Ok, I tried following the instructions in the New User sticky and found out that the site it was pointing to was blocked on my machine.
So I opened up the link on another machine. I was able to download CCleaner, but when I try to "Run Cleaner" it just spontaneously quits.
Then I tried step 2a and found that AntiVir will not run. I can download it, but when I start installing, it just quits. I then moved to 2b and, not surprisingly, I could not get to any online scanning sites (my other computer can just fine, so it's not the network).
Other symptoms:
- Virus scanner has been corrupted
- I can't use the Task Manager
- I can't open Regedit
Tried all the methods to try and re-enable the Regedit and nothing works. This thing has dug in deep.
I did, however, manage to get HiJackThis to run and have pasted the logfile below.
I'm pretty close to doing a full HDD format, but hoping maybe you can help?
------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:38 PM, on 9/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\notes\ntmulti.exe
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINNT\stsystra.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINNT\System32\wbem\unsecapp.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\cr002re\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\enstart.exe
C:\DOCUME~1\cr002re\LOCALS~1\Temp\jedf.exe
C:\DOCUME~1\cr002re\LOCALS~1\Temp\winlmok.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pbwebb.ct.pb....b/ep/usaHome.do
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Cleanup] c:\winnt\PBUtility\cleanup.cmd
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATTUserConfig] C:\WINNT\PBCache\ATTGlobal680\ATTGlobal.exe /UserConfig /s
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [SpeedBoot] C:\winnt\PBUtility\speedboot.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\cr002re\LOCALS~1\Temp\Temporary Directory 1 for RRT[1].zip\RRT.exe auto
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\cr002re\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.pbi.global.pvt
O15 - Trusted Zone: *.pb.com
O15 - Trusted Zone: *.pitneybowes.ca
O15 - Trusted IP range: 161.228.211.79
O16 - DPF: {519B48ED-2242-4F0F-A1F6-65B3A505972D} (Pslocalr Class) - https://gpr.pb.com/p...cs/pslocalr.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215475321565
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/T25L10NSP41E...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://dbyec-ras1.ct.pb.com/dana-cached/se...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\Software\..\Telephony: DomainName = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pbi.global.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com,mapinfo.net,mapinfo.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pbi.global.pvt,ct.pb.com,nw.pb.com,pitneybowes.ca,g1.com,pb.com,mapinfo.net,mapinfo.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
--
End of file - 9405 bytes
This is a doozy
Started by strange_brew, Sep 30 2008 03:50 AM
3 replies to this topic
#1
Posted 30 September 2008 - 03:50 AM
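As an added example (not part of the original thread, and not a tool the helpers referenced), here is a small Python triage script for a HijackThis 2.x log. It encodes the checks a helper applies by eye to a log like the one posted above: processes and O4 autoruns launched from a Temp directory, O7 policy restrictions (the DisableRegedit=1 entry in the log is why Regedit will not open), O23 services with an unknown vendor, orphaned O2 BHO entries, and an unusual number of copies of one binary. The sample log embedded in the script is constructed to mirror the shapes in the posted log; the username, the repeat threshold, the allowlist of multi-instance system processes and the severity labels are assumptions.

```python
"""Triage a HijackThis 2.x log for the indicator types visible in the post above.

Added example, not the thread's own content. The rules are generic and
will produce false positives (legitimate installers also run from Temp);
the output is a review list, not a verdict.
"""
import re
from collections import Counter

# Constructed sample log modelled on the posted one (not the real file).
# The username "user" and the RRT.exe path are placeholders.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\enstart.exe
C:\DOCUME~1\user\LOCALS~1\Temp\jedf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\user\LOCALS~1\Temp\RRT.exe auto
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")   # "O4 - ..." style entries
PATH_RE = re.compile(r"^[A-Za-z]:\\")                          # lines in the process list
TEMP_RE = re.compile(r"\\(?:LOCALS~1\\Temp|Local Settings\\Temp|Windows\\Temp)\\", re.I)
POLICY_RE = re.compile(r"Disable(?:Regedit|TaskMgr|CMD)\s*=\s*1", re.I)

# Assumed allowlist: these system binaries legitimately run many instances.
MULTI_INSTANCE_OK = {"svchost.exe", "wmiprvse.exe"}
REPEAT_THRESHOLD = 4  # assumed: this many copies of one other binary is worth a look


def parse(text):
    """Split the log into (process paths, [(kind, body, raw line), ...])."""
    processes, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
        elif PATH_RE.match(line):
            processes.append(line)
    return processes, entries


def triage(text):
    """Return a list of findings: {severity, section, reason, line}."""
    findings = []
    processes, entries = parse(text)

    for p in processes:
        if TEMP_RE.search(p):
            findings.append({"severity": "high", "section": "process",
                             "reason": "process running from a Temp directory", "line": p})

    # Many copies of one binary (NOTEPAD.EXE x7 in the posted log) is unusual
    # for a user application and often means something is launching it.
    for path, n in Counter(p.lower() for p in processes).items():
        basename = path.rsplit("\\", 1)[-1]
        if n >= REPEAT_THRESHOLD and basename not in MULTI_INSTANCE_OK:
            findings.append({"severity": "medium", "section": "process",
                             "reason": f"{n} instances of the same binary", "line": path})

    for kind, body, line in entries:
        if kind == "O4" and TEMP_RE.search(body):
            findings.append({"severity": "high", "section": kind,
                             "reason": "autorun entry launching from a Temp directory", "line": line})
        elif kind == "O7":
            # O7 lines are Policies\System restrictions; DisableRegedit/TaskMgr
            # lock the user out of the very tools used to inspect the machine.
            sev = "high" if POLICY_RE.search(body) else "medium"
            findings.append({"severity": sev, "section": kind,
                             "reason": "registry policy restriction set", "line": line})
        elif kind == "O23" and "Unknown owner" in body:
            findings.append({"severity": "medium", "section": kind,
                             "reason": "service with no recognised vendor", "line": line})
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append({"severity": "low", "section": kind,
                             "reason": "orphaned BHO CLSID (DLL missing)", "line": line})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'low': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:8} {f['reason']}: {f['line']}")
```

Run against the constructed sample it flags the Temp-resident process and autorun, the four NOTEPAD.EXE copies, the DisableRegedit policy, the unknown-vendor service and the orphaned BHO, and stays silent on the four svchost.exe instances and the vendor-signed BigFix service. Feed it a real log with `triage(open("hijackthis.log").read())`; treat the output as a reading guide for the log, not as a removal list.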
#2
Posted 02 October 2008 - 11:07 AM
Hello strange_brew,
That HijackThis log is definitely heavily infected. We can attempt to clean the computer, but this will probably be a long process to finish.
You will need to transfer the needed files from the computer you used to post the HijackThis log to the infected one via USB, CD, etc.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingc...to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following report for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
#3
Posted 02 October 2008 - 01:36 PM
Thanks for the reply. In the end I had to get my machine re-imaged. I would have been willing to give it a go, but it's my work laptop and corp policy is to lock down network access until they've completely re-imaged it. So I didn't really have a choice. Sorry if I wasted your time.
By the way, just FYI, I did try to use ComboFix and it hung the machine when it was trying to produce the report. I waited 3 hours and it never responded. Not sure what virus it is, but it's pretty severe...
#4
Posted 02 October 2008 - 02:53 PM