New computer is infected

Thread ID: 71988 | 2006-08-24 20:40:00 | anderson3250 (11038) | Press F1
Post 480582 | 2006-08-26 02:59:00 | Greg (193)

Since it is a new computer why not just cut all the hassle and use the restore discs or reformat to wipe the hard drive clean and start again?

A good suggestion.
Post 480583 | 2006-08-27 21:46:00 | anderson3250 (11038)

Sorry, I was unable to reply since Friday. I finally got Rootkit Revealer to download (it was quitting halfway through). Here is what it found:

```text
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Scans\History\Results\Quick\{85163351-FF94-41C2-9056-C638C91C1D42}   8/27/2006 3:30 PM   4.69 KB     Hidden from Windows API.
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun-AF-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock   8/27/2006 3:24 PM   0 bytes     Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp .edb   8/27/2006 3:24 PM   64.00 KB    Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\TMP000000437D62216FD6CB34CE   8/27/2006 3:24 PM   512.00 KB   Visible in Windows API, but not in MFT or directory index.
D:   0 bytes   Error mounting volume
```
Post 480584 | 2006-08-28 00:57:00 | silvero (11011)

All those entries appear to be files created during the scan, nothing unusual except for the size of the last one, but if you are continually cleaning your temp folder due to these problems then it should be dealt with anyway. I hope the startup list has something!
Post 480585 | 2006-08-28 01:19:00 | anderson3250 (11038)

Here is the startup list from HijackThis, I think:

```text
StartupList report, 8/27/2006, 7:15:02 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Josh\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Josh\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Josh\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
QPService = "C:\Program Files\HP\QuickPlay\QPService.exe"
eabconfg.cpl = C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe
RecGuard = C:\Windows\SMINST\RecGuard.exe
hpWirelessAssistant = C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
HP Software Update = C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\nature.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = update.microsoft.com

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Adobe Active File Monitor: C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (autostart)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Media Center Receiver Service: C:\WINDOWS\eHome\ehRecvr.exe (autostart)
Media Center Scheduler Service: C:\WINDOWS\eHome\ehSched.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
hpqwmiex: C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Media Center Extender Service: C:\WINDOWS\ehome\mcrdsvc.exe (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
TabletService: C:\WINDOWS\system32\Tablet.exe (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Defender Service: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\suf34.tmp => C:\WINDOWS\system32\RICHTX32.OCX|C:\WINDOWS\system 32\suf35.tmp => C:\WINDOWS\system32\MSCOMCTL.OCX|C:\WINDOWS\system 32\suf36.tmp => C:\WINDOWS\system32\MSVBVM60.dll|C:\WINDOWS\system 32\suf37.tmp => C:\WINDOWS\system32\OleAut32.dll|C:\WINDOWS\system 32\suf38.tmp => C:\WINDOWS\system32\OlePro32.dll|C:\WINDOWS\system 32\suf39.tmp => C:\WINDOWS\system32\AsycFilt.dll|C:\WINDOWS\system 32\suf3A.tmp => C:\WINDOWS\system32\StdOle2.tlb|C:\WINDOWS\system3 2\suf3C.tmp => C:\WINDOWS\system32\RichEd32.dll|C:\DOCUME~1\Josh\ LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Josh\LOCALS ~1\Temp\irsetup.exe

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: %system%\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 12,663 bytes
Report generated in 0.297 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
```
Post 480586 | 2006-08-28 03:04:00 | silvero (11011)

There is only one area that looks suspicious, which is the WININIT.INI file. If you haven't rebooted since the scan, go to virusscan.jotti.org, press Browse and select:

C:\Documents and Settings\Josh\Local Settings\Temp\irsetup.exe

Then press Submit. If it finds anything then post the result.

Also do the same for at least two of the .tmp files listed in the WININIT.INI section of the startup list, such as:

C:\WINDOWS\system32\suf3C.tmp
C:\WINDOWS\system32\suf36.tmp

irsetup.exe can be a legitimate file, but it also can be a trojan. I assume the "\system 32\" (with a space between system & 32) directory shown below is just a posting oddity, not a real directory, as that would be very suspicious.
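The section silvero singles out is the PendingFileRenameOperations value that StartupList prints under 'Wininit.ini'. As an added example (not from the thread), the Python below parses that value the way Windows stores it in the registry (source/target string pairs under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, paths with the \??\ prefix, a "!" on the target for replace-if-exists, an empty target meaning delete at boot) and flags the two patterns seen in the report: .tmp files being moved over files in system32, and an executable in a user's Temp folder scheduled to delete itself. The sample value is constructed from the paths in the report; on a live host the list would be read with winreg instead.

```python
from typing import NamedTuple

# Constructed sample mirroring the StartupList entries above. Windows stores
# the value as REG_MULTI_SZ: source, target, source, target, ... Paths carry
# the \??\ NT prefix; "!" on a target means replace-if-exists; an empty
# target means the source file is deleted at the next boot.
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\system32\suf34.tmp", r"!\??\C:\WINDOWS\system32\RICHTX32.OCX",
    r"\??\C:\WINDOWS\system32\suf3C.tmp", r"!\??\C:\WINDOWS\system32\RichEd32.dll",
    r"\??\C:\DOCUME~1\Josh\LOCALS~1\Temp\irsetup.exe", "",
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


class PendingOp(NamedTuple):
    source: str
    target: str             # "" means "delete source at boot"
    replace_existing: bool  # target carried the "!" prefix


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(values):
    """Turn the raw REG_MULTI_SZ strings into PendingOp records."""
    if len(values) % 2:
        raise ValueError("value must hold source/target pairs")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        replace = dst.startswith("!")
        ops.append(PendingOp(_strip_nt_prefix(src),
                             _strip_nt_prefix(dst[1:] if replace else dst),
                             replace))
    return ops


def review(ops):
    """Return (op, reason) for the entries a responder should look at first."""
    findings = []
    for op in ops:
        src, dst = op.source.lower(), op.target.lower()
        if dst == "" and src.endswith(".exe") and "\\temp\\" in src:
            findings.append((op, "executable in a Temp folder scheduled to delete itself"))
        elif dst.startswith(SYSTEM_DIRS) and (src.endswith(".tmp") or "\\temp\\" in src):
            findings.append((op, "temp file replacing a file in the system directory"))
    return findings


if __name__ == "__main__":
    for op, reason in review(parse_pending_renames(SAMPLE_VALUE)):
        print(f"{reason}: {op.source} -> {op.target or '<delete>'}")
```

Installers legitimately use this mechanism to swap in-use DLLs and clean up after themselves, so the output is a triage list to hand to a scanner like the one silvero names, not a verdict.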