Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Laptop Infected By Htepo.com


  • Please log in to reply
5 replies to this topic

#1 pm6163

pm6163

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 06 November 2007 - 08:30 PM

My Toshiba Windows XP Home is infected by htepo.com, an error message will pop up when an application was started, the error message reads like: "The application or DLL C:\WINDOWS\system32\fexojb.dll is not a valid Windows image, please check this against your installation diskette".

A web site suggested that VundoFix will be able to remove the htepo.com virus, I tried, it won't work. I also tried CA antivirus, anti-spyware, Ad-Aware, and Spybot, none is able to remove the virus or spyware or malware or whatever it is.

I then follwowed the instructions on this web site, ran through cleanmgr, Ad-aware, SPybot, McAfee Stinger, finally come down to HijackThis, still, the error message pops up, the following is the result of HijackThis, please help, thanks a lot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:21, on 2007-11-5
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\odfwbc28.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\System32\winnatkc.exe
C:\Program Files\Common Files\?dobe\m?config.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Windows Media Player\svchost.exe,
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mnsa] C:\DOCUME~1\Hhuhua\LOCALS~1\Temp\mnso.exe
O4 - HKLM\..\Run: [cnndiag] C:\WINDOWS\sysc10trg.exe
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\system32\sesms32.exe
O4 - HKLM\..\Run: [ksddi] C:\WINDOWS\system32\kconf.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [netdex] C:\WINDOWS\system32\netdex.exe
O4 - HKLM\..\Run: [Sund32] C:\WINDOWS\system32\dentwin.exe
O4 - HKLM\..\Run: [regstd] C:\WINDOWS\system32\regstd.exe
O4 - HKLM\..\Run: [stwin32] C:\WINDOWS\system32\stwin32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [odfwbc28] C:\WINDOWS\System32\odfwbc28.exe
O4 - HKLM\..\Run: [stwndex] C:\WINDOWS\system32\stwndex.exe
O4 - HKLM\..\Run: [sdktool] C:\WINDOWS\system32\mssdk.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKLM\..\Run: [344087e0] rundll32.exe "C:\WINDOWS\system32\svhetone.dll",b
O4 - HKLM\..\Run: [sygwin.exe] C:\WINDOWS\sygmp3.exe -s
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pndupukf] "C:\Documents and Settings\Hhuhua\Application Data\??mbols\r?gedit.exe"
O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\Hhuhua\APPLIC~1\CURITY~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Ukpc] C:\WINDOWS\?dobe\n?tdde.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [Pxu] "C:\Program Files\Common Files\?dobe\m?config.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\od5media.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin8USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O20 - AppInit_DLLs: offfrtut.dll confcnn.dll onfksd.dll ksstat.dll odfwbcmz28.dll con321.dll pmspwups.dll fexojb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\dibo.html

--
End of file - 9226 bytes

Edited by pm6163, 06 November 2007 - 08:32 PM.


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:54 AM

Posted 07 November 2007 - 11:40 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum pm6163
My name is Richie and i'll be helping you to fix your problems.

You have a Backdoor Trojan present on your pc
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one,if not an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breech.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then fair enough,but there’s no way I can guarantee your pc will be 100% safe once we’ve finished.
Let me know how you wish to proceed.
Posted Image
Posted Image

#3 pm6163

pm6163
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 07 November 2007 - 12:17 PM

Thanks, Richie, for the reply. A few more questions:
1. if I re-install the Windows, everything on the hard drive shall be wiped out, I then shall be OK, virus-free, to continue using this Laptop?
2. Will the virus spread to the computers connected to the router without me knowing? Are the other computers OK to use if I don't see any pop-ups like my Tosghiba laptop?
Thanks again.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:54 AM

Posted 07 November 2007 - 06:23 PM

1. if I re-install the Windows, everything on the hard drive shall be wiped out, I then shall be OK, virus-free, to continue using this Laptop?

Yes,if you reformat the drive before reinstalling XP,don't try reinstalling over the top of the current install.

2. Will the virus spread to the computers connected to the router without me knowing? Are the other computers OK to use if I don't see any pop-ups like my Tosghiba laptop?

Should'nt do,you should disconnect the infected machine from the network as soon as possible,just in case.
Posted Image
Posted Image

#5 pm6163

pm6163
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 08 November 2007 - 07:44 AM

Thanks, Richie. I will re-install the Windows from backup CD which shall reformat the whole hard drive.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:54 AM

Posted 08 November 2007 - 07:49 AM

You're most welcome,hope all goes well :thumbsup:
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users