Windows Searches Opening, Black Screens, Spammed Explorers, Spammed Text, Log Outs,



t1337Dude
2007-10-02, 07:03
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 01, 2007 8:59:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 2/10/2007
Kaspersky Anti-Virus database records: 426169
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 106049
Number of viruses found: 17
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 00:41:34

Infected Object Name / Virus Name / Last Action
C:\All Downloads\Crysis_MP_Beta_Release_3.exe.part Object is locked skipped
C:\All Downloads\Tools\SDFix\backups_old1\backups.zip/backups/svhost.exe Infected: Trojan.Win32.StartPage.ahg skipped
C:\All Downloads\Tools\SDFix\backups_old1\backups.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds.zip/cfg32r.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds1.zip/cfg32s.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds2.zip/cfg32o.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds22.zip/cfg32s.dll_tobedeleted_old Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds22.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds23.zip/cfg32o.dll_tobedeleted_old Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SearchClickAds23.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService3.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick.zip/i113.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SurfSideKick.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.7.8/webbuying.exe Infected: not-a-virus:AdWare.Win32.Agent.dk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu1000106.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt5.zip/b122.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt5.zip/b122.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt5.zip/b122.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt5.zip/b122.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt5.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1549OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\cert8.db Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\history.dat Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\key3.db Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\parent.lock Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Xfire\chatlog\peteyking\brownwalrus.txt Object is locked skipped
C:\Documents and Settings\Parsons Family\Application Data\Xfire\chatlog\peteyking\drewdools8.txt Object is locked skipped
C:\Documents and Settings\Parsons Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\Cache\F7CC5E6Fd01 Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\bpg5peob.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Parsons Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Parsons Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Parsons Family\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\G1\kmhp83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\G1\kmhp83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\G9\wb720.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\knfnfaky.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.lh skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\PPATCH~1\tаskmgr.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\TQ0\dl52.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_588.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\woasftxA.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\27d53aef380ad8aef2d3d8d9abd3f35c_4c40984a-a8bd-405e-833d-7cd1339c2e62 Object is locked skipped
F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3284a2761e20e7a86f8d138eb0688370_4c40984a-a8bd-405e-833d-7cd1339c2e62 Object is locked skipped
F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\77242e87b2dbbdd5eb7a941a93f7dbe0_4c40984a-a8bd-405e-833d-7cd1339c2e62 Object is locked skipped
F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bfd1cdfacc8a8719a0b3d92d1785b95c_4c40984a-a8bd-405e-833d-7cd1339c2e62 Object is locked skipped
F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\dfa6916943d89858a788dd4a16788237_4c40984a-a8bd-405e-833d-7cd1339c2e62 Object is locked skipped
F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_4c40984a-a8bd-405e-833d-7cd1339c2e62 Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Object is locked skipped
F:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTumstartup.etl Object is locked skipped
F:\Windows\System32\TSUPDATE2.1.scr Infected: Backdoor.Win32.PoisonIvy.ag skipped
F:\Windows\TSUPDATE2r1.exe Infected: Backdoor.Win32.PoisonIvy.j skipped

Scan process completed.


HijackThis renamed as f**kincraz3132y.exe



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:03:25 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\SEC\MagicTune3.6\GammaTray.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\All Downloads\Tools\fuckincraz3132y.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 Final Release\RivaTuner.exe" /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Shortcut to CG-NVNF4.exe.lnk = C:\All Downloads\Tools\OC\CG-NVNF4.exe
O4 - Global Startup: Color Calibration.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3772 bytes

ndmmxiaomayi
2007-10-07, 10:35
Hi t1337Dude. :)

Welcome to Safer Networking. My name is mayi and I will be helping you. As I am still in training, I will need my fixes checked before posting back to you. Thank you for your patience.

ndmmxiaomayi
2007-10-08, 03:39
Hi t1337Dude,

From your Kaspersky log:


F:\Windows\System32\TSUPDATE2.1.scr Infected: Backdoor.Win32.PoisonIvy.ag skipped
F:\Windows\TSUPDATE2r1.exe Infected: Backdoor.Win32.PoisonIvy.j skipped

There are signs of backdoors on your computer.

A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

Disconnect the computer from the Internet and from any networked computers until it is cleaned.
Back up all your important data except programs. The programs can be reinstalled from the original disc or from the Net.
Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password). Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)
How do I respond to a possible identity theft and how do I prevent it (http://www.dslreports.com/faq/10451)
When should I do a reformat and reinstallation of my OS (http://www.dslreports.com/faq/10063)
Where to backup your files (http://www.microsoft.com/athome/security/update/wherebackup.mspx)
How to backup your files in Windows XP (http://www.microsoft.com/athome/security/update/howbackup.mspx)
Restoring your backups (http://support.microsoft.com/kb/309340)

If you don't have the resources to reformat and reinstall Windows or don't wish to reformat and reinstall Windows, please let me know.

tashi
2007-10-16, 01:25
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.