All sorts of malware/trojan issues I believe (HJT log inside)

footballstevo75

footballstevo75

Active Member
So a guy at work has helped me fix my car many times so I am attempting to fix his pc up. He got hit with some nasty trojan I believe. I have been working on it just tonight, it already had AVG so I scanned it, it found like 19 and I cleaned them, then used malwarebytes and it found a bunch of registry things so I did that as well.

Now when I try to do a system restore, when I click the next button to confirm, nothing happens. Also when attempting to do a full scan, at some point the computer will always shut off, one time in safe mode, it said it was NT authority system shutdown because the dcom server process was terminated early.

Otherwise when not doing virus scans, the computer will run kinda slow, but it'll run, however internet will not work, even when it says its connected in the network settings (gives an ip address as well).

Attached is a HiJack This log, I was wondering if somebody could tell me where to go next?

START
------Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:23 AM, on 1/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...zF++ZG0DFffAtwv0kdly9pcMgqUFgR1BgJ7NvpulDJYgm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5EC137A91A475760EA83FA5EF80752B94E2DD7D58744E293DC4 - {56F1D444-11BF-4879-A12B-79CF0177F038} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\bobjon~1\locals~1\temp\ntdll64.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://cam1.aftonalps.com/kxhcm10.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166108547421
O20 - AppInit_DLLs:
O20 - Winlogon Notify: __c003C2E1 - C:\WINNT\system32\__c003C2E1.dat (file missing)
O20 - Winlogon Notify: __c0048D10 - C:\WINNT\system32\__c0048D10.dat (file missing)
O20 - Winlogon Notify: __c0082B29 - C:\WINNT\system32\__c0082B29.dat (file missing)
O20 - Winlogon Notify: __c00DABBC - C:\WINNT\system32\__c00DABBC.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 5243 bytes
 
Ohh I just noticed this line-
"O10 - Broken Internet access because of LSP provider 'c:\docume~1\bobjon~1\locals~1\temp\ntdll64.dll' missing"
Earlier I believe malwarebytes found a problem in ntdll64.dll and I cleaned it, but internet wasn't working before that so the virus did something to it?

EDIT-Also it would be nice to just take the HD, put it in slave then put it in my current rig and scan it using vista. BUT The IDE cable pins on my mobo are bent :(
 
Last edited:
Download and run combofix at the page here. Follow the instructions and post the log that it displays back here along with a new hijack this log.
 
It restarts before the scan can be completed...

EDIT-
OK, so I got it to start scanning but it said it had to restart because of presence of a rootkit? Now on restart it started all over again.

AND I told dcom to do nothing when it fails so hopefully that will temporarily fix the restart problem.
 
Last edited:
I always get an error at the end,
findstr: cannot open temp01 and nor report is ever made, what's up with that?

EDIT-internet works now after running combofix twice more, but it seems a little sluggish, almost like dial up.

Check out new HJT log attached.
START
-------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15, on 2009-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://cam1.aftonalps.com/kxhcm10.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166108547421
O20 - Winlogon Notify: __c003C2E1 - C:\WINNT\system32\__c003C2E1.dat (file missing)
O20 - Winlogon Notify: __c0048D10 - C:\WINNT\system32\__c0048D10.dat (file missing)
O20 - Winlogon Notify: __c0082B29 - C:\WINNT\system32\__c0082B29.dat (file missing)
O20 - Winlogon Notify: __c00DABBC - C:\WINNT\system32\__c00DABBC.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 4565 bytes
 
Last edited:
If the log never appeared on your screen, then it never finished. But try looking in the root directory of C for the combofix log. Should be this c:\combofix.txt

Have you tried running it in safemode? We really need to see the log, according to your hijackthis log there is still malware present.
 
Last edited:
johnb35 said:
If the log never appeared on your screen, then it never finished. But try looking in the root directory of C for the combofix log. Should be this c:\combofix.txt

Have you tried running it in safemode? We really need to see the log, according to your hijackthis log there is still malware present.
Click to expand...

Yeah it wasn't at that location. Was done in safe mode. I am scanning with malwarebytes (just update definitions) ATM and it shows 9 infected objects so far.

Question- how do you read a HJT log? What shows mine has malware? I believe I still do have malware because it runs pretty slow.
 
It takes time and experience to determine what items are infections in a hijackthis log. If you want we can link you to some forums that have bootcamps to learn how to go through hijackthis logs and clean up malware.

