help with virus removal


Nek

Hello,

I have found Task Manager and regedit hijacks and Security Center disable infections with mbytes. I try to remove them and it asks to restart, which I do, but the infections do not go away. I cannot do it in Safe Mode, as when I try to enter it the PC restarts every time while it is loading.

Please help me.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512

Run by god at 19:10:49 on 2011-09-01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.679 [GMT 8:00]

.

.

============== Running Processes ===============

.

F:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

F:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

F:\WINDOWS\system32\spoolsv.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\RUNDLL32.EXE

F:\WINDOWS\system32\ctfmon.exe

svchost.exe

F:\WINDOWS\system32\nvsvc32.exe

F:\WINDOWS\system32\svchost.exe -k imgsvc

F:\Program Files\Mozilla Firefox\firefox.exe

F:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.6.0_07\bin\ssv.dll

uRun: [CTFMON.EXE] f:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit

dRun: [CTFMON.EXE] f:\windows\system32\CTFMON.EXE

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-system: DisableTaskMgr = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

dPolicies-explorer: NoSMHelp = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

IE: E&xport to Microsoft Excel - f:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - f:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~1\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{A7CD3525-4001-4950-B392-B11941B6AE1C} : DhcpNameServer = 192.168.1.254

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - f:\documents and settings\god\application data\mozilla\firefox\profiles\dap0j08p.default\

FF - prefs.js: browser.startup.homepage - google.com.au

.

============= SERVICES / DRIVERS ===============

.

R3 COMMONFX.SYS;COMMONFX.SYS;f:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;f:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;f:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

R3 dac970nt;dac970nt;\??\f:\windows\system32\drivers\fhplho.sys --> f:\windows\system32\drivers\fhplho.sys [?]

S3 COMMONFX;COMMONFX;f:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]

S3 CTAUDFX;CTAUDFX;f:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;f:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]

S3 CTERFXFX;CTERFXFX;f:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]

S3 CTSBLFX;CTSBLFX;f:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2011-7-4 41272]

.

=============== Created Last 30 ================

.

2011-09-01 08:16:01 -------- d-----w- f:\documents and settings\god\local settings\application data\PCHealth

2011-08-31 03:04:11 -------- d-----w- f:\windows\Crystal

2011-08-31 03:03:43 323584 ------w- f:\windows\Setup1.exe

2011-08-31 03:03:41 73216 ----a-w- f:\windows\ST6UNST.EXE

2011-08-20 15:07:12 -------- d-----w- f:\documents and settings\god\local settings\application data\Ahead

2011-08-19 08:16:54 -------- d-----w- f:\documents and settings\god\local settings\application data\Help

2011-08-17 06:08:06 298496 ----a-w- f:\windows\uninst.exe

2011-08-17 06:08:01 -------- d-----w- f:\documents and settings\god\WINDOWS

2011-08-09 05:42:44 26176 ---ha-w- f:\windows\system32\hamachi.sys

2011-08-04 02:08:55 -------- d-----w- f:\documents and settings\god\local settings\application data\Opera

.

==================== Find3M ====================

.

2011-07-21 06:10:06 107888 ----a-w- f:\windows\system32\CmdLineExt.dll

2011-07-06 11:52:42 41272 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 11:52:42 22712 ----a-w- f:\windows\system32\drivers\mbam.sys

2011-07-05 00:43:12 404640 ----a-w- f:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-04 13:03:25 444952 ----a-w- f:\windows\system32\wrap_oal.dll

2011-07-04 13:03:25 109080 ----a-w- f:\windows\system32\OpenAL32.dll

2011-07-04 13:00:44 691696 ----a-w- f:\windows\system32\drivers\sptd.sys

.

============= FINISH: 19:11:13.98 ===============

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7628

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

1/09/2011 6:23:30 PM

mbam-log-2011-09-01 (18-23-30).txt

Scan type: Quick scan

Objects scanned: 149177

Time elapsed: 1 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
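To show what the DDS and Malwarebytes lines above actually mean for triage, here is a small added example (my code, not DDS, Malwarebytes or the poster's). It reads a pasted DDS "Pseudo HJT Report" and flags the same class of findings Malwarebytes reported in this thread: policy values that lock the user out of Task Manager and regedit, HOSTS entries that point a site at loopback, and services whose driver file DDS could not read (the `[?]` marker). The `u`/`m`/`d` prefix mapping to HKCU/HKLM/default user is the DDS convention as I understand it; the sample input is constructed from lines of the log above, and the script only parses text, it never touches the registry.

```python
"""Triage a pasted DDS 'Pseudo HJT Report' (added example, not DDS or Malwarebytes code)."""
import re

# DDS prefixes each policy line with the hive it was read from (DDS convention).
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

# Policy values that, when set to 1, lock the interactive user out of a repair tool.
# These are the two values Malwarebytes flagged as PUM.Hijack.* in the log above.
LOCKOUT_POLICIES = {
    "DisableTaskMgr": "Task Manager disabled by policy",
    "DisableRegistryTools": "Registry Editor disabled by policy",
}

POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(\w+)\s*=\s*(-?\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]+);(.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def triage_dds(text):
    """Return a list of (severity, detail) tuples for the DDS report text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()

        m = POLICY_RE.match(line)
        if m:
            hive, section, name, value = m.groups()
            if name in LOCKOUT_POLICIES and int(value) == 1:
                path = f"{HIVE[hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\{section}\\{name}"
                findings.append(("high", f"{path} = 1: {LOCKOUT_POLICIES[name]}"))
            continue

        # DDS only lists HOSTS entries that differ from the default file, so any
        # entry mapping a name to loopback is a deliberate block of that site.
        m = HOSTS_RE.match(line)
        if m:
            target, host = m.groups()
            if target in LOOPBACK:
                findings.append(("high", f"HOSTS maps {host} to {target}: access to that site is blocked"))
            continue

        # '[?]' at the end of a service line means DDS could not read the driver file.
        m = SERVICE_RE.match(line)
        if m:
            _state, svc, _display, rest = m.groups()
            if rest.rstrip().endswith("[?]"):
                path = rest.split("-->")[-1].replace("[?]", "").strip()
                findings.append(("review", f"service {svc}: driver file {path} could not be read by DDS"))
    return findings


# Constructed sample, copied from the DDS log in this thread.
SAMPLE_DDS = r"""
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: DhcpNameServer = 192.168.1.254
Hosts: 127.0.0.1 www.spywareinfo.com
R3 dac970nt;dac970nt;\??\f:\windows\system32\drivers\fhplho.sys --> f:\windows\system32\drivers\fhplho.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2011-7-4 41272]
"""

if __name__ == "__main__":
    for severity, detail in triage_dds(SAMPLE_DDS):
        print(f"[{severity}] {detail}")
```

Run against the sample it reports the two policy lockouts and the HOSTS block as high, and the `[?]` driver as something to review rather than as malicious: the marker only tells you DDS could not stat the file, which is why the helpers in these threads ask for a fresh DDS log after each cleanup step to see whether the same entries come back.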

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

  • 4 weeks later...
  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
