Virus? I need some help please.

Hdk20

New Member
My computer started to act funny; it started changing passwords to things.


Malwarebytes' Anti-Malware 1.37
Database version: 2234
Windows 5.1.2600 Service Pack 2

6/5/2009 4:19:04 PM
mbam-log-2009-06-05 (16-19-04).txt

Scan type: Quick Scan
Objects scanned: 78293
Time elapsed: 1 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\NoAdware (Rogue.NoAdware) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\NoAdware\noadware4_032609.na (Rogue.NoAdware) -> Quarantined and deleted successfully.
c:\program files\NoAdware\nutilities.dll (Rogue.NoAdware) -> Quarantined and deleted successfully.
 

Hdk20

New Member
Here's the ComboFix log...


ComboFix 09-06-05.03 - Administrator 06/05/2009 16:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2660 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Live\Messenger\msnmsgr.exe
c:\windows\system32\Drivers\sptd.sys
I:\Desktop.ini

c:\windows\system32\proquota.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 21:16 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-05 21:16 . 2009-06-05 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-05 21:16 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-28 20:23 . 2009-05-28 20:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\KALiNKOsoft
2009-05-28 20:21 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-05-28 20:21 . 2009-05-28 20:23 119296 ----a-w- c:\windows\system32\zlib.dll
2009-05-28 20:21 . 2008-01-14 00:59 36864 ----a-w- c:\windows\system32\dxinputdll.dll
2009-05-28 20:21 . 2008-01-13 21:36 91632 ----a-w- c:\windows\system32\dsofile.dll
2009-05-28 20:21 . 2003-01-26 18:41 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-05-28 20:21 . 1999-05-17 18:55 57344 ------w- c:\windows\system32\ADsSecurity.dll
2009-05-28 20:07 . 2007-06-01 00:30 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2009-05-28 20:07 . 2007-06-01 00:29 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2009-05-28 20:07 . 2007-05-16 21:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2009-05-28 20:07 . 2007-05-16 21:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2009-05-28 20:07 . 2007-05-16 21:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2009-05-28 20:07 . 2007-04-04 23:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-05-28 20:07 . 2007-03-15 21:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2009-05-28 20:07 . 2007-03-12 21:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2009-05-28 20:07 . 2007-03-12 21:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2009-05-28 20:07 . 2007-01-24 20:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2009-05-28 20:06 . 2009-05-28 20:40 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-28 20:06 . 2009-05-28 20:06 22328 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2009-05-28 20:06 . 2009-05-28 20:40 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-05-28 20:06 . 2009-05-28 20:08 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-28 19:57 . 2009-05-28 19:57 -------- d-----w- c:\program files\Activision
2009-05-28 19:56 . 2009-05-28 19:56 -------- d-sh--w- c:\windows\ftpcache
2009-05-09 00:39 . 2009-06-05 21:22 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-05-09 00:39 . 2009-05-09 00:39 -------- d-----w- c:\program files\Microsoft
2009-05-09 00:38 . 2009-05-09 00:38 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-09 00:38 . 2009-05-09 00:39 -------- d-----w- c:\program files\Windows Live
2009-05-09 00:37 . 2009-05-09 00:37 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 21:13 . 2008-11-30 22:26 34 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2009-05-28 20:21 . 2008-11-29 05:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-25 20:41 . 2009-01-16 20:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-05-18 15:01 . 2008-12-21 23:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-05-17 22:04 . 2009-03-01 23:29 -------- d-----w- c:\program files\LimeWire
2009-05-09 00:39 . 2008-12-21 22:57 51224 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-27 00:03 . 2008-11-29 04:14 -------- d-----w- c:\program files\Java
2009-04-27 00:03 . 2009-04-27 00:02 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-12 02:01 . 2008-12-21 20:49 -------- d-----w- c:\program files\Common Files\AOL
2009-04-12 01:51 . 2009-01-20 00:53 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-03-27 20:46 . 2009-03-27 20:46 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-03-23 02:20 . 2009-03-23 02:20 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 10:19 . 2008-12-12 18:52 410984 ----a-w- c:\windows\system32\deploytk.dll
.

------- Sigcheck -------

[-] 2006-12-18 19:04 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\system32\user32.dll

[-] 2006-12-18 19:04 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\system32\wininet.dll

[-] 2006-12-30 09:26 360576 504C18ABFB3E6B0B8CACBE0BA3A5C63A c:\windows\system32\drivers\tcpip.sys

[-] 2006-12-18 19:04 2015232 2B6DCEB39E160AA37B141E59C81B2427 c:\windows\system32\ntkrnlpa.exe

[-] 2006-12-18 19:04 2135552 34CABA7B91DD6A9208A5A612F87D05A6 c:\windows\system32\ntoskrnl.exe

[-] 2004-08-04 10:00 949760 9BE29C2873DF44DD301EC57EEE9A6440 c:\windows\explorer.exe
[7] 2004-08-04 10:00 1032192 A0732187050030AE399B241436565E64 c:\windows\XPize\Backup\explorer.exe

[-] 2004-08-04 10:00 30208 DE8FA9CF18F95341079C7E6A215C226A c:\windows\system32\ctfmon.exe
[7] 2004-08-04 10:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\XPize\Backup\ctfmon.exe

[-] 2006-12-18 19:04 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\system32\spoolsv.exe

[-] 2006-12-18 19:03 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 30208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-07 17421824]
"StandardKeyboard"="KBDaemonA.exe" - c:\windows\system32\KBDaemonA.exe [2004-11-26 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-12-18 12451]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2004-08-04 99840]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2004-08-04 99840]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

S3 KBNTXP;Standard PS/2 Multi-Keyboard Filter Driver for WinXp;c:\windows\system32\drivers\KBNTXP.sys [3/30/2009 9:01 AM 7296]

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
ShellHWDetection
helpsvc
wuauserv
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job
- E:\setup.exe [2007-10-04 07:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windowsue.com/
uLocal Page = \blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e9n3ee1n.default\
FF - plugin: c:\mozilla firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 16:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-05 16:26
ComboFix-quarantined-files.txt 2009-06-05 21:26
ComboFix2.txt 2009-01-16 20:24

Pre-Run: 284,169,519,104 bytes free
Post-Run: 284,271,144,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

Respital

Active Member
I'd say this is worth a try.

Please download HostsXpert.

  • Extract the HostsXpert.zip by doing the following:
    • Right-click HostsXpert.zip and select extract all – Follow the wizard and extract it to your Desktop
    • Click Finish, double-click the HostsXpert folder and then double-click HostsXpert.exe
  • Press Restore MS Hosts File and press OK.
  • Exit the program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
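The "Restore MS Hosts File" step above swaps the current hosts file for the stock one, and the note warns that any custom entries are lost in the process. As an added example (it is not part of the thread and is not HostsXpert's own code), the Python script below does the same two things in a way you can inspect first: it classifies every mapping in a hosts file as the stock localhost line, a hostname pinned to loopback (which makes that site silently fail to resolve), a hostname redirected to another address, or a malformed line; then it restores the stock file after backing the current one up beside itself, so custom entries can be re-added from the backup. The XP hosts path, the stock file content and the sample tampered hosts file are all assumptions constructed for the example.

```python
"""Audit a Windows hosts file for non-stock entries and restore the stock file
with a backup. Added example, not code from the thread or from HostsXpert."""
import ipaddress
import shutil
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# Stock hosts content (constructed; trimmed to the single mapping XP ships with).
DEFAULT_HOSTS = (
    "# Hosts file restored to the stock mapping. Re-add any custom entries\n"
    "# you relied on yourself.\n"
    "127.0.0.1       localhost\n"
)

# Assumed default location on an XP box; pass a different Path if yours differs.
XP_HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

LOOPBACK = {"127.0.0.1", "::1"}


class Finding(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    kind: str  # "default", "blocked", "redirected" or "malformed"


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for each non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield line_no, parts[0], parts[1:]


def audit_hosts(text: str) -> List[Finding]:
    """Classify every mapping in a hosts file.

    default    -> loopback to "localhost", the only line in the stock file
    blocked    -> a real hostname pinned to loopback, so it silently fails to
                  resolve (how a machine gets cut off from update and
                  security-vendor sites)
    redirected -> a hostname pointed at some other address
    malformed  -> not a parseable address/hostname pair
    """
    findings: List[Finding] = []
    for line_no, ip, names in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(line_no, ip, " ".join(names), "malformed"))
            continue
        if not names:
            findings.append(Finding(line_no, ip, "", "malformed"))
            continue
        for name in names:
            if ip in LOOPBACK and name.lower() == "localhost":
                kind = "default"
            elif ip in LOOPBACK:
                kind = "blocked"
            else:
                kind = "redirected"
            findings.append(Finding(line_no, ip, name, kind))
    return findings


def non_default(findings: List[Finding]) -> List[Finding]:
    """Everything that would be lost or removed by restoring the stock file."""
    return [f for f in findings if f.kind != "default"]


def restore_default_hosts(path: Path = XP_HOSTS_PATH) -> Path:
    """Back up the current hosts file beside itself (hosts.bak) and write the
    stock content. Returns the backup path so custom entries can be recovered."""
    backup = path.with_name(path.name + ".bak")
    if path.exists():
        shutil.copy2(path, backup)
    path.write_text(DEFAULT_HOSTS)
    return backup


def restore_round_trip(original_text: str) -> bool:
    """Exercise restore_default_hosts on a scratch copy. True if the backup
    preserved the original and the live file now holds the stock content."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = Path(tmp) / "hosts"
        hosts.write_text(original_text)
        backup = restore_default_hosts(hosts)
        return backup.read_text() == original_text and hosts.read_text() == DEFAULT_HOSTS


# Constructed sample resembling a tampered XP hosts file (not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test   # constructed: vendor site pinned to loopback
10.0.0.5        www.example-bank.test    # constructed: redirected elsewhere
not-an-ip       whatever.test
"""

if __name__ == "__main__":
    for f in non_default(audit_hosts(SAMPLE_HOSTS)):
        print(f"line {f.line_no}: {f.kind:10} {f.ip:15} {f.hostname}")
    print("restore round trip ok:", restore_round_trip(SAMPLE_HOSTS))
```

Run the audit first and keep the printed list; after `restore_default_hosts()` the only line left is the localhost mapping, and anything you deliberately had in there comes back from the `.bak` copy. Lines classified as "blocked" or "redirected" that you did not add yourself are the ones worth looking at before deciding the machine is clean.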
 

linf

New Member
Hijack.ControlPanelStyle

I found the only way to get rid of this hijacker is to use Malwarebytes in Safe Mode to remove it. I also delete all cookies, Temporary Internet Files, and clear all temp folders. Does anybody have any idea where it is coming from?
