BitDefender 7.2 06.06.2007 no virus found
CAT-QuickHeal 9.00 06.05.2007 no virus found
ClamAV devel-20070416 06.06.2007 no virus found
DrWeb 4.33 06.06.2007 no virus found
eSafe 7.0.15.0 06.05.2007 no virus found
eTrust-Vet 30.7.3695 06.06.2007 no virus found
Ewido 4.0 06.05.2007 no virus found
FileAdvisor 1 06.06.2007 No threat detected
Fortinet 2.85.0.0 06.06.2007 no virus found
F-Prot 4.3.2.48 06.05.2007 no virus found
F-Secure 6.70.13030.0 06.05.2007 no virus found
Ikarus T3.1.1.8 06.06.2007 no virus found
Kaspersky 4.0.2.24 06.06.2007 no virus found
McAfee 5046 06.05.2007 no virus found
Microsoft 1.2503 06.06.2007 no virus found
NOD32v2 2311 06.06.2007 no virus found
Norman 5.80.02 06.05.2007 no virus found
Panda 9.0.0.4 06.06.2007 no virus found
Prevx1 V2 06.06.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.04.2007 no virus found
Symantec 10 06.06.2007 no virus found
TheHacker 6.1.6.129 06.04.2007 no virus found
VBA32 3.12.0 06.06.2007 no virus found
VirusBuster 4.3.23:9 06.05.2007 no virus found
Webwasher-Gateway 6.0.1 06.06.2007 no virus found
Aditional Information
File size: 6144 bytes
MD5: f12b178b1678d778cfd3ff1fc38c71fb
SHA1: d9aa29288951e94773caa1054237d29734e79f34
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=f12b178b1678d778cfd3ff1fc38c71fb
Hello :)
Ok let's continue...
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
OK, did that. A few virus warnings popped up in the process, like Smitfraud (it thought one of the ComboFix files was a virus).
Anyhow, here's the log:
----------
"Ollie Wright" - 2007-06-07 11:22:29 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "F:\Documents and Settings\Ollie Wright\Desktop\Installed Progs\"
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
F:\DOCUME~1\OLLIEW~1\Desktop.\internet explorer.lnk
((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))
2007-06-06 10:13 30 --a------ F:\WINDOWS\INTURS.DAT
2007-06-05 19:50 1,699,913 --a------ F:\WINDOWS\system32\InetClnt.dll
2007-06-05 19:50 <DIR> d-------- F:\Program Files\Common Files\AnswerWorks 4.0
2007-06-05 19:49 339,968 --a------ F:\WINDOWS\system32\cdintf.dll
2007-06-05 19:49 <DIR> d-------- F:\Program Files\Common Files\Intuit
2007-06-05 19:48 974,848 --a------ F:\WINDOWS\system32\mfc70.dll
2007-06-05 19:48 737,280 --a------ F:\WINDOWS\system32\spr32d30.dll
2007-06-05 19:48 54,784 --a------ F:\WINDOWS\system32\msvci70.dll
2007-06-05 19:48 487,424 --a------ F:\WINDOWS\system32\msvcp70.dll
2007-06-05 19:48 1,694,992 --a------ F:\WINDOWS\system32\vba6.dll
2007-06-05 19:48 <DIR> d-------- F:\Program Files\Intuit
2007-06-05 19:43 <DIR> d-------- F:\Program Files\Common Files\SWF Studio
2007-06-05 19:18 5,856 --a------ F:\WINDOWS\system32\INET16.DLL
2007-06-05 19:18 5,776 --a------ F:\WINDOWS\icoadb32.dat
2007-06-05 19:18 40,448 --a------ F:\WINDOWS\ICG32.DLL
2007-06-05 19:17 73,728 --a------ F:\WINDOWS\system32\Q_ENCLIB.DLL
2007-06-05 19:17 41,472 --a------ F:\WINDOWS\system32\IPROF32.DLL
2007-06-05 19:17 40,960 --a------ F:\WINDOWS\system32\Q_ENCUTL.DLL
2007-06-05 19:17 393,728 --a------ F:\WINDOWS\system32\MSVCRTD.DLL
2007-06-05 19:17 258,560 --a------ F:\WINDOWS\system32\Qcon32.dll
2007-06-05 19:17 196,848 --a------ F:\WINDOWS\system32\QCONNECT.DLL
2007-06-05 19:17 193,024 --a------ F:\WINDOWS\system32\Qcon3216.exe
2007-06-05 19:17 1,393,152 --a------ F:\WINDOWS\system32\MFC42D.DLL
2007-06-05 19:17 <DIR> d-------- F:\WINDOWS\Intuit
2007-06-05 19:17 <DIR> d-------- F:\QUICKENW
2007-05-28 22:16 <DIR> d-------- F:\HijackThis
2007-05-28 18:53 <DIR> d-------- F:\VundoFix Backups
2007-05-28 18:52 <DIR> d-------- F:\DOCUME~1\OLLIEW~1\APPLIC~1\TrojanHunter
2007-05-28 18:03 <DIR> d-------- F:\Program Files\TrojanHunter 4.6
2007-05-28 14:18 <DIR> d-------- F:\WINDOWS\Prefetch
2007-05-28 09:02 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-28 00:06 <DIR> d-------- F:\DOCUME~1\OLLIEW~1\.housecall6.6
2007-05-27 23:42 6,144 --a------ F:\WINDOWS\system32\csrss original.exe
2007-05-26 20:42 <DIR> d-------- F:\Program Files\PDF Editor 2
2007-05-26 18:36 <DIR> d-------- F:\WINDOWS\system32\appmgmt
2007-05-26 18:35 336 --a------ F:\Program Files\temp995.bat
