WiredWX Christian Hobby Weather Tools
XP Internet Security 2010

One of my kids picked up this virus on their computer. The computer will not access the internet anymore as the virus has hijacked the browser. I downloaded Malwarebytes' Anti-Malware onto a USB drive on another computer and was able to install it on the infected computer, but the program will not start. Help!!

Re: XP Internet Security 2010

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Re: XP Internet Security 2010

hijackthis
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:42:01 PM, on 3/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\ay.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe nynw.wmo mynleeq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [opqrqodrv] rundll32.exe "ljkjji.dll",s
O4 - HKLM\..\Run: [qopnonsys] rundll32.exe "pmlmkj.dll",DllRegisterServer
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [wvwusrdrv] rundll32.exe "ljkjji.dll",s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [fcbxxvdrv] rundll32.exe "ljkjji.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [awtspnsys] rundll32.exe "pmlmkj.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [fcbxxvdrv] rundll32.exe "ljkjji.dll",s (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

End of file - 7346 bytes

Last edited by Gary_James on 6th March 2010, 10:08 pm; edited 1 time in total (Reason for editing : I figured out how to get a Hijack This scan)
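As an added example (not part of this thread or of HijackThis itself), a small Python checker that applies the three tells visible in the log above to HijackThis-format lines: a system.ini Shell value with anything appended to Explorer.exe, rundll32 Run entries that load a DLL named without a directory, and startup executables living under the user's profile. The sample lines are constructed from the entries in that log, with the OCR spellings normalised; the category names are my own.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries in the
# thread's log above (the OCR'd "rund1132"/"d11" spellings normalised).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe nynw.wmo mynleeq
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [opqrqodrv] rundll32.exe "ljkjji.dll",s
O4 - HKLM\..\Run: [qopnonsys] rundll32.exe "pmlmkj.dll",DllRegisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [fcbxxvdrv] rundll32.exe "ljkjji.dll",s (User 'SYSTEM')
C:\Documents and Settings\Owner\Local Settings\Application Data\ay.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Profile locations a startup executable normally has no business living in.
USER_DIRS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")

def is_bare_rundll(cmd):  # rundll32 loading a DLL given without any directory
    tokens = cmd.split(None, 1)
    if len(tokens) < 2 or not tokens[0].lower().endswith("rundll32.exe"):
        return False
    dll = tokens[1].lstrip('"').split(",", 1)[0].rstrip('"')
    return "\\" not in dll and ":" not in dll

def runs_from_user_dir(text):
    return any(d in text.lower() for d in USER_DIRS)

def analyse(log_text):  # returns a list of (category, detail) findings
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m:  # anything appended to the Shell value runs at every logon
            if m.group("shell").strip().lower() != "explorer.exe":
                findings.append(("shell-hijack", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if is_bare_rundll(m.group("cmd")):
                findings.append(("rundll32-bare-dll", m.group("name")))
            elif runs_from_user_dir(m.group("cmd")):
                findings.append(("user-profile-exe", m.group("name")))
            continue
        if runs_from_user_dir(line):  # "Running processes" lines
            findings.append(("user-profile-exe", line))
    return findings
```

Run `analyse(SAMPLE_LOG)` to list the five entries a helper would ask to have fixed; the legitimate igfxtray and ctfmon entries pass untouched.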

Re: XP Internet Security 2010

Ok. Now, please do ComboFix.

Re: XP Internet Security 2010

I managed to get Spybot onto the infected computer and run a full scan. It identified and fixed a number of infected files, and, at least for now, the XP Internet Security 2010 pop-ups have stopped. According to Task Manager, the processes that seemed to be active when the pop-ups appeared are no longer in the process list. Is it reasonable to assume that I've killed it, or would you recommend that I still do a scan with ComboFix?

Re: XP Internet Security 2010

combofix
