Aug 18 2008, 08:48 AM, Post #1
New Member, Group: Members, Posts: 2, Joined: 9-June 08, Member No.: 215,300
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:39 AM, on 8/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Documents and Settings\Gil\Local Settings\Temp\jkos-Gil\binaries\ScanningProcess.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\GIL\Application Data\Mozilla\Profiles\default\v4ppvjid.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GIL\Application Data\Mozilla\Profiles\default\v4ppvjid.slt\prefs.js)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: BhoApp Class - {BA22646F-4258-97FA-F62B-DC4959C115FE} - C:\Program Files\altcmd\altcmd32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/2...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://diy.view22.com/view22/diyapp/View22RTE.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - http://www.iolo.com/app/ocx/UpgradeVerify.ocx
O20 - Winlogon Notify: powerxt - C:\WINDOWS\SYSTEM32\powerxt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Netgear Wireless Domain Login Service (NWDLS) - Unknown owner - C:\WINDOWS\system32\NWDLS.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9829 bytes

Kaspersky:
C:\WINDOWS\system32\USER32.dll/C:\WINDOWS\system32\USER32.dll Infected: Trojan.Win32.Patched.bb 31
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{02655700-7E51-4B76-9109-84F3753F3053}.tmp Infected: Trojan.Java.ClassLoader.ak 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{180F3C09-7421-46CA-9063-4F99CAE57339}.tmp Infected: Trojan.Java.ClassLoader.ak 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{232A81AB-7DBE-4023-9A0E-3049FF4BE736}.tmp Infected: Trojan.Java.ClassLoader.z 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{2E36035A-987C-4620-A3A8-C67E2C62EC74}.tmp Infected: Virus.Win32.Bube.k 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{2E36035A-987C-4620-A3A8-C67E2C62EC74}.tmp Infected: Trojan.Java.Femad 4
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{48BC2E96-1EEF-4E4D-8AF6-FFCE42E62B6B}.tmp Infected: Trojan.Java.Binny.a 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{5237E01A-F35D-4546-B6A2-7D6F1AF602A4}.tmp Infected: Trojan.Java.ClassLoader.ak 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{64ACF567-976D-4D0B-B9D8-1463E92B37E6}.tmp Infected: Trojan.Java.ClassLoader.ak 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{847477DB-A35C-4CFC-A8DD-42126CB21737}.tmp Infected: Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{99ACA4F0-1265-40FB-9F64-2A2594386F19}.tmp Infected: Trojan.Java.ClassLoader.z 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{AC63F89B-EF78-4B70-B0A5-46372AF79CED}.tmp Infected: Trojan.Java.Binny.a 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{B1E9D868-1792-4753-8D27-4968CA4E0632}.tmp Infected: Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{CB247338-2741-4D68-9D10-CC43C695AC81}.tmp Infected: Trojan.Java.ClassLoader.ak 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{CE2C1D5A-12DA-4871-9B23-3B43DEF3A5E3}.tmp Infected: Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{D02732A9-412A-450D-B5C1-4E807B3F9CB7}.tmp Infected: Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{D7F2E4B9-5134-4030-AE03-04978F6D93E2}.tmp Infected: Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{D875BFDD-47F5-4FFB-B543-F49F8D0B5B07}.tmp Infected: Trojan.Java.ClassLoader.z 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{E312B425-B68F-4CBD-B2DE-B7FA19DD53CD}.tmp Infected: Trojan.Java.ClassLoader.z 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{E6FDC7C7-5DA0-44E9-B49D-0B1CE169FF4A}.tmp Infected: Trojan.Java.Binny.a 1
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{85E5E2AC-ECB6-4D7E-8EC9-FB60CB8F0031}\{FE9BEF33-8161-4641-B7CC-E0F2D91F7B01}.tmp Infected: Trojan.Java.ClassLoader.z 1
C:\Program Files\Norton AntiVirus\Quarantine\2986241D.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm 1
C:\Program Files\XPSecurityCenter\install.exe Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.c 1
C:\Program Files\XPSecurityCenter\XPSecurityCenter.dll Infected: not-a-virus:FraudTool.Win32.Reanimator.d 1
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.h 1
C:\WINDOWS\system32\spndt.sys Infected: Backdoor.Win32.Small.fni 1
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.c 1
The selected area was scanned.
Aug 30 2008, 04:31 AM, Post #2
Koutsi, Group: HJT Team Coach, Posts: 3,862, Joined: 8-July 06, From: Finland, Member No.: 75,186
Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. Thanks, and again sorry for the delay.

Please see here for instructions on how to install HijackThis and make a logfile. Save it to a convenient location and include it in your next reply, please.

Next

Please do a scan with Kaspersky Online Scanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.

Please post back with the HijackThis log and Kaspersky report.

Regards
--------------------
Microsoft MVP Consumer Security
Sep 4 2008, 03:09 AM, Post #3
Koutsi, Group: HJT Team Coach, Posts: 3,862, Joined: 8-July 06, From: Finland, Member No.: 75,186
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

--------------------
Microsoft MVP Consumer Security