Random System Files Opening
I've just reformatted, and I'm having a terrible problem.
At first I thought it was just a bug I got from IE (had to use it to get Firefox).
So I reformatted again and got Firefox from a friend. But the problem still exists.
I'd be gracious if anyone can help.
Here's my HijackThis:
Logfile of HijackThis v1.98.2
Scan saved at 4:00:29 PM, on 12/24/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Naxhil\Desktop\Applications\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\logs.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\paint.exe
O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\Run: [Winamp media player] winapa.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\RunServices: [No service] tskmger.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunOnce: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
Comments
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\logs.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\paint.exe
O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\Run: [Winamp media player] winapa.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\RunServices: [No service] tskmger.exe
O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunOnce: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKCU\..\RunOnce: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe
Fix those entries, then find and delete the files listed above. I'm not sure which folder the malicious iexplore.exe is in, but check each result to make sure it's not the Microsoft one.
Once you've done that, reboot and post a new log.
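As an added illustration (not code from this thread or from HijackThis itself), here is a small Python triage helper that parses O4 lines in the format shown above and flags the patterns the reply singles out: a bare filename with no directory, a name that imitates a Windows system binary, a value name that advertises a different executable, and the same file registered in Run, RunServices and RunOnce of one hive. The SYSTEM_STEMS set, the reason strings and the 0.8 similarity threshold are my assumptions; the sample lines are copied from the first log.

```python
import difflib, re
from collections import defaultdict
# Constructed sample: O4 lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\logs.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Hypothetical, deliberately short set of Windows binary name stems that droppers imitate.
SYSTEM_STEMS = {"svchost", "winlogon", "lsass", "services", "taskmgr", "iexplore", "explorer", "wuauclt"}
BARE = "no directory given, so the name is resolved by a PATH search"
LOOKALIKE = "file name imitates a Windows system binary"
MISMATCH = "value name advertises a different executable"
TRIPLE = "registered in Run, RunServices and RunOnce of the same hive"

def parse_o4(log):
    """Yield (hive, key, value_name, executable) for every O4 line in a HijackThis log."""
    for line in log.strip().splitlines():
        m = O4_RE.match(line)
        if not m: continue
        cmd = m["cmd"]
        # A quoted command keeps spaces in its path; otherwise the executable ends at the first space.
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        yield m["hive"], m["key"], m["name"], exe

def lookalike(stem):
    """True when the stem is close to, but not exactly, a system binary name (e.g. svmhost vs svchost)."""
    return stem not in SYSTEM_STEMS and any(difflib.SequenceMatcher(None, stem, s).ratio() >= 0.8 for s in SYSTEM_STEMS)

def triage(log):
    """Return {executable basename: sorted reasons} for entries worth a closer look."""
    reasons, keys_seen = defaultdict(set), defaultdict(set)
    for hive, key, name, exe in parse_o4(log):
        base = exe.rsplit("\\", 1)[-1].lower()
        stem = base[:-4] if base.endswith(".exe") else base
        keys_seen[(hive, base)].add(key)
        if "\\" not in exe: reasons[base].add(BARE)
        if lookalike(stem): reasons[base].add(LOOKALIKE)
        if name.lower().endswith(".exe") and name.lower() != base: reasons[base].add(MISMATCH)
    for (_, base), keys in keys_seen.items():
        if {"Run", "RunServices", "RunOnce"} <= keys:
            reasons[base].add(TRIPLE)
    return {base: sorted(r) for base, r in reasons.items()}
```

Treat hits as items to review rather than verdicts: a legitimate entry such as nwiz.exe /install from the later log also trips the bare-filename rule.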
Scan saved at 10:11:15 PM, on 11/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Documents and Settings\Naxhil\Desktop\Applications\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [*windows update] wuacrlt.exe
O4 - HKLM\..\RunServices: [*windows update] wuacrlt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [*windows update] wuacrlt.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
Here's my new log
O4 - HKLM\..\RunServices: [*windows update] wuacrlt.exe
O4 - HKCU\..\Run: [*windows update] wuacrlt.exe
Fix those entries then find and delete wuacrlt.exe, reboot and post a new log.
Scan saved at 9:08:15 PM, on 11/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
C:\Documents and Settings\Naxhil\Desktop\Applications\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [*windows update] wuacrlt.exe
O4 - HKLM\..\RunServices: [*windows update] wuacrlt.exe
O4 - HKCU\..\Run: [*windows update] wuacrlt.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E40DFCB-BA3A-436E-A1E9-53F179D33A11}: NameServer = 166.102.165.11 166.102.165.13
The only wuacrlt.exe files I found were in prefetch files, and I deleted them.
http://housecall.trendmicro.com/
To me, it looks like it opens cmd and ftp, downloads trojans, then destroys the computer... I reformatted (again