View Full Version : please help infected

2007-12-22, 15:47
Hi, today i was online and my isp home page popped up and said my email just mass emailed, so i did a scan with lavasoft, spybot, and superantispyware, all 3 found alot and deleted, then i noticed the start run and shut down tabs gone, so i fixed that in reg. deleted all it found in avg, and also noticed this change,

MSIE 7.0; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727

also noticed changes in hijack that are not there ever, it deleted some but still some remane,

here is my hijack log, thanks bignight

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:20 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] -C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197323345703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PurgPro XP Service (PurgProService) - Unknown owner - -C:\Program Files\PurgeIE\PurgPro_Service.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

End of file - 3561 bytes

i ran active scan found this

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Virus:Generic Trojan Not disinfected C:\Documents and Settings\Owner\My Documents\Bieffe_UTI_VID5673_XDVD.rar[convertxtodvd.2.1.x.xxx-patch.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\SmitFraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Owner\My Documents\SmitFraudFix\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\My Documents\spy prs\VirtumundoBeGone.exe
Adware:Adware/Trymedia Not disinfected C:\Downloads\ChickenChaseSetup-dm[1].exe
Adware:Adware/Trymedia Not disinfected C:\Downloads\ChickenChaseSetup-dm[2].exe
Adware:Adware/Trymedia Not disinfected C:\Downloads\Monopoly3-dm[1].exe
Adware:Adware/WebSearch Not disinfected C:\Program Files\bfgtoolbar\bfgtoolbar.dll_0_
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
Potentially unwanted tool:Application/MSNContentPlus Not disinfected C:\WINDOWS\MSNImport.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

2007-12-30, 17:00

Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file -> paul44.exe. Post a fresh hjt log after renaming is done. :)

2008-01-04, 12:18
