really bad worm problem

I have a good recommendation: download http://download.bleepingcomputer.com/sUBs/ComboFix.exe

ComboFix probably removes ANY virus. Boot into Windows normally, not safe mode or anything of the such. Go to that website and download it. Save it as something like 123.exe, but not combofix, because most trojans/viruses disable it. After you save it, run it and let it finish; it may take ten minutes to two hours. Do NOT open any other programs while it's running. Your screen will flicker and the computer will act like it's going all funky; this is normal. After it's done running it will close and a log will pop up. This should fix your problem.
 
Spec - ComboFix does not scan encrypted files... So that renders it nearly useless... Nor is it designed for 64-bit OSes, so if Overeem is on a 64-bit processor it will be rendered useless... To my understanding, it is only able to pick up on viruses that are 32-bit, and not on 64-bit or backwards compatible either... (though I could be wrong about that one).
 
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hp\HP Software Update\HPWUCli.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com/dvdvideosoft?gcht=SD&o=13162&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowsSystem2] C:\Users\Jonathan\AppData\Roaming\efgt2.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0028111241742958) (0028111241742958mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\002811~1.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10136 bytes
 
mk sorry but that's the logfile from the HijackThis program.

I had to shorten it up but that's it.


Thanks again to everyone for helping; seriously, it's been a nightmare. I hate the paranoia.

OK so I found out I have Trojan Generic.dx.
So how can I remove it? It recreates itself every 5 seconds....
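One way to triage a HijackThis log like the one posted above, as an added example that is not from the thread or from HijackThis itself: it parses the O4 autorun and O23 service lines and flags entries whose binary runs from a user-writable or temp directory, which is where a reviewer would look first. The regex shapes, the directory list and the sample lines (copied from the log above) are my assumptions, not anything the tool itself defines.

```python
import re

# Added example (not from the thread): flag HijackThis O4/O23 persistence entries
# whose binary lives in a user-writable or temp directory; malware favours those
# paths because writing there needs no admin rights.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\", "\\users\\public\\")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|scr|com|bat))(?:\s|$)", re.IGNORECASE)

def extract_exe(cmd):
    """Pull the executable path out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\path with spaces\x.exe" /args
        return cmd[1:cmd.find('"', 1)]
    m = EXE_RE.match(cmd)                        # unquoted path that may contain spaces
    return m.group(1) if m else cmd.split()[0]

def triage(line):
    """Return (entry_name, exe_path, reasons) for an O4/O23 line, else None."""
    m = O4_RE.match(line)
    if m:
        name, path = m.group("name"), extract_exe(m.group("cmd"))
    else:
        m = O23_RE.match(line)
        if not m:
            return None                          # some other HijackThis section
        name, path = m.group("name"), m.group("path")
    reasons = []
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("binary in user-writable or temp directory")
    return name, path, reasons

def suspicious_entries(log_lines):
    """Entries from a HijackThis log that tripped at least one heuristic."""
    return [r for r in map(triage, log_lines) if r and r[2]]

# Lines copied from the log posted above; the last two are the ones to question first.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r'O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey',
    r"O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter",
    r"O4 - HKCU\..\Run: [WindowsSystem2] C:\Users\Jonathan\AppData\Roaming\efgt2.exe",
    r"O23 - Service: McAfee Application Installer Cleanup (0028111241742958) (0028111241742958mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\002811~1.EXE",
]

if __name__ == "__main__":
    for name, path, reasons in suspicious_entries(SAMPLE_LOG):
        print(f"{name}: {path} <- {', '.join(reasons)}")
```

Feed it the whole pasted log (one string per line) to get the short list of entries worth checking by hand; a hit is a prompt to investigate, not proof of infection.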
 
Atomic - I used to be on BleepingComputer... I read that "guide" 3 times before even downloading it... Plus I just re-read it just for the hell of it... I see nowhere that it mentions Windows Vista (or even XP 64-bit)... I suggest you get a 64-bit OS and try their little guide and let's see how far you get... (please don't mistake the 32-bit Vista for the 64-bit Vista).

By the way, I have a post on there about how BleepingComputer does not put much support on 64-bit OSes; Malwarebytes, ComboFix, and HijackThis (among others) were all mentioned, and no one, not even the admins, tried saying ComboFix or Malwarebytes would run on a 64-bit system, until now... You. So unless you are saying that the same website you referenced is wrong, then I guess you might just want to bite the bullet here.

Also next time you want to try to prove me wrong, please do me a favor. Use a site that does not promote methods and techniques that are from the late 1900's; it is the 21st century not the 20th...

Overeem - From what you showed, and what you said... it does seem that it is within the polymorphic field (not saying it is polymorphic). Without losing your data, do a system restore (this is of course assuming that it has not been affected by the virus). I would suggest trying to do a boot scan (this is of course assuming the virus hasn't messed with the MBR (Master Boot Record)). You could also try a live CD that will scan your system (TRK (Trinity Rescue Kit) is a good source for this). If neither of those works, then (at the moment I have nothing else to think of) you may have to re-format your entire drive and start fresh.
 
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. If you are using Windows Vista, and receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
Windows Vista users can use their Windows DVD to boot up into the Vista Recovery Environment.
Created: January 4, 2008 3:55 PM
:p
 
And system restore will NOT work, because the majority of very badly coded rootkits/trojans infect your system restore files.


Uhm, you are not correct there, sir. I've used ComboFix on multiple computers, including 64-bit operating systems and including Vista. Get your facts straight.
 
Atomic - Wow I am surprised, I re-looked right where you said, and there it was... My bad, sorry...
Though personally, I find it hilarious that it wants you to use Vista Recovery.... Just so you can use Command...

Spec - I too have put ComboFix on a Vista 64-bit... Though it crashed, so I ripped it apart to see the code, and well, unless you understand code better than I do... then you would have realized that the code was designed for (not only 32-bit, and doesn't seem to have much support for 64-bit designs period) old (meaning late 1900's, though I did find a couple from the early 2000's (around like 2002 or 2003)) techniques.. It does not even support half of the good (by good I mean hard to find or detect) exploits... Nor does it seem to have much support for the design period of Windows Vista... WINE does not operate the same as the old school Windows platform... (Yes, Vista uses WINE, though if I remember correctly (as I know a couple of the programmers of Vista and Windows 7) the WINE used for Vista is not the WINE used for Linux).
I would love to see ComboFix even try to find even one of my old viruses I made when I was like 14 or so... Granted, yes, it still can be useful for some good exploits, but still it is not what it is cracked up to be...

But to get back to this person's problem, I am sorry but not even ComboFix can scan encrypted files... So it does still render it useless...
 