HijackThis log - PC has major problems

John McKenna

New Member
The first error message is more than likely caused by the rootkit. Most rootkits use drivers to hide themselves.

The second error message seems related to RAM which may or may not be faulty hardware.

Do you have access to another machine that you could download SDFix to and transfer it to your own machine via a USB pen or CD?
 

Paul4763

New Member
I do; I'm using a perfectly fine computer to make all these posts, but with the faulty computer, when I turn it on it's only a matter of time before the blue screen error messages come up. Even if I did use a USB pen or CD, it would probably crash before I could install it.
 

Paul4763

New Member
SDFix: Version 1.103

Run by Administrator on Sun 09/09/2007 at 11:16 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
new_drv
NtmlSvc

ImagePath:
\??\C:\WINDOWS\new_drv.sys
%SystemRoot%\System32\svchost.exe -k netsvcs

new_drv - Deleted
NtmlSvc - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550v - Deleted after Reboot
Service xpdx - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\new_drv.sys - Deleted
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - Deleted
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - Deleted
C:\d.exe - Deleted
C:\WINDOWS\9129837.exe - Deleted
C:\WINDOWS\system32\cookie.dat - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\mcacr.dll - Deleted
C:\WINDOWS\system32\ps.dat - Deleted
C:\WINDOWS\system32\win32.exe - Deleted
C:\WINDOWS\Temp\$_2341233.TMP - Deleted
C:\WINDOWS\Temp\$_2341234.TMP - Deleted
C:\WINDOWS\Temp\$b17a2e8.tmp - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\system32\drivers\asc3550v.sys - Deleted


Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\TEMP\\win68.tmp.exe"="C:\\WINDOWS\\TEMP\\win68.tmp.exe:*:Enabled:win68.tmp"
"C:\\WINDOWS\\system32\\VT100.EXE"="C:\\WINDOWS\\system32\\VT100.EXE:*:Enabled:VT100 Emulator"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\System Volume Information\_restore{440C682E-13DA-47AD-A06D-E09F5E2B572E}\RP175\A0023925.EXE
C:\System Volume Information\_restore{440C682E-13DA-47AD-A06D-E09F5E2B572E}\RP177\A0024989.EXE
C:\WINDOWS\system32\1033v.exe
C:\WINDOWS\system32\3076d.exe
C:\WINDOWS\system32\aaaamonv.exe
C:\WINDOWS\system32\acctresr.exe
C:\WINDOWS\system32\alrsvcb.exe
C:\WINDOWS\system32\appwizh.exe
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\hgjlm.tmp

Finished!





When ComboFix finished it said it was unable to open the log file, but there are 2 Notepad files; they're probably not the log file, but I'll post them anyway:

ComboFix 07-09-09.4 - "default" 2007-09-09 11:50:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.218 [GMT 1:00]
* Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
Rootkit driver msguard is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
msguard ...... driver unloaded successfully.
ADS - ntoskrnl.exe: deleted 75046 bytes in 4 streams.
/wow section - STAGE 3
/wow section - STAGE 6
/wow section - STAGE 6A
/wow section - STAGE 7
/wow section - STAGE 8
/wow section - STAGE 11
/wow section - STAGE 15
/wow section - STAGE 16
/wow section - STAGE 25

And the other:

Files to delete:
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
 

John McKenna

New Member
Open notepad (Start > Run and type notepad) and copy/paste the text in the quote box below to it:

Code:
File::
C:\WINDOWS\system32\1033v.exe
C:\WINDOWS\system32\3076d.exe
C:\WINDOWS\system32\aaaamonv.exe
C:\WINDOWS\system32\acctresr.exe
C:\WINDOWS\system32\alrsvcb.exe
C:\WINDOWS\system32\appwizh.exe
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\hgjlm.tmp

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\TEMP\\win68.tmp.exe"=-
"C:\\WINDOWS\\system32\\VT100.EXE"=-

Save this as "CFScript"

CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe

Run ComboFix again and post the resultant log file please with a fresh HJT log.

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Paul, do you use this machine for any financial dealings like online banking or PayPal?
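The reason the CFScript above strips win68.tmp.exe and VT100.EXE from the firewall's allowed-programs list is visible in the SDFix "Authorized Application Key Export" in the earlier post. This added example (my code, not SDFix's, ComboFix's or anything posted in the thread) parses that export format, flags entries a cleaner would question, and renders them in the Registry:: form CFScript uses; the sample export is constructed in the same layout as the one posted, and the KNOWN_GOOD allowlist is an assumption for the sample, not a list from the thread.

```python
import re

# Constructed sample in the layout of the SDFix "Authorized Application Key
# Export" (the Windows XP SP2 firewall allowed-programs list).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\WINDOWS\\TEMP\\win68.tmp.exe"="C:\\WINDOWS\\TEMP\\win68.tmp.exe:*:Enabled:win68.tmp"
"C:\\WINDOWS\\system32\\VT100.EXE"="C:\\WINDOWS\\system32\\VT100.EXE:*:Enabled:VT100 Emulator"
'''
ENTRY_RE = re.compile(r'^"(?P<raw>[^"]+)"="(?P<value>[^"]*)"$')
# Assumed allowlist for this sample: binaries we accept inside the Windows directory.
KNOWN_GOOD = {"sessmgr.exe", "msnmsgr.exe", "livecall.exe", "msmsgs.exe"}

def parse_export(text):
    """Return one dict {key, raw, path, scope, state, label} per authorized app."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # registry key the following values live under
            continue
        m = ENTRY_RE.match(line)
        if not m or not m.group("value").startswith(m.group("raw")):
            continue
        # Value is "<path>:<scope>:<state>:<label>"; skip the path prefix first so
        # the colon in the drive letter is not taken as a field separator.
        scope, state, label = m.group("value")[len(m.group("raw")) + 1:].split(":", 2)
        entries.append({"key": key, "raw": m.group("raw"), "scope": scope,
                        "path": m.group("raw").replace("\\\\", "\\"),  # unescape .reg form
                        "state": state, "label": label})
    return entries

def suspicious(entry, known_good=KNOWN_GOOD):
    """Reasons an allowed-program entry deserves a second look (empty list if none)."""
    p = entry["path"].lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a temp directory")
    if ".tmp.exe" in name:
        reasons.append("temp-file name on an executable")
    if ("\\windows\\" in p or "\\system32\\" in p) and name not in known_good:
        reasons.append("unrecognised program inside the Windows directory")
    return reasons

def cfscript_registry_section(entries):
    """Render flagged entries as a CFScript Registry:: block; "=-" deletes the value."""
    flagged = [e for e in entries if suspicious(e)]
    if not flagged:
        return ""
    lines = ["Registry::"]
    for key in dict.fromkeys(e["key"] for e in flagged):
        lines.append("[" + key + "]")
        lines += ['"%s"=-' % e["raw"] for e in flagged if e["key"] == key]
    return "\n".join(lines)
```

Run on the sample, the output reproduces the two `=-` lines of the script above while leaving the Messenger and sessmgr.exe entries alone.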
 

Paul4763

New Member
Not recently for financial dealings, but it has been used in the past; it's been a few weeks, months maybe, since the last time. Why do you ask, is there a problem?
 

Paul4763

New Member
Ok, here's the deal. I did what you said, dragging the script onto ComboFix; my computer rebooted and then ComboFix started up and it was on the scanning screen for a very long time. And now when I boot up the computer it says it can't find "service.exe" and nothing functions. So I start up Windows in safe mode, and ComboFix doesn't appear in safe mode. This computer is seriously damaged. Let me ask you, is it worth trying to remove the infections and going through all this? Or would formatting be the best way forward? The computer has been formatted a few times, but I can't format this one by normal means: it says at the start "Press F10 for System Recovery", I do so but nothing happens. How would I go about it? Do I need a format disc and XP disc and stuff, or should I just get the files I need off it and take it to a repair shop or something? Or is this computer actually fixable? Are we close to removing all the infections or not?
 

Jabes

banned
If you're infected pretty bad then I would just save your files and then put in your XP disk (you have XP, right?) and then just boot off of it.
 

John McKenna

New Member
As I said, Paul, if this were my machine I'd format it without a second thought. There is no guarantee we could remove all the malware or reverse the damage already done and, by the looks of it, present for some time.

Do you have an XP CD-ROM or Manufacturers System Recovery disk?

Are you able to save your important data while in safe mode to removable storage?
 