Author Topic: "Your System is Infected!" (Read 1117 times)

chrislosch · « **on:** July 28, 2005, 12:25:01 PM »

I am having a hell of a time with these pop-ups and spyware. I had the "Your System is Infected!" desktop for a while but got rid of that. Below I have posted my Hijack this scan and the results of a Panda Active scan. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:21:28 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\schmxs.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\System32\savshare.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\closch\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mx.cctrenton.org/exchange/CLosch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - {DC6516B6-3C2C-C0F4-0211-FD842AA8F341} - gabber.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [forces_elite] ms-its.exe
O4 - HKLM\..\Run: [PrcIdle] DTOURS.exe
O4 - HKLM\..\Run: [o48U36l] schmxs.exe
O4 - HKLM\..\Run: [dmnmp.exe] C:\WINDOWS\System32\dmnmp.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Z3r8RWJpP] savshare.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [prcmon] MSTCPDLL.exe
O4 - HKCU\..\Run: [MONITER] NopeZ.exe
O4 - HKCU\..\Run: [dialer423] newbreed.exe
O4 - HKCU\..\Run: [uuoo] C:\PROGRA~1\COMMON~1\uuoo\uuoom.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E9F18F-1EDE-425C-9A75-03329B633AC7}: NameServer = 195.95.218.1,85.255.112.7
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: Adobe Acrobat 5.0 - {C92D9B33-729F-039B-5662-61F6F97E5654} - c:\program files\adobe\acrobat 5.0\reader\wpeptuf3.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Panda Active:

Incident Status Location

Virus:Trj/Qhost.BP Disinfected Operating system
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/SpySheriff No disinfected C:\WINDOWS\System32\vxh8jkdq2.exe
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\casclient.exe
Adware:adware/adsmart No disinfected C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\1.qtdfmp
Adware:adware/consumeralertsystemNo disinfected C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\cassetup.exe
Spyware:spyware/wareout No disinfected C:\WINDOWS\SYSTEM32\loadctr32.exe
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
Adware:adware/spysheriff No disinfected C:\winstall.exe
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/twain-tech No disinfected C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\THI6885.tmp
Adware:adware/bookedspace No disinfected C:\DOCUMENTS AND SETTINGS\CLOSCH\LOCAL SETTINGS\TEMP\bs54D3.tmpbsx32
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\CLOSCH\FAVORITES\Casino & Carrers
Adware:adware/pacimedia No disinfected HKEY_CURRENT_USER\SOFTWARE\PSOF1
Spyware:spyware/surfsidekick No disinfected HKEY_CURRENT_USER\SOFTWARE\SURFSIDEKICK3
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Spyware:spyware/safesurf No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\RICHED
Spyware:spyware/bargainbuddy No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\BARGAINBUDDY
Adware:adware/cws.aboutblank No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTOCOLS\FILTER\TEXT/HTML\CLSID
Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\InstallerV3.exe
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\kwwdhgg.dll
Adware:Adware/SpySheriff No disinfected C:\WINDOWS\system32\vxh8jkdq2.exe
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\system32\csspr.exe
Virus:Trj/Clicker.FV Disinfected C:\Documents and Settings\closch\Local Settings\Temp\9D.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\closch\Local Settings\Temp\i4.tmp
Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\closch\Local Settings\Temp\9E.tmp
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\closch\Local Settings\Temp\thin_installer.exe
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\closch\Local Settings\Temp\asfjkk32.tmp
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\closch\Local Settings\Temp\nsh_104.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\closch\Local Settings\Temp\i75.tmp
Virus:Trj/Downloader.DOC Disinfected C:\Documents and Settings\closch\Local Settings\Temp\1.qtdfmp
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Documents and Settings\closch\Local Settings\Temp\cassetup.exe
Adware:Adware/SpySheriff No disinfected C:\Documents and Settings\closch\Local Settings\Temp\2.qtdfmp
Virus:Trj/Downloader.DHI Disinfected C:\Documents and Settings\closch\Local Settings\Temp\5.qtdfmp
Virus:Trj/Downloader.DJV Disinfected C:\Documents and Settings\closch\Local Settings\Temp\EF.tmp
Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\closch\Local Settings\Temp\3CF.tmp
Adware:Adware/Pacimedia No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\casclient.exe
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\Uninstall.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/SpySheriff No disinfected C:\winstall.exe

chrislosch · « **Reply #1 on:** August 02, 2005, 07:58:02 AM »

bump please

TheTechGuide Forum

News:

Author Topic: "Your System is Infected!" (Read 1117 times)

chrislosch

"Your System is Infected!"

chrislosch

"Your System is Infected!"