
desktop taken over after visiting wowhead

Discussion in 'Virus & Other Malware Removal' started by Karzy, Dec 5, 2008.

Thread Status:
Not open for further replies.
Karzy (Thread Starter)
Joined: Dec 5, 2008
Messages: 1
After visiting the site wowhead, I suddenly found that my CPU had multiple viruses. I removed them with ZoneAlarm, but it did not fix the problem with the desktop screen, which now has a "warning" about viruses and trojans and that I should go get them fixed. There is also a bubble that appears which says something like "your computer has been infected, click this bubble to sort problem", and it tries to open an anti-virus web page, real-av.org, even if I don't click the bubble. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:30 PM, on 6/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148712794017
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3918 bytes

Upon reading some other posts, I also decided to run ComboFix. Here is the report:

ComboFix 08-12-05.02 - justin 2008-12-06 12:39:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2508 [GMT 9:00]
Running from: c:\documents and settings\justin.JRB-4700\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.
2008-12-04 18:22 . 2008-12-04 18:22 d-------- c:\program files\Trend Micro
2008-12-04 14:56 . 2008-12-06 12:50 3,104 --a------ c:\windows\system32\ntdll64.exe
2008-12-04 13:53 . 2008-12-06 12:50 4,785 --a------ c:\windows\system32\warning.gif
2008-12-04 13:53 . 2008-12-06 12:50 1,349 --a------ c:\windows\system32\ahtn.htm
2008-12-04 13:53 . 2008-12-06 09:05 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-04 13:48 . 2008-12-04 13:48 32,256 --a------ c:\windows\system32\frmwrk32.exe
2008-12-04 13:48 . 2008-12-04 13:48 1 --a------ c:\windows\system32\uniq.tll
2008-12-04 13:48 . 2008-12-04 13:48 1 --a------ c:\windows\system32\test.ttt
2008-12-02 14:39 . 2008-12-02 15:54 d-------- c:\documents and settings\Mum\Application Data\U3
2008-11-26 14:47 . 2008-11-26 14:47 d-------- c:\windows\system32\scripting
2008-11-26 14:47 . 2008-11-26 14:47 d-------- c:\windows\system32\en
2008-11-26 14:47 . 2008-11-26 14:47 d-------- c:\windows\system32\bits
2008-11-26 14:47 . 2008-11-26 14:47 d-------- c:\windows\l2schemas
2008-11-26 14:44 . 2008-11-26 14:48 d-------- c:\windows\ServicePackFiles
2008-11-18 08:54 . 2004-08-03 23:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys
2008-11-18 08:40 . 2008-09-15 21:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-18 08:40 . 2008-09-08 19:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-18 08:40 . 2008-06-13 20:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-18 08:40 . 2008-06-13 20:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-18 08:40 . 2008-08-14 19:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-18 08:39 . 2008-08-14 19:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-18 08:39 . 2008-08-14 19:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-18 08:39 . 2008-08-14 18:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-18 08:39 . 2008-08-14 18:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-18 08:39 . 2008-04-12 04:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-18 08:39 . 2008-10-24 20:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-18 08:39 . 2008-05-08 23:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-18 08:38 . 2008-10-16 01:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-18 08:34 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-18 08:34 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-11-18 08:34 . 2008-10-16 15:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-11-18 08:34 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-18 08:34 . 2008-10-16 15:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-11-18 08:34 . 2008-10-16 15:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-18 08:34 . 2008-10-16 15:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-11-08 21:08 . 2008-11-08 21:08 d--h----- c:\windows\PIF
2008-11-06 22:26 . 2008-11-06 22:26 d-------- c:\program files\Microsoft Works
2008-11-06 22:26 . 2006-10-26 20:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-06 22:24 . 2008-11-06 22:24 d-------- c:\windows\SHELLNEW
2008-11-06 22:23 . 2008-11-06 22:23 dr-h----- C:\MSOCache
2008-11-06 22:23 . 2008-11-18 09:53 d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-06 22:13 . 2008-11-06 22:22 d-------- c:\documents and settings\justin.JRB-4700\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 03:54 22,659,872 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-06 03:46 307,892 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-29 08:37 2,853,719 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2008-11-20 04:24 --------- d-----w c:\program files\Norton Utilities
2008-11-15 01:41 --------- d-----w c:\program files\World of Warcraft
2008-10-24 12:11 --------- d-----w c:\documents and settings\justin.JRB-4700\Application Data\MailFrontier
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-11 11:03 699,392 ----a-w c:\windows\Internet Logs\xDB4D.tmp
2008-10-10 03:06 --------- d-----w c:\program files\World of Warcraft Public Test
2008-10-10 02:41 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-10 02:17 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-10 02:13 --------- d-----w c:\program files\3.0.2.8916 PTR Installer US-MX
2008-10-09 06:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-09 06:25 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-10-06 13:21 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2008-10-06 09:28 --------- d-----w c:\documents and settings\Michael\Application Data\Ventrilo
2008-09-16 13:27 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"Framework Windows"="frmwrk32.exe" [2008-12-04 c:\windows\system32\frmwrk32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2006-05-27 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\justin.JRB-4700\Application Data\Mozilla\Firefox\Profiles\us1kfug9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - wotlkwiki.info
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 12:49:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2912)
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Speed Disk\NOPDB.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-12-06 12:56:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 03:56:14

Pre-Run: 64,726,376,448 bytes free
Post-Run: 65,156,050,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

186 --- E O F --- 2008-11-27 14:39:00

I hope to hear from you soon, thanks.
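
The following triage script is an added example, not part of the thread or of any tool it mentions. It parses the "Reg Loading Points" section of a ComboFix report in the layout shown above and flags two things a responder would want to see first: Run entries whose command is a bare filename with no directory (the report shows "Framework Windows"="frmwrk32.exe" in that shape), and policy or Security Center values that switch off Task Manager, Active Desktop changes, antivirus/update notifications, firewall monitoring or the firewall itself. The sample input is a constructed subset of the report; the value-name table and the output tuple format are this example's own choices.

```python
"""Triage the "Reg Loading Points" section of a ComboFix report.

Added example (not the thread's or ComboFix's own code). Flags:
  * "bare-run-command": a Run value whose command has no directory part,
    so it is resolved by PATH search at logon rather than by explicit path.
  * "defence-weakening-policy": a value that, at the level shown, disables
    a protection (Task Manager, Active Desktop changes, AV/update
    notifications, firewall monitoring, or the firewall profile).
"""
import re

# Constructed sample: a subset of the section quoted in the thread.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"Framework Windows"="frmwrk32.exe" [2008-12-04 c:\windows\system32\frmwrk32.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

# Value name (lower-cased) -> the numeric setting that weakens a defence.
# This table is the example's own; extend it as your environment requires.
WEAKENING = {
    "disabletaskmgr": 1,
    "nosetactivedesktop": 1,
    "noactivedesktopchanges": 1,
    "antivirusdisablenotify": 1,
    "updatesdisablenotify": 1,
    "disablemonitoring": 1,
    "enablefirewall": 0,
}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r'dword:([0-9a-fA-F]{1,8})$')
DECIMAL_RE = re.compile(r'(\d+)\s*\(0x[0-9a-fA-F]+\)$')


def parse_number(raw):
    """Return the integer for 'dword:00000001' or '1 (0x1)'; None for other data."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = DECIMAL_RE.match(raw)
    if m:
        return int(m.group(1))
    return None


def is_bare_command(raw):
    """True when the quoted command's executable has no drive or directory part."""
    m = re.match(r'^"([^"]*)"', raw.strip())
    if not m:
        return False
    parts = m.group(1).split()
    if not parts:
        return False
    exe = parts[0]
    return "\\" not in exe and "/" not in exe and ":" not in exe


def triage(report):
    """Return a list of (finding, key, value_name) tuples for the report text."""
    findings = []
    key = None
    for line in report.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name, raw = vm.group(1), vm.group(2)
        # Only Run keys launch commands; a bare name there deserves a look.
        if key.lower().endswith("\\run") and is_bare_command(raw):
            findings.append(("bare-run-command", key, name))
        expected = WEAKENING.get(name.lower())
        if expected is not None and parse_number(raw) == expected:
            findings.append(("defence-weakening-policy", key, name))
    return findings


if __name__ == "__main__":
    for finding, key, name in triage(SAMPLE):
        print(f"{finding:26} {name!r} under [{key}]")
```

On the constructed sample this reports two bare Run commands ("nwiz" and "Framework Windows") and four weakening values. The bare-command check is a prompt for review, not a verdict: "nwiz" is a normal NVIDIA entry, so the analyst still confirms each hit against the file's path, signer and creation date, which ComboFix prints alongside the value.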
     
Short URL to this thread: https://techguy.org/776572