2007-05-26 17:48 51,716 --a------ F:\WINDOWS\system32\pdf995mon.dll
2007-05-26 17:48 249,856 --a------ F:\WINDOWS\system32\pdfmona.dll
2007-05-26 17:48 <DIR> d-------- F:\DOCUME~1\ALLUSE~1\APPLIC~1\pdf995
2007-05-25 17:41 <DIR> d-------- F:\WINDOWS\system32\The Economist dir
2007-05-25 12:30 60,457 --a------ F:\WINDOWS\system32\EBPMON3.DLL
2007-05-25 12:30 57,344 --a------ F:\WINDOWS\system32\ECBTEG.DLL
2007-05-25 12:30 34,304 --a------ F:\WINDOWS\system32\EBPCHP.DLL
2007-05-25 12:30 166,400 --a------ F:\WINDOWS\system32\EBAPI3.DLL
2007-05-25 12:30 145 --a------ F:\WINDOWS\system32\EBPPORT3.DAT
2007-05-25 12:30 <DIR> d-------- F:\Program Files\EPSON
2007-05-25 12:29 <DIR> d-------- F:\EPSON
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-06 10:51:35 24 ----a-w F:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000002-80271102}.dat
2007-06-06 10:51:35 24 ----a-w F:\WINDOWS\system32\DVCState-{00000000-00000000-00000009-00001102-00000002-80271102}.dat
2007-06-05 07:50:51 -------- d--h--w F:\Program Files\InstallShield Installation Information
2007-05-01 04:21:02 -------- d-----w F:\Program Files\GlobalSCAPE
2007-05-01 04:10:13 -------- d-----w F:\DOCUME~1\OLLIEW~1\APPLIC~1\GlobalSCAPE
2007-04-18 16:12:23 2,854,400 ----a-w F:\WINDOWS\system32\msi.dll
2007-03-22 18:07:56 1,683,280 ------w F:\WINDOWS\system32\XpsSvcs.dll
2007-03-22 18:07:54 583,504 ------w F:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 08:25:02 124,928 ------w F:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w F:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w F:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w F:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w F:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w F:\WINDOWS\system32\win32k.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-29 13:52]
"MULTIMEDIA KEYBOARD"="F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-12-05 08:13]
"CoolSwitch"="F:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-05 00:00]
"SpybotSD TeaTimer"="F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=F:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=F:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=F:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
F:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardBus-PCI]
"F:\Program Files\DSE\CardBus-PCI\CardBus-PCI.exe" -nogui
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
"F:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"F:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher]
F:\Program Files\Creative\Launcher\CTLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlmMgr]
"F:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"f:\Program Files\Microsoft IntelliPoint\ipoint.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"F:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
F:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"F:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "F:\WINDOWS\system32\oqbrtdyw.dll",realset
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
F:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"F:\Program Files\Winamp\Winampa.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"nhksrv"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
**************************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 11:32:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-07 11:33:50
F:\ComboFix-quarantined-files.txt ... 2007-06-07 11:33
--- E O F ---
Quarantine log file was as follows:
2007-02-13 08:57 807 --a------ F:\Qoobox\Quarantine\F\DOCUME~1\OLLIEW~1\Desktop\Internet Explorer.lnk.vir
Folder PATH listing for volume Focke-Wulf
Volume serial number is F461-606C
F:\QOOBOX
\---Quarantine
+---F
| +---avenger
| \---DOCUME~1
| \---OLLIEW~1
| \---Desktop
| Internet Explorer.lnk.vir
|
\---Registry_backups
Try that again:
2007-02-13 08:57 807 --a------ F:\Qoobox\Quarantine\F\DOCUME~1\OLLIEW~1\Desktop\Internet Explorer.lnk.vir
Folder PATH listing for volume Focke-Wulf
Volume serial number is F461-606C
F:\QOOBOX
\---Quarantine
+---F
| +---avenger
| \---DOCUME~1
| \---OLLIEW~1
| \---Desktop
| Internet Explorer.lnk.vir
