Jakubas Posted August 29, 2010 ID:306523 Share Posted August 29, 2010 My laptop has Windows XP SP2.The virus disabled task manager, regedit and likes to shut down .exe extensions.I've got a HijackThis log :Logfile of HijackThis v1.99.1Scan saved at 11:00:42 PM, on 8/28/2010Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exec:\program files\idt\gatewayxpv_12\wdm\STacSV.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Prevx\prevx.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Prevx\prevx.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\wpabaln.exeC:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winwhtuxk.exeC:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\Katalog tymczasowy 1 dla RootkitRevealer.zip\RootkitRevealer.exeC:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\DO.exeC:\WINDOWS\system32\cmd.exeC:\WINDOWS\system32\chcp.comC:\Documents and Settings\Dark Knight\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Dark Knight\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Dark Knight\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Dark Knight\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exeC:\Program Files\HijackThis\HijackThis.exeO2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exeO7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dllO23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe" /service (file missing)O23 - Service: DO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\DO.exeO23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\gatewayxpv_12\wdm\STacSV.exe Link to post Share on other sites More sharing options...
Jakubas Posted August 29, 2010 Author ID:306524 Share Posted August 29, 2010 I've done 3 malwarebyte's Anti-Malware scans and each time I do a scan I always get the same 5 viruses which i just Quarantined and deleted. It's like they reproduce or something.Here's my malware log:Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4495Windows 5.1.2600 Dodatek Service Pack 2Internet Explorer 6.0.2900.21808/28/2010 11:31:59 PMmbam-log-2010-08-28 (23-31-59).txtScan type: Quick scanObjects scanned: 118867Time elapsed: 4 minute(s), 16 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 5Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System \DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System \DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Jakubas Posted August 29, 2010 Author ID:306525 Share Posted August 29, 2010 Here's and OTS scan log. Link to post Share on other sites More sharing options...
Jakubas Posted August 29, 2010 Author ID:306526 Share Posted August 29, 2010 Here's and OTS scan log.OTS2.Txt Link to post Share on other sites More sharing options...
Jakubas Posted August 29, 2010 Author ID:306527 Share Posted August 29, 2010 GMER LOG:GMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2010-08-29 11:13:43Windows 5.1.2600 Dodatek Service Pack 2Running: 1v98x46e.exe; Driver: C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\fwkcifob.sys---- Kernel code sections - GMER 1.0.15 ----? C:\WINDOWS\system32\drivers\nhmjfn.sys Nie mo?na odnale?? okre?lonego pliku. !---- User code sections - GMER 1.0.15 ----.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[1520] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}---- EOF - GMER 1.0.15 ---- Link to post Share on other sites More sharing options...
noknojon Posted August 29, 2010 ID:306528 Share Posted August 29, 2010 Hi Jakubas and Welcome -You have posted all the right logs , (well done) , but they are in the wrong area - I have highlighted the correct area direct link in RED for you - Just copy and post them there -As we do not work on Malware removal or diagnostics in the general forums please follow these directions -Please print out, read and follow What do I do now? , skipping any steps you are unable to complete. The next step is post a New Topic Here. Malware Removal Forum AreaOne of the expert helpers there will give you one-on-one assistance when one becomes available.After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post - Please allow at least 48 hours for a reply as the experts can get busy at times -Also add a brief note to the experts as to your problems -Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or via This LinkAlways use the ADD REPLY Tab at the bottom of the page when you reply -Thank You - Link to post Share on other sites More sharing options...
all4me123 Posted August 29, 2010 ID:306630 Share Posted August 29, 2010 My laptop has Windows XP SP2.The virus disabled task manager, regedit and likes to shut down .exe extensions.Hello Jakubas and I think I have a soultion for enabling task manager.If the virus doesn't go active in safe mode, go to Safe Mode with Networking.Then go SUPERAntiSpyware and download and install it,After SUPERAntiSpyware launches right click the the picture of a bug (SUPERAntiSpyware system tray icon) and then click View Control Center (Preferences/Options)...Go to Repair and click Enable Task Manager click Perform Repair... and your task manager should be re-enabled. Link to post Share on other sites More sharing options...
all4me123 Posted August 29, 2010 ID:306633 Share Posted August 29, 2010 Then go SUPERAntiSpyware and download and install itSorry add 'to' after 'Then go'. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 29, 2010 ID:306635 Share Posted August 29, 2010 @JakubasPlease stay with the topic in Malware Removal sub-forum. http://forums.malwarebytes.org/index.php?showtopic=61504This topic here is closed. Link to post Share on other sites More sharing options...
Recommended Posts