PDA

View Full Version : Heeeelp! Work PC Infected!



thecustomshop
2008-05-22, 19:24
I am running a Dell PC with WinXP Service Pack 2 and all of a sudden got slammed with viruses. I just ran AVG Free, Spyware Terminator, Malwarebytes, and HijackThis. Here is the report I got.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:19 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: gktxaspm - {F8028315-F932-431F-B16A-DB39815818F0} - C:\WINDOWS\gktxaspm.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174412081625
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.gocarnuts.com/uploadActiveX/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFA2F358-2C5B-4D05-B9EC-D2892141B833}: NameServer = 85.255.113.150,85.255.112.172
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.150 85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.150 85.255.112.172
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: khfFxXoN - khfFxXoN.dll (file missing)
O21 - SSODL: pxgdslro - {6ED98AC7-C3FC-4F97-B203-848958C79F28} - C:\WINDOWS\pxgdslro.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5149 bytes

thecustomshop
2008-05-22, 21:13
I dont know how to read these logs.... can anyone tell me if it shows files that need to be submitted to ComboFix? Other solutions?

tashi
2008-05-22, 22:52
Hello,

Please read our sticky topics:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Personal computers or..... (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806 )

Regards. ;)

thecustomshop
2008-05-22, 22:53
I ran Trend Housecall Online Scan, got these errors that have to be manually removed....

Detected vulnerabilities

Vulnerability in Print Spooler Service Could Allow Remote Code Execution

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
A remote code execution vulnerability in the Printer Spooler service allows an attacker who successfully exploits this vulnerability to take complete control ...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Malware exploiting this vulnerability: unknown
A remote code execution vulnerability in the Printer Spooler service allows an attacker who successfully exploits this vulnerability to take complete control of the affected system.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This security advisory addresses several vulnerabilities in Microsoft Excel. These vulnerabilities exist because of the way Microsoft Excel handles specially crafted files that contain mal...
More information about this vulnerability and its elimination.
Affected programs and services: 2007 Microsoft Office System
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2003 Viewer
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2007
Microsoft Office Compatibility Pack for Word
Excel
and PowerPoint 2007 File Formats
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability: unknown
This security advisory addresses several vulnerabilities in Microsoft Excel. These vulnerabilities exist because of the way Microsoft Excel handles specially crafted files that contain malformed records or font values. Once successfully exploited, these vulnerabilities allow an attacker to gain user rights similar to the currently logged on user.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update replaces security update MS07-015. A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object, which may be included as an attachment to ...
More information about this vulnerability and its elimination.
Affected programs and services: 2007 Microsoft Office System
Microsoft Office 2000 Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office XP Service Pack 3
Malware exploiting this vulnerability: unknown
This update replaces security update MS07-015. A remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object, which may be included as an attachment to an email message or hosted on a malicious Web site. A remote malicious user could exploit this vulnerability by constructing a specially crafted Office file containing a malformed drawing object that could allow remote code execution.
More information about this vulnerability and its elimination.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
This update solves a vulnerability that exists in the way Microsoft Excel handles malformed Excel files. This vulnerability can be expoited by a remote malicious user by sending a malformed file as an email message attachment o...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Excel 2000 Service Pack 3 (Microsoft Office 2000 Service Pack 3)
Microsoft Excel 2002 Service Pack 3 (Microsoft Office XP Service Pack 3)
Microsoft Excel 2003 Service Pack 2 (Microsoft Office 2003 Service Pack 2)
Microsoft Excel 2003 Viewer
Microsoft Office Compatibility Pack for Word
Excel
and PowerPoint 2007 File Formats
Microsoft Office Excel 2007 (2007 Microsoft Office System)
Malware exploiting this vulnerability: unknown
This update solves a vulnerability that exists in the way Microsoft Excel handles malformed Excel files. This vulnerability can be expoited by a remote malicious user by sending a malformed file as an email message attachment or as a file hosted on a malicious Web site. Once successfully exploited, the remote user can gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
More information about this vulnerability and its elimination.

Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution (936548)

Transfering more information about this vulnerability...
An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available.
A vulnerability exists in the way Microsoft Publisher inadequately clears our memory resources when writing application data from memory to disk. A remote malicious user can exploit this vulnerability b...
More information about this vulnerability and its elimination.
Affected programs and services: Microsoft Office Publisher 2007 (2007 Microsoft Office System)
Malware exploiting this vulnerability: unknown
A vulnerability exists in the way Microsoft Publisher inadequately clears our memory resources when writing application data from memory to disk. A remote malicious user can exploit this vulnerability by creating a specially crafted Publisher page file (*.PUB), which when viewed, allows remote code execution on the affected system. A remote malicious user can also take complete control over the compromised system.
More information about this vulnerability and its elimination.

MS07-042

Transfering more information about this vulnerability...