I think I am in deep trouble


Hey,

Great forum, I watched it in the past and used some of the repairs and recommendations! But now I think I do have a more serious problem.

I cannot access the internet (I do not even get the screen; it shows for a fraction of a second and disappears momentarily) and it turns out that part of the services can't be started (rpcc for instance). I do use the laptop of my wife now to connect to the outer world.

I can not run mbam anymore (it gives a runtime error 372 failed to load vbalgrid from vbalsgrid.ocx etc), but I was able to run HJT (yesterday) and I will add that here.

You will see some words in Dutch for I am using Windows XP in the Dutch version (I am originally from Holland but now living in the USA).

I hope you will have some suggestions, good luck!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:02:48 PM, on 1/26/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\netdde.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\clipsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

H:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Rmn plugin - {47D92EB6-E52C-4cda-92A6-2369963F4913} - (no file)

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [b071c38c] rundll32.exe "C:\WINDOWS\system32\exbddbap.dll",b

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O10 - Broken Internet access because of LSP provider 'ghkl.dll' missing

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.polkrod.com/view/tiffx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179088510531

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: xrcxhe.dll,avgrsstx.dll,

O21 - SSODL: leorop - {1843A5BD-F649-4D42-BD28-6DE9098B57A0} - (no file)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AvgServ - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\130265.exe (file missing)

O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\14958937.exe (file missing)

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\TEMP\124781.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 7896 bytes


  • Root Admin

If possible burn the tools to a CD and copy them to the affected computer.

On the affected PC please click on START - RUN and type in MSCONFIG and make sure it's set to NORMAL

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only" and place a check mark on the following items.

  • F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
  • O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
  • O4 - HKLM\..\Run: [b071c38c] rundll32.exe "C:\WINDOWS\system32\exbddbap.dll",b
  • O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  • O20 - AppInit_DLLs: xrcxhe.dll,avgrsstx.dll,
  • O21 - SSODL: leorop - {1843A5BD-F649-4D42-BD28-6DE9098B57A0} - (no file)

Then quit all browsers, including the one you're reading this in now.

Then click on Fix checked and then quit HJT.

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
  • DO NOT click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
  • Click OK and quit the GMER program.

If you can download and burn a CD it may be faster to download and burn this tool and use it to do some basic cleanup.

Then we can use other tools as needed to finish up.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

      • repair a damaged system,
      • rescue data,
      • scan the system for virus infections.

    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.
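As an added example (not code from this thread or from the Malwarebytes helper), the checks the helper applied by hand to the HijackThis log above can be written as a small triage script: it flags random-named Run values, unrecognised AppInit_DLLs, orphaned SSODL entries, services whose binary sits under TEMP, and the O10 line about the missing LSP DLL, which is what breaks every socket-using program and so accounts for the "no Internet" symptom. The AppInit allowlist and the sample lines (copied from the first log in this thread) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis v2.0.2 log posted at the
# top of this thread, reduced to the sections the triage rules below inspect.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [b071c38c] rundll32.exe "C:\WINDOWS\system32\exbddbap.dll",b
O10 - Broken Internet access because of LSP provider 'ghkl.dll' missing
O20 - AppInit_DLLs: xrcxhe.dll,avgrsstx.dll,
O21 - SSODL: leorop - {1843A5BD-F649-4D42-BD28-6DE9098B57A0} - (no file)
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\130265.exe (file missing)
O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\14958937.exe (file missing)
"""

# Assumed allowlist: AppInit_DLLs entries belonging to software known to be installed.
# On the machine in this thread that is AVG 8's avgrsstx.dll; anything else gets reviewed.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why a defender should look at this entry
    line: str     # the original log line


HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
LSP_MISSING = re.compile(r"LSP provider '(?P<dll>[^']+)' missing")


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec == "O4":
        run = RUN_ENTRY.search(body)
        if run and re.fullmatch(r"[0-9a-f]{8}", run.group("name")):
            # Legitimate software names its Run value; droppers often use a random
            # 8-hex-digit name (the [b071c38c] entry the helper asked to fix).
            return Finding(sec, "Run value named with 8 random hex digits", line)
        cmd = run.group("cmd").lower() if run else ""
        if "rundll32.exe" in cmd and "\\system32\\" in cmd:
            return Finding(sec, "rundll32 loading a DLL straight from system32", line)

    elif sec == "O10":
        lsp = LSP_MISSING.search(body)
        if lsp:
            # A Winsock LSP whose DLL is gone breaks every program that opens a socket.
            return Finding(sec, f"Winsock LSP chain references missing {lsp.group('dll')}", line)

    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        unknown = [d for d in dlls if d.lower() not in KNOWN_APPINIT_DLLS]
        if unknown:
            # AppInit_DLLs are injected into every process that loads user32.dll.
            return Finding(sec, "AppInit_DLLs loads unrecognised DLL(s): " + ", ".join(unknown), line)

    elif sec == "O21" and "(no file)" in body:
        # ShellServiceObjectDelayLoad entries are loaded by Explorer at logon;
        # a non-Microsoft entry whose file is gone is a leftover hook to remove.
        return Finding(sec, "orphaned ShellServiceObjectDelayLoad entry", line)

    elif sec == "O23":
        svc = SERVICE.match(body)
        if svc and "\\temp\\" in svc.group("path").lower():
            # Real services do not live in %WINDIR%\TEMP; these also borrow the names of
            # built-in services (dmadmin, RasMan) to blend in.
            return Finding(sec, "service binary located under a TEMP directory", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line of an HJT log through check_line and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line.strip()}")
```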


Hello AdvancedSetup,

Thanks for the fast reply, I had to go to the dentist so it took me some time to do what you recommended.

I opened HJT and fixed the lines you have given.

Next I ran GMER and that gave the following results:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-28 15:34:14

Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.14 ----

Then I copied the Avira stuff on a CD, but I can not copy it on my bad computer. Maybe a stupid question, but how do I boot from the CD?

Thanks in advance


  • Root Admin

It depends on the computer you have. What MFG, and model?

Typically most show a quick screen when it boots for stuff like BIOS, MENU, SETUP, etc and provide a key like F2, F10 etc to choose.

If you know how to get into the BIOS it can be set in there to have the CD boot first instead of the hard drive.


Yep, I was able to go into BIOS by pressing F1 (or DEL); I changed all the boot drives (3) to start at the CD drives.

However when I started the computer it gave the following message: disk boot failure, insert system disk and press enter

I am using a CD-R and both the programs you mentioned are on it (GMER and Avira rescue); does that cause the problem?

This was my last clean CD so I think I have to get new ones (and then the rewritables).

Thanks for your patience.


I am probably doing something stupidly wrong.

When I try to save the program on the CD-R it is OK, but at the end it asks me to burn it on the CD-R, so yes, I am using a tool to burn it on the CD-R.

When I just double-click the Avira program it starts downloading but apparently it doesn't really burn it directly on the CD-R.

Sorry I am pretty illiterate in this department.


Hey AdvancedSetup,

I was finally able to burn the Avira program and I do have now a bootable disk. I ran it on the infected computer and scanned for viruses and tried to repair the stuff.

It had the following messages:

records 14

suspected files 0

warnings 625

I tried to restart the computer in normal mode; that went well, but still a lot of services are not running (and can not be started). The Internet is not running either.

What next?


  • Root Admin

Please see if you can run MBAM now or not. Try renaming the installer to a different name and see if it will install and run.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT, Do a system scan, and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order, please.

If it will not then try to download this program and burn to CD and copy to the infected computer.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Hello AdvancedSetup,

When I run MBAM it gives the following message:

Run-time error 372, failed to load vbalGrid from vbalsgrid6.ocx your version of vbalsgrid6.ocx may be outdated.

When I reinstalled the MBAM under different name it gave the same message.

I downloaded and burned the MBAM fresh on a cd and removed the old one from the infected computer.

At the installation of the newly downloaded MBAM I got the same message about vbalsgrid6.ocx.

I could run HJT by the way and add the logfile here.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:18:37 PM, on 1/31/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\netdde.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\clipsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Hello\Hello.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\PROGRA~1\AVG\AVG8\avgscanx.exe

H:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Rmn plugin - {47D92EB6-E52C-4cda-92A6-2369963F4913} - (no file)

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')

O4 - HKUS\S-1-5-21-375612493-2163411867-2876842818-1007\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O10 - Broken Internet access because of LSP provider 'ghkl.dll' missing

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.polkrod.com/view/tiffx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179088510531

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AvgServ - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\130265.exe (file missing)

O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\14958937.exe (file missing)

O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\TEMP\124781.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 8304 bytes

I did not go to the Combofix yet I wanted to have your opinion first.


Dear AdvancedSetup,

Remember I do not have an internet connection with the infected computer, so I cannot download and save the ComboFix program on the infected computer. I burned ComboFix on CD but it doesn't run on the bad machine.

Have fun today!!


  • Root Admin

Yes I understand but burning tools to a CD and copying them to the affected system is fine and what needs to be done.

So, just to confirm. You copied combofix.exe to the DESKTOP of the running system and it did not work.

1. Did you try renaming the file to another name?

2. Did you start in SAFE MODE and copy combofix.exe to the DESKTOP and try running it?

3. Did you try renaming it in SAFE MODE and running it from the desktop?

If yes to all of the above and it still would not run, then please download and burn this tool to a CD and copy it over to the affected system.

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name.
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


Hey AdvancedSetup,

Sorry for the delay but today was my volunteer day at "Habitat for Humanity".

When I start ComboFix in normal mode it gives an error in prep.com; after renaming and running again, the same message.

BUT I was able to run ComboFix in safe mode (because of no internet I was able to install the recovery console).

The logfile I add here: (stupid I didn't think to do this in safe mode myself).

ComboFix 09-02-02.04 - Rolf van den Berg 2009-02-03 15:30:18.1 - NTFSx86 MINIMAL

Gestart vanuit: G:\ComboFix.exe

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Cookies\MM2048.DAT

c:\documents and settings\Administrator\Cookies\MM256.DAT

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\setup.exe

c:\windows\Readme.txt

c:\windows\search_res.txt

c:\windows\system32\bb1.dat

c:\windows\system32\cookie1.dat

c:\windows\system32\mcrh.tmp

c:\windows\system32\rtc.dat

c:\windows\system32\sirenacm(2).dll

c:\windows\system32\sirenacm(3).dll

c:\windows\system32\wtsit.exe

----- BITS: Mogelijk ge


Hello AdvancedSetup,

Thanks for the mail and I tried to do what you recommended.

I downloaded the subinacl.msi file but I cannot run it on the infected machine. The Windows Installer is not available, service is not started.

When I go to services and try to start wnauserv it gives error code 0x800706ba, the RPC server is not available.

When I try to start the RPC service is gives error 1058, cannot start the service.

So I am in a loop here??

I saved the file you wrote as a batch file; I can run it on the infected computer but I think I first need the other Microsoft file I couldn't run.

You asked me to edit the code you gave but I have no idea where to find the name etc??

Thanks so far, GREAT forum!!!!


Hello AdvancedSetup,

I downloaded the file you gave me, but I am not able to copy the file on the infected computer. I can only make connection on the desktop but the program stays on the resource drives so I can not copy it to the C:\WINDOWS folder.

I tried to copy it from a cd and also from a usb drive but it looks like the copy function in windows doesn't work.

Also running in safe mode gave the same result.

I can copy in some other programs like Notepad and Word!!

By the way, only the Windows XP version I use on that machine is in Dutch, and it is not really all in Dutch, for quite some additional Windows programs are in English and there seems to be no difference in running them. So it is nicely mixed up but I never encountered a problem with that.

The CMD/DOS box is running in English only.

You know I am not a computer expert (yet), but what names do you mean have to be changed in the script you provided me with?

There are 3 names (or users I am not sure) and none of them are password protected.

In the safe mode it gives : Administrator - Rolf van den Berg - Joelle

In the normal working mode it is : Rolf van den Berg - Joelle.

I think you can probably make sense of this.

Thanks so much.


  • Root Admin

At this point I really think this tool is the BEST solution. If at all possible you should try to use it.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

      • repair a damaged system,
      • rescue data,
      • scan the system for virus infections.

    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Rescue CD screen resolution problem

Please see the post here if you're unable to view the entire screen of Avira.


Hello AdvancedSetup,

I downloaded and burned the Avira Rescue file on a new cd and used this bootable cd to start the infected computer.

I didn't have any screen resolution problems.

I scanned ALL files and even tried to copy and save the log file, but I have not the slightest idea where it is.

But I studied the log file and it came up with a lot of warnings (622) and 14 Alerts.

I looked at these alerts and they can be divided as follows:

- is the Trojan Horse TR/Crypt.XPack.Gen (this has a count of 4x)

- is the Trojan Horse TR/Drop.Agent.apc (1x)

- is the Trojan Horse TR/Start Page.ET (8x)

- contains detection pattern of Ad- or Spyware ADSPY/Viewpro (1x)

I looked at the warnings a little too, but I think they are not as alarming as these alerts.


  • Root Admin

Good, that hopefully should have corrected most of the problems.

Please try the following again.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT, Do a system scan, and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order, please.


Hey AdvancedSetup,

I tried to update and run the mbam program, but at installing the mbam program it gives the following error message:

runtime error 372 failed to load control vbalgrid from vbalsgrid6.ocx

The same message I get when I use the mbam program which is already on the infected computer.

I checked both the versions and they are the same (version 1.33.0.0)

I also gave the newly downloaded program a different name, but at setup it gives the same error code.

Next I tried to reset the ocx file in C:\Program Files\Malwarebytes' Anti-Malware with the regsvr32 vbalsgrid6.ocx command; it mentions the action is successful but MBAM will still not run and gives the same error code.

Thanks so far!!

