SoftwareTipsandTricks Forum

Antivirus XP 2008 Attack


#1
Old 07-05-2008, 03:13 PM
pacjit

Can anyone help? Disabled Task Manager, Help, regedit, System Restore and more. Please help!!

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:12: VIRUS ALERT!, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
F:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
F:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
f:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\WgaTray.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
F:\WINDOWS\system32\lphce6pj0erac.exe
F:\Program Files\rhca6pj0erac\rhca6pj0erac.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\MapSource\gStart.exe
F:\WINDOWS\system32\pphce6pj0erac.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
F:\Program Files\Windows Live\Messenger\usnsvc.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
F:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Dude\Desktop\HiJackThis.exe
F:\Program Files\Windows Live\Mail\wlmail.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: nqgpedlr - {EC4A1CF6-AE63-45C3-B7C7-E427DA6CBFD9} - F:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [APVXDWIN] "F:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "F:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphce6pj0erac] F:\WINDOWS\system32\lphce6pj0erac.exe
O4 - HKLM\..\Run: [SMrhca6pj0erac] F:\Program Files\rhca6pj0erac\rhca6pj0erac.exe
O4 - HKLM\..\Run: [d8ad30f9] rundll32.exe "F:\WINDOWS\system32\ahalkrox.dll",b
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\system32\msconfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] C:\MapSource\gStart.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O21 - SSODL: SrvcKbd - {84928eb4-2b6f-44a5-b74e-26cbe4d91db0} - F:\WINDOWS\Resources\SrvcKbd.dll
O21 - SSODL: axrfgvek - {9D792C86-C839-4CE9-961C-2C5636344221} - F:\WINDOWS\axrfgvek.dll
O23 - Service: Panda Software Controller - Panda Software International - F:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - F:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - F:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - F:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - F:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - f:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINDOWS\privacy_danger\index.htm

--
End of file - 7145 bytes


Thanks
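Added example, not code from the original thread: a small Python triage script that applies the checks a helper would run by eye over the log above (random-looking O4 autorun names, the O7 policy restriction that matches the disabled regedit, O3/O21 DLLs loaded from the Windows directory root, and the file:// O24 desktop component). The heuristics are this example's own assumptions, not HijackThis features; the sample lines are copied from the posted log, with a clean QuickTime entry and ctfmon.exe kept as controls.

```python
import re

# Constructed sample, assembled from entries in the HijackThis log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: nqgpedlr - {EC4A1CF6-AE63-45C3-B7C7-E427DA6CBFD9} - F:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphce6pj0erac] F:\WINDOWS\system32\lphce6pj0erac.exe
O4 - HKLM\..\Run: [d8ad30f9] rundll32.exe "F:\WINDOWS\system32\ahalkrox.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: axrfgvek - {9D792C86-C839-4CE9-961C-2C5636344221} - F:\WINDOWS\axrfgvek.dll
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUN_RE = re.compile(r"Run(?:Once)?:\s+\[([^\]]+)\]\s+(.*)$")
# Heuristic (assumption of this example): an autorun name of 8+ letters/digits
# containing at least one digit reads as machine-generated; names such as
# "ctfmon.exe" or "QuickTime Task" do not match because of the dot or space.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9]{8,}$")
# A DLL sitting directly in the Windows directory rather than under system32.
WINROOT_DLL_RE = re.compile(r"[A-Za-z]:\\windows\\[^\\]+\.dll\b", re.I)


def triage(log_text):
    """Return (section, reason, line) triples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            run = RUN_RE.search(body)
            if run and RANDOM_NAME_RE.match(run.group(1)):
                findings.append((section, "random-looking autorun name", line))
        elif section == "O7" and re.search(r"Disable(Regedit|TaskMgr)=1", body):
            findings.append((section, "policy restriction set", line))
        elif section in ("O3", "O21") and WINROOT_DLL_RE.search(body):
            findings.append((section, "DLL loaded from Windows directory root", line))
        elif section == "O24" and "file:///" in body:
            findings.append((section, "local HTML desktop component", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:38} {line}")
```

The script only points at entries to verify against a known-good list; it removes nothing and is not a substitute for the full-scan advice given later in the thread.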

#2
Old 07-05-2008, 07:16 PM
Baudwalker
Hi

Search for a tool called RRT.EXE (Remove Restrictions Tools)

It will remove the restrictions that you have described and IF it works (I have not tried it) then you will be able to get control again.

I have it but have nowhere to post it for you.

BE CAREFUL...it came as part of a package that included other tools that were INFECTED with 'root kit and w32 variants'

Then again, if you are so far in, another probably won't hurt too much once cleaned.

Cheers

Baudy!!!

#3
Old 07-05-2008, 09:08 PM
Disk_Contented
Quote:
Originally Posted by Baudwalker
Hi

Search for a tool called RRT.EXE (Remove Restrictions Tools)

It will remove the restrictions that you have described and IF it works (I have not tried it) then you will be able to get control again.

I have it but have nowhere to post it for you.

BE CAREFUL...it came as part of a package that included other tools that were INFECTED with 'root kit and w32 variants'

Then again, if you are so far in, another probably won't hurt too much once cleaned.

Cheers

Baudy!!!
You must be joking!

Look at this thread, pacjit: http://www.spywareinfoforum.com/lofi...p/t117812.html

This isn't something you will find an easy answer to here.
__________________
Where there's a will, There's a way.
Pay developers, not Rapidshare!
I know nowt, but at least I'm trying.
Quality, not quantity.
Prevention is better than cure.

#4
Old 07-05-2008, 09:15 PM
Baudwalker
Quote:
Originally Posted by Disk_Contented
You must be joking!

Look at this thread, pacjit: http://www.spywareinfoforum.com/lofi...p/t117812.html

This isn't something you will find an easy answer to here.

Hey... not a problem... whatever floats your boat!!!!!!!!

I had success so I am a happy bunny!

If you feel differently then feel free to do so... it's a free world.

As they said in the 80s... Don't worry... Be happy.

Baudy!

#5
Old 07-05-2008, 09:48 PM
Disk_Contented
"If you feel differently then feel free to do so"
Correct!
In view of your very poor advice, I guess people will do.
The fact you recommend a rootkit-infected fix is secondary, right?

#6
Old 07-06-2008, 01:01 AM
Baudwalker
Quote:
Originally Posted by Disk_Contented
"If you feel differently then feel free to do so"
Correct!
In view of your very poor advice, I guess people will do.
The fact you recommend a rootkit-infected fix is secondary, right?

Oh deary me.

You are going to HAVE to read things better and update your comprehension abilities...

I recommended a TOOL that is readily available BUT that in some gestations can have associated problems. I was **WARNING** to TEST the item before using and indicating that I had found these grubs amongst what I had obtained.

SO... if my WARNING others to be cautious is a problem, then I suggest from now on YOU bypass my posts and get on with YOUR life.

When you are able to recognise a 'flippant' remark you may well not take life so literally nor take umbrage at what others engage in.

SO... if you want to continue this, why not take it to PMs and reduce the bandwidth here and stop adding to the boredom and frustration of others.

I am happy to trade whatever it is you wish to trade but NOT IN A PUBLIC FORUM... this will be my last response to your infantile rantings!

Baudy

#7
Old 07-06-2008, 01:57 PM
Disk_Contented
Quote:
Originally Posted by Baudwalker
this will be my last response to your infantile rantings
Cool!

Pacjit, this looks like it could work for you: http://www.pcadvisor.co.uk/forums/in...02&forumid=1

#8
Old 08-05-2008, 11:39 AM
PDoyle
Just got hit by this Antivirus 2008 bug. Wow! What a PITA.

The emailer was (h-finned1955@smsarch.com) if that helps. I opened an email I thought was from CNN.
I think my Symantec antivirus took care of it. Seems like everything is OK now, but how do I make perfectly sure???
__________________
Pat Doyle
Toshiba Qosmio, Dell lap top, Dell desk top, Treo PDA.

#9
Old 08-05-2008, 04:02 PM
Monty007
Hi, follow the steps on this link: http://www.bleepingcomputer.com/malw...irus-2008-2009
__________________
MCP
MCDST

#10
Old 08-05-2008, 05:00 PM
PDoyle
Thanks for answering my post. This is a great tool but... Before I installed anything else I checked to see if I have xpa.exe, and I do not have it after a search of my C: drive. I have Symantec antivirus and did the full scan a couple of times today, and it seems like it is removed. Is it?

#11
Old 08-06-2008, 06:15 PM
Monty007
Hi, well you can also download SuperAntiSpyware, update it and run a full scan: http://www.superantispyware.com/
To make sure everything is OK, boot your PC in Safe Mode (no networking) and run another full scan with Symantec.

#12
Old 08-07-2008, 12:07 PM
PDoyle
Monty, please take a bow!
Symantec and Spybot - Search & Destroy didn't even touch it! SuperAntiSpyware took it all away. Many thanks.