Sometimes combofix takes awhile to complete. It will reboot the computer before the log appears. Sometimes when i'm cleaning customers computers i will get that error message that you got (findstr: cannot open temp01 ) Its not done at this point. You need to let it finish, might take 20-30 minutes if your machine is badly infected.
 
Ohh I thought the error signified the end. I will run it again then.

BTW I just removed 15 things with malware bytes, here is the log of that-
START
------Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 2

2009-01-10 17:29:28
mbam-log-2009-01-10 (17-28-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 119409
Time elapsed: 51 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0048d10 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0082b29 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c003c2e1 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00dabbc (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINNT\system32\ntdll64.exe.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINNT\system32\senekadectasft.dll.vir (Trojan.Seneka) -> No action taken.
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\senekauxnkbmec.sys.vir (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1693\A0113655.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1693\A0113657.dll (Trojan.Seneka) -> No action taken.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1693\A0113671.exe (Trojan.Agent) -> No action taken.
C:\WINNT\system32\dllcache\userinit.exe (Trojan.Agent) -> No action taken.


BTW I told it to remove all of them.
 
Now combofix says C:\WINNT\system32 is not recognized as an internal or external operable program or batch file and it hangs on that.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:02, on 2009-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\CF26237.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://cam1.aftonalps.com/kxhcm10.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166108547421
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 3564 bytes

Have restarted it several times and attemped still does it, its after it scans all the parts though.
 
Did by chance you upgrade to XP from Windows 2000? I think combofix has certain issues with 2000. If you did, I will hand you over to someone else, I'll PM him when you reply with the answer to my question.
 
johnb35 said:
Did by chance you upgrade to XP from Windows 2000? I think combofix has certain issues with 2000. If you did, I will hand you over to someone else, I'll PM him when you reply with the answer to my question.
Click to expand...

No this computer has always had XP on it. I appreciate the help though. Also was I supposed to disable system restore? Because I just did this and malwarebytes found 7 more right off the bat.
 
Well according to these running processes, WINNT represents an earlier installation of Windows 2000.


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\CF26237.exe

If it was pure XP, it would be c:\windows\

I searched online and found an instance where someone reinstalled XP and it changed the old installation to WINNT and the new installation to windows. Its very possible you have a corrupted installation. Might just be easier for you to format the whole drive and start fresh? Let me know what you want to do.


Post the fresh malwarebytes log please.
 
johnb35 said:
Well according to these running processes, WINNT represents an earlier installation of Windows 2000.


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\CF26237.exe

If it was pure XP, it would be c:\windows\

I searched online and found an instance where someone reinstalled XP and it changed the old installation to WINNT and the new installation to windows. Its very possible you have a corrupted installation. Might just be easier for you to format the whole drive and start fresh? Let me know what you want to do.


Post the fresh malwarebytes log please.
Click to expand...
Hmm interesting. While this is not my pc so I don't have full knowledge I assumed it was only XP because its a premanufactured PC and has an XP code sticker on it, and the user has always used XP.

But this error didn't occur all the time, although I was never able to complete a full scan.

Is there any way to make this work without a new install? He doesn't totally want to reinstall it. He has all these inventory things set up on it.

EDIT-also doing a full malwarebytes scan ATM and will post results. The one before said it was a vundo trojan and I cleaned it.
 
Here it is-
Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 2

2009-01-10 20:38:27
mbam-log-2009-01-10 (20-38-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138773
Time elapsed: 43 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 22
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Brad\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\WinAntiVirus Pro 2006\Logs (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\EntertainmentMarketingSP (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\JokeSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Pranks (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\SearchAssistPlus (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\SearchMatch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\SearchMatch\searchMatchPages (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Brad\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\WinAntiVirus Pro 2006\Logs\winav.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Layouts\PitchLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Layouts\PitchLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Pranks\PranksOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Pranks\PranksOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\SearchMatch\SearchMatchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\SearchMatch\SearchMatchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brad\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
 
Reboot the computer if you haven't done it already and post a fresh hijackthis log. Also let me know how the computer is running.
 
Seems to be running quite a bit better than it was before, but it is a P4 with 256mb of ram, kinda different compared to the rig I am used to lol.

Here's the log--
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:55, on 2009-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://cam1.aftonalps.com/kxhcm10.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166108547421
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 3564 bytes
 
I also unistalled AVG in order to try to get it out of combofix's way. Now I can't get it back installed, because it says it can't write to the registry.
 
You must log in or register to reply here.
Back
Top