|
|
||
07-23-2008, 01:53 PM
|
#1 (permalink) |
|
Silver Member
 Join Date: Jun 2007
Posts: 124
|
A machine with over 400 virus and trojans
Hey guys
My friend brought me his pc, Which he said it has various problem that he can't name all. Like it restart by itself while he is working, it shows various errors ... I checked it, (windows xp). and first run spybot search and destroy. It found over 400 problems. after "fixing" those. I run ComboFix and it took more time than i expected. After that i run hijackthis and saved a log. Can someone help me with these logs to see every things fine now ? or should i do something else ? thanks in advance ComboFix HijackThis |
|
|
|
07-24-2008, 03:32 AM
|
#2 (permalink) |
|
Diamond Member
 
Join Date: Jan 2008
Location: Melbourne, Australia
Age: 14
Posts: 8,206
|
Was the hijackthis log, before or after the combo fix????
PLs post the logs in a reply, the hijack this logs especially, combo fix won't fit i understand.
__________________
My Website
Desktop / Laptop Motherboard: Asus M2N X SE / Unknown CPU: AMD 4000+ 2.1GHZ x 2 / Intel Pentium M 1.60GHZ Ram: 2GB Transcend / 512MB Hard Drive: 320GB / 60GB Video Card: Both Intergrated Monitor: 19" Benq / 15.4" OS: Windows Vista Home Premium Service Pack 1 / Windows XP Professional Service Pack 3 |
|
|
|
|
07-24-2008, 07:08 AM
|
#3 (permalink) |
|
Silver Member
Join Date: Jun 2007
Posts: 124
|
hijackthis log is after combofix.
The forum didn't let me upload the combofix log, because it said the size of the file (35k) is more than the amount defined for that extension. and didn't let me copy and paste, as it exceed 30000 characters. so i upload it on a server. but here the hijack this log : Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 04:17:17 ?.?, on 2008/07/23 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe C:\Program Files\Intense Language Office\COMMON\Offman.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK O4 - HKLM\..\Run: [BM0b6ee4c9] Rundll32.exe "C:\WINDOWS\system32\jnqihrlu.dll",s O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: NaturalColorLoad.lnk = ? O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O20 - AppInit_DLLs: O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O24 - Desktop Component 0: (no name) - http://us.js1.yimg.com/us.yimg.com/l...ilcommonlib.js -- End of file - 6452 bytes |
|
|
|
|
07-24-2008, 01:23 PM
|
#4 (permalink) |
|
Moderator
 
Join Date: Dec 2005
Location: Melbourne, Australia
Age: 21
Posts: 5,305
|
I'm afraid there's more work to do. Your logfile shows a flash drive infection. Any portable drives or memory sticks that have been plugged into this computer since contracting the infection are likely infected, as may be any computers that these drives have been connected to. I recommend you run scans on any computers that have shared portable drives or memory sticks with this one, and post logfiles if necessary. This infection is designed to steal passwords to an instant messaging program called QQ, if you use that program I recommend changing your password immediately.
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following: 1) Run Spybot-S&D 2) Go to the Mode menu, and make sure Advanced Mode is selected 3) On the left hand side, choose Tools -> Resident 4) Uncheck Resident TeaTimer and OK any prompts You can reenable TeaTimer once your system is clean.
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running. Please download Flash Disinfector and save it to your Desktop. Please connect any flash drives that have been used in this PC. Double click on Flash Disinfector and follow the prompts. Please do a scan with Kaspersky Online Scanner Click on the Accept button and install any components it needs.
Please post
__________________
CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. |
|
|
|
|
07-28-2008, 09:49 AM
|
#5 (permalink) |
|
Silver Member
Join Date: Jun 2007
Posts: 124
|
Ok, Kasper took so long.
I did everything you said. Here's the files exactly as you wanted : I did first drag that txt file to combo fix . then did kasper scan. and hijackthis log at last. Combofix Kasper hijackthis |
|
|
|
|
07-28-2008, 09:54 AM
|
#6 (permalink) |
|
Diamond Member
Join Date: Jan 2008
Location: Melbourne, Australia
Age: 14
Posts: 8,206
|
This one is big, i'll leave it to the higher guys, like ceewi1.
Force123, you will be well looked after by ceewi1.
__________________
My Website
Desktop / Laptop Motherboard: Asus M2N X SE / Unknown CPU: AMD 4000+ 2.1GHZ x 2 / Intel Pentium M 1.60GHZ Ram: 2GB Transcend / 512MB Hard Drive: 320GB / 60GB Video Card: Both Intergrated Monitor: 19" Benq / 15.4" OS: Windows Vista Home Premium Service Pack 1 / Windows XP Professional Service Pack 3 |
|
|
|
|
08-01-2008, 12:44 PM
|
#7 (permalink) |
|
Moderator
Join Date: Dec 2005
Location: Melbourne, Australia
Age: 21
Posts: 5,305
|
My apologies for the delay, there is still more to do.
Please download the OTMoveIt2 by OldTimer.
Please download FindAWF Save the file to the Desktop Double-click the FindAWF icon. If a Security Alert shows, allow the program to run. As instructed, press any key to continue. Use the following option: Press 1 then Enter to scan for bak folders The scan may take a while, please be patient. When done, a text file, Find AWF report is produced. Please provide Find AWF report in your reply. Please download Deckard's System Scanner (DSS) and save it to your Desktop.
Please post
__________________
CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. |
|
|
|
|
08-02-2008, 01:57 PM
|
#9 (permalink) |
|
Moderator
Join Date: Dec 2005
Location: Melbourne, Australia
Age: 21
Posts: 5,305
|
Much better, those logs now appear to be clean. How is the system running?
__________________
CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. |
|
|
|
|
08-02-2008, 02:19 PM
|
#10 (permalink) | |
|
Silver Member
Join Date: Jun 2007
Posts: 124
|
Perfect
 After ComboFix it got way much better . But now it is running so much faster and load quick on startup. I really really don't know how to thank you, I have nothing to say. Thanks A TON man. Just for the last thing : How can i learn it what you did ? Is it pure experience ? Somewhere I can read about it ? for example how did you know that you must put these addresses ? Quote:
|
|
|
|
|
 |
| Bookmarks |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Error message virus, very annoying { HJT Log } | Dazzeerr | Computer Security | 14 | 07-01-2008 02:10 PM |
| Virus Identified | alyoob | Computer Security | 13 | 03-17-2008 08:22 PM |
| 7 Trojans and another virus | Clairzy | Computer Security | 1 | 12-02-2006 06:59 AM |
| Viri, Trojans & Pings | jackz4000 | Computer Security | 1 | 09-27-2006 11:59 AM |
| Help Infected with virus | SidneyJ | Computer Security | 9 | 03-20-2006 04:00 PM |
Linear Mode