|
\---Registry_backups
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\Config\csrss.exe
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Restart the computer to the normal mode.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
All done.
The intial HJT scan didn't show the "F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Config\csrss.exe" entry.
In Safe Mode I deleted F:\WINDOWS\Config\csrss.exe
The AVG run detected two things:
- Backdoor.Theef.111, high risk.
- Adware.Virtumonde, medium risk.
However, after clicking "Apply all actions" in AVG, it wouldn't let me save a report.
In the "Analysis" tab of AVG, under "Processes", it shows F:\WINDOWS\system32\csrss.exe running, as well as services.exe, smss.exe, and lsass.exe among others (all in the system32 folder). I assume this is normal? system32\csrss.exe doesn't show up in the HJT log though.
Here is my new HJT log:
--------------
Logfile of HijackThis v1.99.1
Scan saved at 11:17:04 a.m., on 9/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
F:\WINDOWS\system32\taskswitch.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
F:\Program Files\Netropa\Onscreen Display\OSD.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\Program Files\Microsoft Office\Office\WINWORD.EXE
F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Documents%20and%20Settings/Ollie%20Wright/My%20Documents/Publish%20HTML/home/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CoolSwitch] F:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.trademe.co.nz
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/17.17/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171233884895
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Hmm ok looks pretty good. I forgot that AVG has problems with the log...
It is normal to have those files running under system32
Let's see...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
Whmen the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
Let me know how the coputer is running.
Computer seems to be running fine, haven't had a cssrs.exe pop-up for a while.
Did the scan in Safe Mode, only found a couple of things in the Vundo and HijackThis backup folders. Here's the log:
backup-20070528-222421-836.dll;F:\HijackThis\backups;Adware.Crew;Incurable.Moved.;
mljgf.dll.bad;F:\VundoFix Backups;Trojan.Virtumod;Deleted.;
Here's my current HJT log:
---------
Logfile of HijackThis v1.99.1
Scan saved at 3:02:00 p.m., on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
F:\WINDOWS\system32\taskswitch.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
F:\Program Files\Netropa\Onscreen Display\OSD.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Documents%20and%20Settings/Ollie%20Wright/My%20Documents/Publish%20HTML/home/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] F:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CoolSwitch] F:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.trademe.co.nz
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/17.17/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171233884895
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Quick observation: is there any reason why I should have three instances of svchost.exe running?
Hi again, it is looking clean now :)
It is normal to have multiple instances of svchost running.
You can remove the tools we used.
Then you should update your Java to the latest version (6u1) Start
Control Panel
Add/Remove Programs
Delete the old Java,
J2SE Runtime Environment 5.0 Update 11
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
Brilliant!
I've updated Java, set everything back to normal and cleaned out System Restore (and turned it back on afterwards).
I'll download those programs that you've recommended in the next few days. Will this topic stay up for that long so I can access the links?
Thanks for all your help Mr_JAk3, it's a testament to the power of the internet. I'll make sure this computer stays out of trouble in the future!
That's great news and you're very welcome :D:
I'll archive the topic but you'll be able to access this.
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: