
Solved Hijackthis log + Virus info.

Discussion in 'Malware and Virus Removal Archive' started by GFitz, 2008/08/30.

  1. 2008/09/01
    GFitz

    GFitz Inactive Thread Starter

    Joined:
    2008/08/30
    Messages:
    26
    Likes Received:
    0
    Sorry Geri, I've just tried it again and it's working. Will post log shortly.
     
  2. 2008/09/01
    GFitz
    ComboFix 08-08-30.03 - owner 2008-09-01 16:47:32.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1569 [GMT 10:00]
    Running from: C:\Documents and Settings\owner\Desktop\killit.exe
    Command switches used :: C:\Documents and Settings\owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\DUMP68db.tmp
    C:\WINDOWS\DUMP6fe0.tmp
    C:\WINDOWS\DUMP7280.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
    .

    2008-09-01 15:18 . 2008-09-01 15:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-01 15:18 . 2008-09-01 15:18 <DIR> d-------- C:\Documents and Settings\owner\Application Data\Malwarebytes
    2008-09-01 15:18 . 2008-09-01 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-01 15:18 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-01 15:18 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-01 01:38 . 2008-09-01 01:38 <DIR> d-------- C:\rsit
    2008-08-29 23:50 . 2008-09-01 01:38 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-29 01:03 . 2008-08-29 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-08-28 02:11 . 2008-08-28 02:11 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
    2008-08-28 02:11 . 2008-08-28 03:02 <DIR> d-------- C:\Program Files\Hitman Pro
    2008-08-27 19:33 . 2008-08-27 19:33 <DIR> d-------- C:\Program Files\CCleaner
    2008-08-27 17:19 . 2008-08-29 22:54 <DIR> d-------- C:\Program Files\Alwil Software
    2008-08-26 22:01 . 2008-08-26 22:01 <DIR> d-------- C:\WINDOWS\Virtual Villagers - The Secret City
    2008-08-16 18:04 . 2008-08-16 18:07 <DIR> d-------- C:\Program Files\ManyCam 2.3
    2008-08-09 12:54 . 2008-08-27 19:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-01 05:53 --------- d-----w C:\Program Files\Steam
    2008-09-01 05:51 19,039 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
    2008-08-30 18:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-30 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-27 07:59 --------- d-----w C:\Documents and Settings\owner\Application Data\Skype
    2008-08-26 12:57 --------- d-----w C:\Documents and Settings\owner\Application Data\uTorrent
    2008-08-16 08:04 --------- d-----w C:\Program Files\ManyCam 2.2
    2008-08-11 10:49 --------- d-----w C:\Program Files\EPSON Print CD
    2008-08-11 10:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-08-11 10:29 --------- d-----w C:\Documents and Settings\owner\Application Data\dvdcss
    2008-08-09 15:26 --------- d-----w C:\Documents and Settings\owner\Application Data\Vso
    2008-08-02 18:20 --------- d-----w C:\Documents and Settings\owner\Application Data\Nokia Multimedia Player
    2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 17:00 --------- d-----w C:\Program Files\Bulent's Screen Recorder
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2007-01-20 13:38 81,920 ----a-w C:\Documents and Settings\owner\Application Data\ezpinst.exe
    2007-01-20 13:38 47,360 ----a-w C:\Documents and Settings\owner\Application Data\pcouffin.sys
    2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
    "Steam"="c:\program files\steam\steam.exe" [2008-04-14 20:11 1271032]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 18:30 486856]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-29 19:31 68856]
    "InternodeUsage"="C:\PROGRA~1\INTERN~2\mum.exe" [2008-06-04 22:58 1339392]
    "ManyCam"="C:\Program Files\ManyCam 2.3\ManyCam.exe" [2008-08-08 21:02 1725736]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 20:07 843776]
    "JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 18:45 385024]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [2006-06-21 14:45 544768]
    "BigDog305"="C:\WINDOWS\VM305_STI.EXE" [2005-08-05 14:15 61440]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48 36975]
    "EPSON Stylus Photo R350 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJP.EXE" [2005-05-12 14:00 98304]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-01-23 11:19 223232]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-21 13:44 286720]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
    "nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    --a------ 2007-03-30 13:34 25263144 C:\Program Files\Skype\Phone\Skype.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Gigabyte\\VGA Utility Manager\\G-VGA.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\Steam\\steamapps\\triple-a\\counter-strike\\hl.exe"=
    "C:\\Documents and Settings\\owner\\Desktop\\utorrent.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\StubInstaller.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\WINDOWS\\system32\\rtcshare.exe"=
    "C:\\Program Files\\NetMeeting\\conf.exe"=
    "C:\\Program Files\\Steam\\steamapps\\triple-a\\team fortress classic\\hl.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Steam\\steamapps\\triple-a\\day of defeat\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\bravonyx\\counter-strike\\hl.exe"=
    "C:\\Program Files\\Steam\\steamapps\\triple-a\\half-life\\hl.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\UrbanTerror\\ioUrbanTerror.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\Steam\\steamapps\\bravonyx\\team fortress 2\\hl2.exe"=
    "C:\\Program Files\\Steam\\steamapps\\bravonyx\\counter-strike source\\hl2.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-20 00:35]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-20 00:37]
    R3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-09-01 15:51]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 20:06]
    S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-08-17 15:01]
    S3 ZSMC0305;VIMICRO USB PC Camera V;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-05-08 09:24]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-01 16:48:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-01 16:49:00
    ComboFix-quarantined-files.txt 2008-09-01 06:48:56
    ComboFix2.txt 2008-09-01 05:54:37

    Pre-Run: 79,988,580,352 bytes free
    Post-Run: 79,975,104,512 bytes free

    144 --- E O F --- 2008-08-31 17:25:50
     


  4. 2008/09/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, great.

    Now let's get an on-line scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Now the scan.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
      Post the contents of the ActiveScan report

    Thanks
    Geri
     
  5. 2008/09/01
    GFitz
    I couldn't follow the steps you gave me, but I think I got the job done anyway. Hope this is what we are looking for.

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-09-01 18:46:41
    PROTECTIONS: 1
    MALWARE: 3
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! antivirus 4.8.1229 [VPS 080831-0] 4.8.1229 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{4FD63890-825B-428A-85F5-994786B9F896}\RP8\A0007075.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{4FD63890-825B-428A-85F5-994786B9F896}\RP8\A0007063.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{4FD63890-825B-428A-85F5-994786B9F896}\RP7\A0007006.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{4FD63890-825B-428A-85F5-994786B9F896}\RP6\A0007004.sys
    03538755 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\moved\lphcropj0e769.exe.vir
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location

    ;===================================================================================================================================================================================
    No C:\Documents and Settings\owner\Desktop\killit.exe

    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description

    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================

    Edit: Forgot to mention I ran the ATF Cleaner and all went well.
     
  6. 2008/09/01
    M1cr0

    M1cr0 Inactive

    Joined:
    2008/08/31
    Messages:
    13
    Likes Received:
    0
    All it says is "No action taken". You might want to try and delete these files and keys yourself.
     
  7. 2008/09/01
    GFitz
    I'll wait to see what Geri says.
     
  8. 2008/09/01
    Geri
    Hi
    OK things look great.

    OK please delete this file.

    C:\WINDOWS\PSEXESVC.EXE

    Go to your Avast quarantine folder and delete what's in there.

    Let me know that you were able to delete that file.

    The "No action taken" was the first time you ran MBAM, on your second run you deleted those, so you're OK there.

    I see you have P2P software (LimeWire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Malware and Virus removal.

    Geri
     
  9. 2008/09/01
    GFitz
    Hi,

    I deleted what was in the "Moved" folder in avast (1 file) but could not delete the 3 files that are in the "Chest" folder. Are they virus files?
     
  10. 2008/09/01
    Geri
    Hi
    OK, not sure. Panda did not pick them up, but they are no threat there, so don't worry about them. Did you delete this file?

    C:\WINDOWS\PSEXESVC.EXE
     
  11. 2008/09/01
    GFitz
    I sure did!
     
  12. 2008/09/01
    Geri
    OK please do this.

    Now do this and let me know if it removes combofix.

    Click Start > Run. In the Run box, copy and paste or type killit /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.

    Geri
     
  13. 2008/09/01
    GFitz
    It's saying "Windows cannot find 'killit'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search. "
     
  14. 2008/09/01
    Geri
    Hi
    OK, I was wondering about that; it has been renamed so many times. :)

    OK well do it manually.

    Delete Killit.exe (ComboFix) on your desktop. Then look for these folders and delete whichever ones are there, or any of the names you have used for ComboFix.

    C:\Fombocix
    C:\Killit

    Now do this.

    We need to turn System Restore off and back on. There are infections in it, and by using System Restore you would reinfect yourself.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under "Type a description for your restore point..." put a name in the box. Click Create. In the next window click Close.

    Let me know how that went.
     
  15. 2008/09/01
    GFitz
    ComboFix and all its folders have been removed from the system. I have created a fresh system restore point also.
     
  16. 2008/09/01
    Geri
    Hi
    OK good.

    How are things running?

    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Malware and Virus Removal forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    If everything is OK I'll mark this one resolved.

    Geri
     
  17. 2008/09/01
    Geri
    Hi
    You can also delete RSIT.exe and this folder C:\rsit
     
  18. 2008/09/01
    GFitz
    Yes!!! Everything is running fine :D Thanks so much for the help, I can't tell you how much I appreciate the time you've taken to help me out. Is there anything at all you can tell me about the actual Virus/trojan/worm/malware I had? Does it have a name? How I got infected so badly? Or was I just bombarded with all that stuff?
     
  19. 2008/09/01
    Geri
    Hi GFitz
    You're welcome.

    If you look at your post #16 (MBAM log) you will see the infection: it is a trojan being bundled with the fake alert virus.
    The tds...dll files are the ones that were stopping you from accessing the virus removal sites; this is a fairly nasty trojan.

    It is a widespread infection. My best guess... your P2P file sharing. This is not a good idea. I would suggest you read the links provided in the post I gave you on P2P, and remove all P2P file sharing apps.

    I'll mark this one resolved.

    Surf Safely
    Geri
     
  20. 2008/09/01
    GFitz
    Thanks again Geri. Have a Good one.
     
  21. 2008/09/01
    Geri
    Hi GFitz

    There seems to be one more thing we need to do.


    Open "Notepad". Copy the contents of the code box below into the blank Notepad window.
    Click "File" > "Save As"
    In the "Save In" box at the top click the down arrow and select Desktop

    In the "File name" type in: fix.reg
    In the "Save As Type" select: All Files
    Once saved, go to your desktop, double-click fix.reg and let it merge with the registry.

    Code:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    Let me know that it worked.

    Geri
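
    The SecurityProviders value that the fix.reg above restores is the list of Security Support Provider DLLs that LSASS loads at boot, which is why it shows up in the ComboFix "Reg Loading Points" section whenever it differs from the default and why malware likes to tamper with it. As an added worked example (not part of this thread, and not ComboFix's, Panda's or Geri's code), the Python below audits such a value against the XP defaults: it flags extra DLLs, missing defaults, and the separator-stripped form printed in the ComboFix log above, and renders the same REGEDIT4 fix. The sample values are constructed; evilssp.dll is a made-up name standing in for an injected provider.

```python
"""Audit the SecurityProviders registry value for injected Security Support
Providers (SSPs) and render the REGEDIT4 fix that restores the XP defaults.

Added example for this thread; it is not ComboFix, Panda or Geri's code.
"""
from __future__ import annotations

import re

# The four SSP/AP DLLs Windows XP ships with: exactly the list the fix.reg
# above writes back.  Any extra DLL named here is loaded into LSASS at boot
# and sees every logon, which is why this value is a persistence target.
XP_DEFAULT_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

_REG_LINE = re.compile(r'^\s*"SecurityProviders"\s*=\s*"(?P<value>[^"]*)"\s*$', re.IGNORECASE)
_DLL_NAME = re.compile(r"[^,\s]+?\.dll", re.IGNORECASE)


def parse_providers(value: str) -> list[str]:
    """Split a SecurityProviders value into lower-cased DLL names.

    Windows expects a comma-separated list.  If the separators are gone
    (the form ComboFix printed above: msapsspc.dllschannel.dll...), split on
    the '.dll' boundaries instead so the audit still sees every entry, and
    keep any trailing junk so it is reported as unknown.
    """
    value = value.strip()
    if "," in value:
        parts = [p.strip() for p in value.split(",")]
    else:
        parts = [m.group(0) for m in _DLL_NAME.finditer(value)]
        leftover = _DLL_NAME.sub("", value).strip()
        if leftover:
            parts.append(leftover)
    return [p.lower() for p in parts if p]


def audit_providers(value: str, allowed=XP_DEFAULT_PROVIDERS) -> dict:
    """Compare a value against the allow-list and report what is off."""
    providers = parse_providers(value)
    unknown = [p for p in providers if p not in allowed]
    missing = [p for p in allowed if p not in providers]
    malformed = "," not in value.strip() and len(providers) > 1
    return {
        "providers": providers,
        "unknown": unknown,      # extra DLLs: treat as persistence until proven otherwise
        "missing": missing,      # defaults removed: breaks the matching auth packages
        "malformed": malformed,  # separators stripped: the whole string reads as one DLL name
        "clean": not unknown and not missing and not malformed,
    }


def audit_reg_file(text: str) -> dict | None:
    """Find the SecurityProviders line in REGEDIT4/.reg text and audit it."""
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            return audit_providers(m.group("value"))
    return None


def build_fix_reg(allowed=XP_DEFAULT_PROVIDERS) -> str:
    """Render the REGEDIT4 fragment that restores the default list (CRLF, as regedit expects)."""
    return (
        "REGEDIT4\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders]\r\n"
        f'"SecurityProviders"="{", ".join(allowed)}"\r\n'
    )


# Constructed samples: the first is what fix.reg writes, the second is the
# value as the ComboFix log above printed it, the third is hypothetical
# (evilssp.dll is a made-up name for an injected provider).
SAMPLE_DEFAULT = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
SAMPLE_NO_SEPARATORS = "msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"
SAMPLE_INJECTED = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, evilssp.dll"

if __name__ == "__main__":
    for label, value in [("default", SAMPLE_DEFAULT),
                         ("no separators", SAMPLE_NO_SEPARATORS),
                         ("injected", SAMPLE_INJECTED)]:
        print(label, audit_providers(value))
    print(build_fix_reg())
```

    Run it as-is to see the three verdicts; on a live machine you would feed audit_providers the string exported from HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders and only merge the generated .reg once the unknown list has been examined, since a clean report here only says the value matches the XP defaults, not that the DLLs on disk are the genuine ones.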
     
