All sorts of malware/trojan issues I believe (HJT log inside)

2 more things you can do.

Do another hijackthis scan and place a check next to this item and then click on fix checked.

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Another issue I saw was that the computer is running a very old version of Java. Please uninstall any and all old versions using Add/Remove Programs and then install the newest version here.

The owner of the system really should install at least another 512 MB of memory to speed up his system. With it only having 256 MB and most likely having onboard video, that doesn't leave much for the system. That's the main reason the computer is slow.
 
OK So how do I know if I still have stuff floating around?

Just installed Avira AntiVir and it found a TR/Crypt.XPACK.Gen trojan, I think.
Seems like every time I scan I find something new, lol.
 
Well, if ComboFix would work, we would be able to know, but according to the latest HijackThis log, the system is clean. All you need to do is the steps I told you to do in my last post.

Antivirus scanners will usually find something that the anti-malware programs won't, and vice versa. It's always best to run them together.
 
Alrighty well I will run a couple more scans. Hey thanks a lot for your help.
 
Also are you running any firewall software or hardware such as a router? And do you have anti-spyware installed?

I am, but I'm afraid he isn't. I believe it was coming straight out of the modem and his only defense was Windows Firewall, if it was enabled...

I will be putting something on there before I give it back however.
 
For a great firewall I recommend Comodo; I use it myself and it works great.

Also, you need a real-time anti-spyware; keep in mind that Malwarebytes' is only an on-demand scanner unless you pay for the real-time version. For anti-spyware I recommend Spybot Search & Destroy.

Are you running Firefox on this computer? If you aren't, I recommend getting it; it's better than IE by a long shot. Also, if you decide to get Firefox, it's best to get these two add-ons: Adblock Plus and WOT (Web of Trust).
 
Yeah, I know all about Firefox :D

Also, could ComboFix not running right be because I never installed the Recovery Console?

EDIT: So ComboFix just ran and didn't give me that error, but rather at the same spot decided to restart my computer.
And it's trying to post the report; I just got the findstr error again, but I will let it go all night and hopefully it will post up a report so I can be sure this is all gone.
 
Here we go, finally got the log for ComboFix after using recommendations from here.
START
------
ComboFix 09-01-10.02 - Owner 2009-01-10 23:51:44.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.68 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\winnt\system32\userinit.exe was found and disinfected
Restored copy from - c:\winnt\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-10 21:10 . 2009-01-10 21:10 <DIR> d-------- c:\program files\Avira
2009-01-10 21:10 . 2009-01-10 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-10 19:41 . 2009-01-10 19:41 <DIR> d-------- C:\VundoFix Backups
2009-01-10 01:15 . 2009-01-10 01:15 <DIR> d-------- c:\program files\Trend Micro
2009-01-10 00:36 . 2009-01-10 00:36 <DIR> d-------- c:\program files\CCleaner
2009-01-10 00:36 . 2009-01-10 00:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-01-10 00:13 . 2009-01-10 00:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-09 23:45 . 2009-01-09 23:45 <DIR> d-------- c:\documents and settings\Bob Jones\Application Data\Malwarebytes
2009-01-09 23:17 . 2009-01-09 23:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 23:17 . 2009-01-09 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 23:17 . 2009-01-09 23:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-09 23:17 . 2009-01-04 18:41 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-09 23:17 . 2009-01-04 18:41 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-01-09 22:14 . 2003-10-14 15:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-09 22:14 . 2003-11-04 13:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MSN6
2009-01-09 22:14 . 2009-01-10 15:47 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 00:53 --------- d-----w c:\program files\Zinio
2009-01-11 00:53 --------- d-----w c:\program files\Lavasoft
2009-01-11 00:53 --------- d-----w c:\documents and settings\Bob Jones\Application Data\Lavasoft
2008-10-26 16:30 9,182 ----a-w c:\documents and settings\Bob Jones\Application Data\wklnhst.dat
2006-12-03 00:01 77,352 ----a-w c:\documents and settings\Bob Jones\Application Data\GDIPFONTCACHEV1.DAT
2004-04-17 15:18 2,092 ----a-w c:\program files\uninstal.log
2004-03-08 23:35 0 ----a-w c:\documents and settings\Ginny\Application Data\wklnhst.dat
2003-03-31 11:00 94,784 --sh--w c:\winnt\twain.dll
2004-08-04 07:56 50,688 --sh--w c:\winnt\twain_32.dll
2004-08-04 07:56 1,028,096 --sha-w c:\winnt\system32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w c:\winnt\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w c:\winnt\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w c:\winnt\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sha-w c:\winnt\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w c:\winnt\system32\olepro32.dll
2004-08-04 07:56 11,776 --sha-w c:\winnt\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\winnt\Tasks\20080718_182500_Bob Jones3.job
- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-09-12 22:04]

2008-09-25 c:\winnt\Tasks\20080925_171200_Bob Jones6.job
- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-09-12 22:04]

2009-01-03 c:\winnt\Tasks\20080925_172300_Backup My Data.job
- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2006-09-12 22:04]

2009-01-11 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
Notify-nnnnKaBQ - nnnnKaBQ.dll
Notify-qoMeBsSI - qoMeBsSI.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.net
mStart Page = hxxp://www.gateway.net

c:\winnt\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
hxxp://cam1.aftonalps.com/kxhcm10.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 23:57:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\winnt\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-11 0:05:02 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-11 06:04:57

Pre-Run: 40,221,888,512 bytes free
Post-Run: 40,211,107,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

150 --- E O F --- 2008-12-18 09:02:02
-------
END

So did I get it all? lol I have no idea.
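The log above answers "did I get it all?" only partly: ComboFix repaired userinit.exe and removed two randomly named Winlogon Notify DLLs, but the Reg Loading Points section also shows the Security Center overrides set to 1 and EnableFirewall set to 0, which is why nothing on that machine was warning that antivirus and firewall protection were missing. The script below is an added example (not code from the thread or from ComboFix) that pulls those indicators out of a ComboFix-style log so they can be fixed by hand. The registry excerpt is copied from the posted log; the finding messages and the "8 mixed-case letters" heuristic for random-looking DLL names are my own assumptions, not a vendor signature.

```python
import re

# Constructed excerpt: the "Reg Loading Points" and "ORPHANS REMOVED" lines from the
# ComboFix log posted above, copied as they appear there (raw string, so the
# backslashes in registry paths are literal).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
Notify-nnnnKaBQ - nnnnKaBQ.dll
Notify-qoMeBsSI - qoMeBsSI.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
NOTIFY_RE = re.compile(r"^Notify-\S+\s+-\s+(\S+\.dll)$", re.IGNORECASE)
# Heuristic (my assumption, not a vendor signature): an 8-letter, digit-free
# DLL name registered as a Winlogon Notify package; mixed case is checked below.
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def parse_reg_points(text):
    """Map each [key] in the REGEDIT4-style section to its "name"=value pairs.

    Keys are lower-cased because ComboFix prints them in inconsistent case.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries


def dword_value(raw):
    """Normalise ComboFix's two DWORD renderings, 'dword:00000001' and '1 (0x1)', to int."""
    m = re.match(r"dword:([0-9a-fA-F]+)", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    if m:
        return int(m.group(1))
    return None


def triage(text):
    """Return a list of human-readable findings that still need manual follow-up."""
    findings = []
    for key, values in parse_reg_points(text).items():
        if key.endswith("security center"):
            # Either override set to 1 silences the XP Security Center warning.
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if dword_value(values.get(name, "")) == 1:
                    findings.append(f"{name}=1: Security Center will not warn that this protection is missing")
        elif key.endswith("firewallpolicy\\standardprofile"):
            if dword_value(values.get("EnableFirewall", "")) == 0:
                findings.append("EnableFirewall=0: Windows Firewall is switched off in the standard profile")
        elif key.endswith("windows nt\\currentversion\\windows"):
            # An empty AppInit_DLLs is the clean state; anything else loads into every GUI process.
            if values.get("AppInit_DLLs", ""):
                findings.append(f"AppInit_DLLs is populated: {values['AppInit_DLLs']}")
    for line in text.splitlines():
        m = NOTIFY_RE.match(line.strip())
        if m and RANDOM_DLL_RE.match(m.group(1)) and not m.group(1).islower():
            findings.append(f"Winlogon Notify DLL with a random-looking name (removed as orphan): {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against the excerpt it reports five findings: the two Security Center overrides, the disabled firewall, and the two Notify DLLs. The first three are not malware files, so no scanner will "find" them; they are settings that have to be reverted (re-enable the firewall, clear the overrides) or the Security Center stays silent after the next infection. The Notify entries are already gone, but their names are a useful pointer to what to search for in quarantine and in the next HijackThis log.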
 