[Pending] HJT Logs - Got attacked yesterday! (PC Help Forum » Security & Safety)
#1  09-20-2009  manders01 (Bronze Member, joined Sep 2006, 77 posts, PC Experience: PC Illiterate)
Got attacked yesterday!

Police virus pro and one other "Anti-Virus" claiming to be a Windows product overran my computer yesterday! I'm running XP-Pro with Malwarebytes and Avira, but neither program, when I could run them, stopped the attack.

As of right now, I cannot open any desktop icons with the exception of Firefox. I cannot do a system restore, run Malwarebytes or Avira, nothing works. When I click on the icon, any icon, it asks me what I want to open the program with. It all seems to revolve around the files ending in .EXE.

Now, I don't speak computerese, so please be gentle.. lol. I've tried following the guidelines for the "prework" but again I can't open any of the files or unzip anything to get the needed logs. I can't even get to the last Malwarebytes log that I ran after the attack.

So angry right now that I'm about this close ---> <--- to running the boot-n-nuke disk I have sitting here.

Where do I start?

Last edited by vger; 09-20-2009 at 04:34 PM.
#2  09-20-2009  vger (Mod/Tech Support Staff, joined Oct 2007, 3,727 posts, Location: second star to right, and straight on till morning, PC Experience: I will learn this stuff if it kills me)
Re: Got attacked yesterday!

Hello manders01, our security staff will be with you as soon as possible... thanks for your patience.
__________________
esse quam videri / PCHF WCG Team...
Voodoostarz / PCHF Rules / Prework
Found an answer elsewhere; please share!
If you need help; just ask!
#3  09-20-2009  manders01 (Bronze Member, joined Sep 2006, 77 posts, PC Experience: PC Illiterate)
Re: Got attacked yesterday!

Thanks vger, no problem at all. I'll be away from the PC most of the afternoon anyway.
#4  09-20-2009  Wolfeymole (Tech Support Team, joined Nov 2006, 6,814 posts, Location: In the Slaughtered Lamb having a pint., PC Experience: Smarter than the average Bear)
Re: Got attacked yesterday!

What operating system disk do you have Manders?

Is the XP disk a Recovery disk made from a Recovery partition on the hard drive?
__________________
If PCHF has helped you please consider a donation by clicking this link: Donate

Last edited by Wolfeymole; 09-20-2009 at 04:50 PM.
#5  09-20-2009  manders01 (Bronze Member, joined Sep 2006, 77 posts, PC Experience: PC Illiterate)
Re: Got attacked yesterday!

Whoa..... I finally found a backdoor way to get ComboFix to run. Not too sure how I did it. Frustration is the mother of invention I guess. It took out a "Rootkit" called gasfky. I'll post a copy of the log below. Everything seems to be working fine now. When I get home this afternoon, I'll run whatever else you need me to, but for now, I think I stomped on it.


ComboFix 09-09-18.02 - Sean 09/20/2009 10:18.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1690 [GMT -7:00]
Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: NVIDIA Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Microsoft Private Data
c:\windows\certificates.exe
c:\windows\microsoftreg.dll
c:\windows\regeditsys.exe
c:\windows\system32\drivers\gasfkyxbehxnsi.sys
c:\windows\system32\gasfkyevssweme.dat
c:\windows\system32\gasfkyfvdpucrd.dll
c:\windows\system32\gasfkyfxhxvdkt.dll
c:\windows\system32\gasfkypwqbnmyc.dat
c:\windows\system32\gasfkyqqpxrmfv.dll
c:\windows\systemexplorer.exe
c:\windows\systemsecurity.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyppxrvqil
-------\Legacy_gasfkyppxrvqil


((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 17:04 . 2009-09-20 17:04 -------- d-----w- c:\program files\Panda Security
2009-09-20 16:23 . 2009-09-20 16:22 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-20 16:21 . 2009-09-20 16:27 -------- d-----w- c:\documents and settings\Sean\.housecall6.6
2009-09-20 02:32 . 2009-09-20 02:32 -------- d-----w- c:\documents and settings\Denise\Local Settings\Application Data\AIM Toolbar
2009-09-09 19:28 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-31 18:25 . 2009-08-31 18:25 -------- d-----w- c:\documents and settings\Denise\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 17:05 . 2009-01-01 12:20 -------- d-----w- c:\program files\trend micro
2009-09-19 17:39 . 2009-03-22 16:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 17:38 . 2009-08-02 20:13 -------- d-----w- c:\documents and settings\Sean\Application Data\IMVU
2009-09-10 21:54 . 2009-03-22 16:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-03-22 16:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 00:25 . 2009-02-04 05:47 13104 ----a-w- c:\documents and settings\Kelli\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 01:45 . 2009-08-14 22:33 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-18 01:45 . 2009-08-14 22:33 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-15 02:57 . 2009-08-15 02:57 -------- d-----w- c:\program files\Ventrilo
2009-08-15 02:57 . 2009-08-15 02:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-14 22:32 . 2008-12-24 01:55 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-14 22:00 . 2008-12-24 23:42 139152 ----a-w- c:\documents and settings\Sean\Application Data\PnkBstrK.sys
2009-08-09 14:46 . 2008-12-23 22:52 13104 ----a-w- c:\documents and settings\Sean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 03:05 . 2009-08-09 03:05 -------- d-----w- c:\program files\MSBuild
2009-08-09 03:04 . 2009-08-09 03:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 04:24 . 2009-03-22 17:12 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 20:13 . 2009-08-02 20:13 -------- d-----w- c:\documents and settings\Sean\Application Data\IMVUClient
2009-07-27 06:43 . 2009-05-26 03:34 -------- d-----w- c:\program files\RealArcade
2009-07-25 18:51 . 2009-07-25 18:51 -------- d-----w- c:\program files\Need4 Video Converter 6
2009-07-25 18:51 . 2009-07-25 18:51 -------- d-----w- c:\program files\Need4 Software Launcher
2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2007-06-24 07:41 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-02 17:37 . 2009-07-02 17:37 13104 ----a-w- c:\documents and settings\Denise\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 08:25 . 2007-06-24 07:40 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2007-06-24 07:39 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2007-06-24 07:38 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2007-06-24 07:38 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-03 23:56 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-03 23:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-03 21:59 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-08 131072]
"nTrayFw"="c:\nvidia\NetworkAccessManager\bin\nTrayFw.exe" [2004-10-06 266240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-10 1519616]
"Easy Dock"="" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\Sean\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\Sean\Application Data\IMVUClient\IMVUClient.exe [2009-7-27 49920]
RCA Detective.lnk - c:\documents and settings\Sean\My Documents\RCA Detective\RCADetective.exe [2008-12-29 1069056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VideoCam Suite 2.0.lnk - c:\program files\Panasonic\VideoCam Suite 2\VideoCamSuiteAutoStart.exe [2009-7-7 181592]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\NVIDIA\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/22/2009 10:12 AM 108289]
R2 app_filter;app_filter;c:\nvidia\NetworkAccessManager\bin\nSvcAppFlt.exe [10/5/2004 6:05 PM 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/7/2009 10:27 PM 24652]
S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [3/5/2009 11:17 AM 33752]
.
Contents of the 'Scheduled Tasks' folder

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-21 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Sean\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\9l1pz967.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.sessionstore.resume_from_crash - false
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-20 10:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-09-20 10:24
ComboFix-quarantined-files.txt 2009-09-20 17:23
ComboFix2.txt 2009-01-07 16:42

Pre-Run: 179,355,504,640 bytes free
Post-Run: 181,992,136,704 bytes free

168 --- E O F --- 2009-09-20 12:50

Last edited by manders01; 09-20-2009 at 05:34 PM.
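The Drivers/Services section of the log above is where the rogue shows itself: `AntipPolice_` points at `c:\windows\svchast.exe`, a one-letter imitation of `svchost.exe`, and ComboFix marks its image as unverifiable with `[?]`. As an added example, not code from this thread or from ComboFix, here is a small Python triage that parses lines in that format and flags exactly those two signals; the sample lines are constructed from the log's shape, and `SYSTEM_NAMES` and the 0.85 similarity threshold are my assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample in the shape of the "Drivers/Services" section of the
# ComboFix log posted in this thread (three of its lines, not the full log).
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/22/2009 10:12 AM 108289]
S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
"""

# Assumed list of Windows binaries that rogue software imitates by a one-letter change.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "services.exe")
# ComboFix line: "<state> <service name>;<display name>;<image path and verification info>"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+)$")


def parse_service_line(line):
    """Parse one service line into a dict, or return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # "registered --> resolved [?]" = image not verified; otherwise "path [date time size]".
    path = rest.split(" --> ")[-1].rsplit(" [", 1)[0]
    return {"state": m.group("state"), "name": m.group("name"),
            "path": path, "unverified": rest.endswith("[?]")}


def lookalike_of(filename):
    """Return the system binary this file name imitates, or None (exact or unrelated names)."""
    low = filename.lower()
    if low in SYSTEM_NAMES:
        return None
    for real in SYSTEM_NAMES:
        if SequenceMatcher(None, low, real).ratio() >= 0.85:  # assumed threshold
            return real
    return None


def triage(log_text):
    """Return (service name, image path, reasons) for each suspicious service line."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        fname = svc["path"].rsplit("\\", 1)[-1]
        reasons = []
        if svc["unverified"]:
            reasons.append("ComboFix could not verify the image file ('[?]')")
        imitated = lookalike_of(fname)
        if imitated:
            reasons.append(f"file name {fname} resembles system binary {imitated}")
        if reasons:
            findings.append((svc["name"], svc["path"], reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` reports `AntipPolice_` with both reasons and `FXDRV` with the unverified-image reason only, while the Avira scheduler passes.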
#6  09-20-2009  Crush (Tech Support Team, joined Sep 2008, 10,665 posts, Location: Caldwell, New Jersey, PC Experience: Always Learning New Things)
Re: Got attacked yesterday!

Hi there Manders,

While ComboFix may prove to be useful, it was a VERY risky thing to run the tool unsupervised, and before a trained helper requested it.

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used could relegate your machine to being used as a doorstop.

We first need to verify whether any rootkits are present and how they could affect our tools. HJT, and the other tools we use, are preliminary scans we use to map out the plan of attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.

With that in mind, please review the Prework link in my signature, as well as all the threads linked from it. Then, post back with the requested logs and we'll go from there. Together with the ComboFix log we will then analyze them and remove anything that needs removing.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this
#7  10-09-2009  Crush (Tech Support Team, joined Sep 2008, 10,665 posts, Location: Caldwell, New Jersey, PC Experience: Always Learning New Things)
Re: Got attacked yesterday!

Hello,

I'm just following up. Do you still require assistance in removing your malware? Or can we put this one to bed?

If you are still in need of assistance please let us know.

Regards,
Crush
PCHF Security Team Leader