Thread: really bad worm problem

Post #11 by Spec, 05-05-2009, 12:30 PM:

I have a good recommendation: download http://download.bleepingcomputer.com/sUBs/ComboFix.exe

ComboFix probably removes ANY virus. Boot into Windows normally, not Safe Mode or anything of the sort. Go to that website and download it. Save it as something like 123.exe, but not combofix, because most trojans/viruses disable it. After you save it, run it and let it finish; it may take ten minutes to two hours. Do NOT open any other programs while it is running. Your screen will flicker and the computer will act like it's going all funky; this is normal. After it's done running it will close and a log will pop up. This should fix your problem.

Post #12 by burn420, 05-06-2009, 11:25 PM:

Spec - ComboFix does not scan encrypted files... So that renders it nearly useless... Nor is it designed for 64-bit OS's, so if overeem is on a 64-bit processor it will be rendered useless... To my understanding, it is only able to pick up on viruses that are 32-bit, and not on 64-bit or backwards compatible either... (though I could be wrong about that one).

Post #13 by Atomic Rooster, 05-07-2009, 01:38 AM:

Quote (originally posted by burn420):
(though I could be wrong about that one).
Smartest thing you've posted to date. . .

A guide and tutorial on using ComboFix

Pay special attention to the Windows Vista instructions. . .

Post #14 by overeem, 05-07-2009, 08:38 PM:

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hp\HP Software Update\HPWUCli.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com/dvdvideosoft?gcht=SD&o=13162&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowsSystem2] C:\Users\Jonathan\AppData\Roaming\efgt2.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0028111241742958) (0028111241742958mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\002811~1.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10136 bytes

Post #15 by overeem, 05-07-2009, 08:39 PM:

Mk, sorry, but that's the log file from the HijackThis program.

I had to shorten it up, but that's it.

Thanks again to everyone for helping; seriously, it's been a nightmare. I hate the paranoia.

OK, so I found out I have Trojan Generic.dx.
So how can I remove it? It recreates itself every 5 seconds....

Post #16 by burn420, 05-08-2009, 01:41 AM:

Atomic - I used to be on BleepingComputer... I read that "guide" 3 times before even downloading it... Plus I just re-read it just for the hell of it... I see nowhere that it mentions Windows Vista (or even XP 64-bit)... I suggest you get a 64-bit OS and try their little guide and let's see how far you get... (please don't mistake the 32-bit Vista for the 64-bit Vista).

By the way, I have a post on there about how BleepingComputer does not put much support on 64-bit OS's; Malwarebytes, ComboFix, and HijackThis (among others) were all mentioned, and no one, not even the admins, tried saying ComboFix or Malwarebytes would run on a 64-bit system, until now.. You. So unless you are saying that the same website you referenced is wrong, then I guess you might just want to bite the bullet here.

Also, next time you want to try to prove me wrong, please do me a favor. Use a site that does not promote methods and techniques that are from the late 1900's; it is the 21st century, not the 20th...

Overeem - From what you showed and what you said... It does seem that it is within the polymorphic field (not saying it is polymorphic). Without losing your data, try a system restore (this is of course assuming that it has not been affected by the virus). I would suggest trying to do a boot scan (this is of course assuming the virus hasn't messed with the MBR (Master Boot Record)). You could also try a live CD that will scan your system (TRK (Trinity Rescue Kit) is a good source for this). If neither of those work, then (at the moment I have nothing else to think of) you may have to reformat your entire drive and start fresh..

Post #17 by Atomic Rooster, 05-08-2009, 06:45 AM:

Quote:
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. If you are using Windows Vista, and receive UAC prompt asking if you would like to continue running the program, you should press the Continue button.
Quote:
Windows Vista users can use their Windows DVD to boot up into the Vista Recovery Environment.
Quote:
Created: January 4, 2008 3:55 PM

Post #18 by Spec, 05-08-2009, 12:06 PM:

Quote (originally posted by burn420):
Atomic - I used to be on BleepingComputer... I read that "guide" 3 times before even downloading it... Plus I just re-read it just for the hell of it... I see nowhere that it mentions Windows Vista (or even XP 64-bit)... I suggest you get a 64-bit OS and try their little guide and let's see how far you get... (please don't mistake the 32-bit Vista for the 64-bit Vista).

By the way, I have a post on there about how BleepingComputer does not put much support on 64-bit OS's; Malwarebytes, ComboFix, and HijackThis (among others) were all mentioned, and no one, not even the admins, tried saying ComboFix or Malwarebytes would run on a 64-bit system, until now.. You. So unless you are saying that the same website you referenced is wrong, then I guess you might just want to bite the bullet here.

Also, next time you want to try to prove me wrong, please do me a favor. Use a site that does not promote methods and techniques that are from the late 1900's; it is the 21st century, not the 20th...

and system restore will NOT work because the majority of very badly coded rootkits/trojans infect your system restore files.

Overeem - From what you showed and what you said... It does seem that it is within the polymorphic field (not saying it is polymorphic). Without losing your data, try a system restore (this is of course assuming that it has not been affected by the virus). I would suggest trying to do a boot scan (this is of course assuming the virus hasn't messed with the MBR (Master Boot Record)). You could also try a live CD that will scan your system (TRK (Trinity Rescue Kit) is a good source for this). If neither of those work, then (at the moment I have nothing else to think of) you may have to reformat your entire drive and start fresh..

Uhm, you are not correct there, sir. I've used ComboFix on multiple computers, including 64-bit operating systems and including Vista. Get your facts straight.

Post #19 by burn420, 05-08-2009, 09:46 PM:

Atomic - Wow, I am surprised. I re-looked right where you said, and there it was... My bad, sorry...
Though personally, I find it hilarious that it wants you to use Vista Recovery.... Just so you can use Command...

Spec - I too have put ComboFix on a Vista 64-bit... Though it crashed, so I ripped it apart to see the code, and well, unless you understand code better than I do... Then you would have realized that the code was designed for (not only 32-bit, and it doesn't seem to have much support for 64-bit designs period) old (meaning late 1900's, though I did find a couple from the early 2000's (around like 2002 or 2003)) techniques.. It does not even support half of the good (by good I mean hard to find or detect) exploits... Nor does it seem to have much support for the design period of Windows Vista... WINE does not operate the same as the old school Windows platform... (Yes, Vista uses WINE, though if I remember correctly (as I know a couple of the programmers of Vista and Windows 7) the WINE used for Vista is not the WINE used for Linux).
I would love to see ComboFix even try to find even one of my old viruses I made when I was like 14 or so... Granted, yes, it still can be useful for some good exploits, but still it is not what it is cracked up to be...

But to get back to this person's problem, I am sorry, but not even ComboFix can scan encrypted files... So it does still render it useless...

Post #20 by Atomic Rooster, 05-08-2009, 10:11 PM:

Here's some reading for you overeem:

What is rundll32.exe And Why Is It Running?

What is dwm.exe And Why Is It Running?

Symantec Search - csrss.exe

Now, the crss.exe is another story. Did you type that right? Is it crss.exe or Csrss.exe? Csrss.exe is a legit program if it's running in the System32 directory. Otherwise, it could be a trojan. Most any scanners such as Ad Aware, Spybot, and Malwarebytes can pick it up and kill it.
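As an added example (not code from this thread, from HijackThis, or from any tool mentioned in it), here is a small Python triage script that applies the two checks the thread keeps coming back to, on a log in the shape overeem posted in #14: Run-key autostarts pointing into AppData or Temp (like the efgt2.exe entry), and core Windows binaries such as csrss.exe running outside System32, the location test Atomic Rooster gives in #20. It assumes a Vista-era directory layout and a log whose process list ends at a blank line; the sample log is constructed from a few of the posted lines plus one made-up csrss.exe process.

```python
"""Triage a HijackThis-style log: flag Run-key autostarts that point into
user-writable directories and core Windows binaries running from the wrong
place. Added example; not HijackThis code and not from the thread."""
import ntpath
import re

# Directory fragments treated as user-writable (assumes a Vista-era layout).
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\")
# Where each core binary legitimately lives (compared lowercased); any other
# parent directory is suspicious, as in the csrss.exe advice above.
EXPECTED_DIRS = {
    "csrss.exe": {"c:\\windows\\system32"},
    "dwm.exe": {"c:\\windows\\system32"},
    "rundll32.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "explorer.exe": {"c:\\windows"},
}
_O4_RE = re.compile(r"O4 - (\S+): \[([^\]]*)\] (.*)")

def check_process(path):
    """Flag a process whose name is a core binary but whose parent dir is not."""
    name = ntpath.basename(path).lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None or ntpath.dirname(path).lower() in expected:
        return []
    return [("system-binary-outside-system-dir", path)]

def check_autostart(line):
    """Flag an O4 Run entry whose command references a user-writable directory."""
    m = _O4_RE.match(line)
    if not m:
        return []  # 'O4 - Startup: ...' shortcut lines carry no [name]; skipped
    hive, name, command = m.groups()
    if any(frag in command.lower() for frag in WRITABLE_DIRS):
        return [("autostart-from-user-writable-path", f"{hive} [{name}] {command}")]
    return []

def triage(log_text):
    """Return a list of (kind, detail) findings for the whole log."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
        elif in_processes and not line:   # blank line ends the process list
            in_processes = False
        elif in_processes:
            findings.extend(check_process(line))
        elif line.startswith("O4 - "):
            findings.extend(check_autostart(line))
    return findings

# Constructed sample in the shape of the log posted above: lines copied from it
# plus one made-up process line (csrss.exe running from a Temp directory).
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Jonathan\AppData\Local\Temp\csrss.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [WindowsSystem2] C:\Users\Jonathan\AppData\Roaming\efgt2.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""
```

Calling triage(SAMPLE_LOG) returns exactly two findings: the csrss.exe process in Temp and the efgt2.exe Run entry; the vendor autostarts and the System32 processes are left alone.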