Computer Has Virus - Very Slow Can't Run Explorer


This topic is locked
3 replies to this topic

#1 lukecs


Posted 17 January 2008 - 11:40 PM

Downloaded and started something I shouldn't have, and it wasn't caught by my antivirus software before the computer got infected.

The virus is creating several files in the system32 directory that I am unable to terminate with Ctrl-Alt-Delete. When it boots into Safe Mode the start bar doesn't show, and Windows Explorer, when loaded from Ctrl-Alt-Delete, is very slow. The easiest way to start a program is using Ctrl-Alt-Delete, then clicking File, Run and opening the file in a command prompt.

When attempting to use Ad-Aware 2007 I get a message saying the system administrator has set policies to prevent this installation.

Here's the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:04 PM, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Safe mode

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Spyware Doctor\svcntaux.exe
F:\Program Files\Spyware Doctor\swdsvc.exe
F:\WINDOWS\system32\drivers\spool.exe
F:\WINDOWS\system32\taskmgr.exe
F:\WINDOWS\system32\drivers\spool .exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\ctfmon .exe
F:\WINDOWS\system32\drivers\spool .exe
F:\WINDOWS\system32\ntvdm.exe
F:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=F:\WINDOWS\system32\ddabb.exe
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\drivers\spool.exe F:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SDTray] "F:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [autoload] F:\Documents and Settings\Luke\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] F:\WINDOWS\system32\drivers\spool.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\Wcescomm .exe"
O4 - HKCU\..\Run: [CompanionLink] "f:\program files\companionlink for google calendar\companionlink.exe" -Icon
O4 - HKCU\..\Run: [autoload] F:\Documents and Settings\Luke\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [ntuser] F:\WINDOWS\system32\drivers\spool.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - F:\WINDOWS\system32\drivers\spool.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5636 bytes


Edited by lukecs, 18 January 2008 - 12:02 AM.
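Added example (not from this thread, and not part of HijackThis or any of the tools mentioned in it): a small Python triage script that applies, mechanically, the checks a helper makes by eye on logs like the ones posted here. It flags process names with a space before .exe (spool .exe, ctfmon .exe), names one typo away from a real Windows process (cftmon next to ctfmon), executables living under system32\drivers, extra entries in the UserInit value, BHOs with no name or no file, and services with an unknown owner. The log lines inside it are constructed for the example, modelled on the ones posted in this thread; the process allow-list is a short illustrative set, not a complete one, and every rule is a "look closer" hint rather than a verdict.

```python
"""Triage heuristics for HijackThis-style log lines. Added example, not part
of HijackThis or any tool in the thread; it only understands the line shapes
in the posted logs, and every rule is a "look closer" hint, not a verdict."""
import re
from collections import Counter

# Illustrative allow-list of Windows XP process names (no extension) that
# lookalike files imitate. Assumption: a short sample, not exhaustive.
KNOWN_SYSTEM_PROCESSES = {
    "smss", "csrss", "winlogon", "services", "lsass", "svchost",
    "spoolsv", "ctfmon", "explorer", "taskmgr", "userinit", "alg",
}

# Constructed sample, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\drivers\spool.exe
F:\WINDOWS\system32\drivers\spool .exe
F:\WINDOWS\system32\ctfmon.exe
F:\Documents and Settings\Luke\Local Settings\Application Data\cftmon.exe
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\drivers\spool.exe F:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CEEC8FB8-CA10-483B-919A-B1FFD9009A95} - (no file)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - F:\WINDOWS\system32\drivers\spool.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\swdsvc.exe
"""

PATH_LINE_RE = re.compile(r"^[A-Za-z]:\\")
USERINIT_RE = re.compile(r"UserInit\s*=\s*(.*)", re.IGNORECASE)


def within_one_edit(a: str, b: str) -> bool:
    """Damerau-Levenshtein distance <= 1: one substitution, insertion,
    deletion or adjacent swap (cftmon vs ctfmon)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def check_process_path(path: str) -> list:
    """Rules for one 'Running processes' entry; returns (rule, line) tuples."""
    findings = []
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    if ext.lower() != "exe":
        return findings
    if stem != stem.rstrip():  # "spool .exe": a space before the extension
        findings.append(("space_before_extension", path))
    clean = stem.strip().lower()
    if clean not in KNOWN_SYSTEM_PROCESSES and any(
            within_one_edit(clean, k) for k in KNOWN_SYSTEM_PROCESSES):
        findings.append(("lookalike_name", path))
    if "\\system32\\drivers\\" in path.lower():  # that folder holds .sys files
        findings.append(("exe_in_drivers_dir", path))
    return findings


def check_userinit(line: str) -> list:
    """UserInit should name only userinit.exe; anything else runs at every logon."""
    m = USERINIT_RE.search(line)
    if not m:
        return []
    entries = [e for e in re.split(r"[,\s]+", m.group(1).strip()) if e]
    extra = [e for e in entries if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]
    return [("userinit_extra_entry", line)] if extra else []


def check_hijackthis_item(line: str) -> list:
    findings = []
    if line.startswith("O2 - BHO:") and any(
            tag in line for tag in ("(no name)", "(no file)", "(file missing)")):
        findings.append(("bho_unnamed_or_missing", line))
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        findings.append(("service_unknown_owner", line))
    return findings


def triage(log_text: str) -> list:
    """Route each non-empty line to the matching rule set."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_LINE_RE.match(line):
            findings.extend(check_process_path(line))
        elif line.startswith("F2 -"):
            findings.extend(check_userinit(line))
        else:
            findings.extend(check_hijackthis_item(line))
    return findings


def rule_counts(findings) -> dict:
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
```

Run it and it prints one line per finding; on the constructed sample it raises seven. Anything it flags still needs the usual confirmation (file properties, publisher signature, a reputable scanner) before deletion, because a heuristic that keys on names will also flag the odd legitimate file.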



#2 lukecs


Posted 18 January 2008 - 12:45 AM

Update 1: Was able to get Spybot S&D to run and it detected Win32.BHO.je.

Was able to get Spyware Doctor working and got 493 infections:
Trojan.Virtumonde
Backdoor.CIADoor.13
Trojan.MailSpectre
Rootkit.Agent.EY
Trojan-Downloader.NUS
Rootkit.Agent.DP
Trojan-Downloader.Small.CML
Trojan-Downloader.Agent.BE
Trojan.Popuper

Update 2: Have tried Spyware Doctor, Ad-Aware and Spybot with no success. It keeps on loading spool.exe, cftmon.exe, and iexplorer.exe. When I tried going on the internet to use one of the free scanners the computer was shut down.

Here's an updated log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:24 AM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\drivers\spool .exe
F:\WINDOWS\system32\drivers\spool .exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\drivers\spool .exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Spyware Doctor\svcntaux.exe
F:\Program Files\Spyware Doctor\swdsvc.exe
F:\Program Files\Spyware Doctor\SDTrayApp.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Spyware Doctor\SDTrayApp .exe
F:\WINDOWS\system32\drivers\spool .exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Documents and Settings\Luke\Local Settings\Application Data\cftmon.exe
F:\Documents and Settings\Luke\Local Settings\Application Data\cftmon.exe
F:\WINDOWS\system32\drivers\spool.exe
F:\Documents and Settings\Luke\Local Settings\Application Data\cftmon .exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\WINDOWS\system32\drivers\spool .exe
F:\Documents and Settings\Luke\Local Settings\Application Data\cftmon .exe
F:\Program Files\Google\Google Updater\GoogleUpdater.exe
F:\WINDOWS\system32\drivers\spool .exe
F:\WINDOWS\explorer.exe
F:\Program Files\Spyware Doctor\swdoctor.exe
F:\HijackThis\HijackThis.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - F:\WINDOWS\system32\drivers\spool.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5502 bytes


Update 3: Tried using Vundo Fix. Now when I log in it auto-logs out. There is no way to get the computer going!!!

Update 4: Well, that only took 4 hours. I was able to fix the login problem by going through the instructions on this site: http://windowsxp.mvps.org/peboot.htm
I replaced HKEY_USERS\MyXPHive\Microsoft\Windows NT\CurrentVersion\Winlogon, which was set to F:\Windows\System32\spool.exe, with F:\Windows\System32\Userinit.exe.

Looks like most of my problems are over but I still need to do some system scans and would appreciate some help reviewing the log to make sure nothing else is left.

Update 5: It's still there. Notable things to mention are that Firefox and Internet Explorer crash when I attempt to use them. iexplorer.exe runs in the background along with a few other questionable files, several of which end with " .exe".

Here's the last log. I've given up trying to solve this myself. Maybe you guys can help me. Looking forward to a response.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:11 PM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Spyware Doctor\svcntaux.exe
F:\Program Files\Spyware Doctor\swdsvc.exe
F:\Program Files\Spyware Doctor\SDTrayApp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Spyware Doctor\SDTrayApp .exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\Program Files\Google\Google Updater\GoogleUpdater.exe
F:\HijackThis\secretfile.exe
F:\WINDOWS\system32\taskmgr.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=F:\WINDOWS\system32\ddabb.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8377CCFD-DEDA-4163-9E7B-011E268A018C} - F:\WINDOWS\system32\ddabb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {CEEC8FB8-CA10-483B-919A-B1FFD9009A95} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - F:\Program Files\Helper\superfindout.dll
O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} - F:\WINDOWS\system32\qomnkii.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SDTray] "F:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: qomnkii - qomnkii.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - F:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6299 bytes


Update 6: The fight continues... sorta.
I ran VirtumundoBeGone in Safe Mode as the instructions on that other page suggested. Here is the log file.

[01/18/2008, 16:11:44] - VirtumundoBeGone v1.5 ( VIRTUMUNDOBEGONE.exe)
[01/18/2008, 16:11:52] - Detected System Information:
[01/18/2008, 16:11:52] - Windows Version: 5.1.2600, Service Pack 2
[01/18/2008, 16:11:52] - Current Username: Luke (Admin)
[01/18/2008, 16:11:52] - Windows is in SAFE mode with Networking.
[01/18/2008, 16:11:52] - Searching for Browser Helper Objects:
[01/18/2008, 16:11:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/18/2008, 16:11:52] - BHO 2: {373B77A1-B728-4201-A53F-488D10EB586A} ()
[01/18/2008, 16:11:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:11:52] - Checking for HKLM\...\Winlogon\Notify\ddabb
[01/18/2008, 16:11:52] - Key not found: HKLM\...\Winlogon\Notify\ddabb, continuing.
[01/18/2008, 16:11:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/18/2008, 16:11:52] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/18/2008, 16:11:52] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/18/2008, 16:11:52] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[01/18/2008, 16:11:52] - BHO 7: {CEEC8FB8-CA10-483B-919A-B1FFD9009A95} ()
[01/18/2008, 16:11:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:11:52] - No filename found. Continuing.
[01/18/2008, 16:11:52] - BHO 8: {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} (e404mgr Class)
[01/18/2008, 16:11:52] - BHO 9: {FA16FE06-B462-470E-9653-79C54B1871FF} ()
[01/18/2008, 16:11:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:11:52] - Checking for HKLM\...\Winlogon\Notify\qomnkii
[01/18/2008, 16:11:52] - Found: HKLM\...\Winlogon\Notify\qomnkii - This is probably Virtumundo.
[01/18/2008, 16:11:52] - Assigning {FA16FE06-B462-470E-9653-79C54B1871FF} MSEvents Object
[01/18/2008, 16:11:52] - BHO list has been changed! Starting over...
[01/18/2008, 16:11:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/18/2008, 16:11:52] - BHO 2: {373B77A1-B728-4201-A53F-488D10EB586A} ()
[01/18/2008, 16:11:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:11:52] - Checking for HKLM\...\Winlogon\Notify\ddabb
[01/18/2008, 16:11:52] - Key not found: HKLM\...\Winlogon\Notify\ddabb, continuing.
[01/18/2008, 16:11:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/18/2008, 16:11:52] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/18/2008, 16:11:52] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/18/2008, 16:11:52] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[01/18/2008, 16:11:52] - BHO 7: {CEEC8FB8-CA10-483B-919A-B1FFD9009A95} ()
[01/18/2008, 16:11:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:11:52] - No filename found. Continuing.
[01/18/2008, 16:11:52] - BHO 8: {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} (e404mgr Class)
[01/18/2008, 16:11:52] - BHO 9: {FA16FE06-B462-470E-9653-79C54B1871FF} (MSEvents Object)
[01/18/2008, 16:11:52] - ALERT: Found MSEvents Object!
[01/18/2008, 16:11:52] - Finished Searching Browser Helper Objects
[01/18/2008, 16:11:52] - *** Detected MSEvents Object
[01/18/2008, 16:11:52] - Trying to remove MSEvents Object...
[01/18/2008, 16:11:53] - Terminating Process: IEXPLORE.EXE
[01/18/2008, 16:11:53] - Terminating Process: RUNDLL32.EXE
[01/18/2008, 16:11:53] - Disabling Automatic Shell Restart
[01/18/2008, 16:11:53] - Terminating Process: EXPLORER.EXE
[01/18/2008, 16:11:53] - Suspending the NT Session Manager System Service
[01/18/2008, 16:11:53] - Terminating Windows NT Logon/Logoff Manager
[01/18/2008, 16:11:54] - Re-enabling Automatic Shell Restart
[01/18/2008, 16:11:54] - File to disable: F:\WINDOWS\system32\qomnkii.dll
[01/18/2008, 16:11:54] - Removing HKLM\...\Browser Helper Objects\{FA16FE06-B462-470E-9653-79C54B1871FF}
[01/18/2008, 16:11:54] - Removing HKCR\CLSID\{FA16FE06-B462-470E-9653-79C54B1871FF}
[01/18/2008, 16:11:54] - Adding Kill Bit for ActiveX for GUID: {FA16FE06-B462-470E-9653-79C54B1871FF}
[01/18/2008, 16:11:54] - Deleting ATLEvents/MSEvents Registry entries
[01/18/2008, 16:11:54] - Removing HKLM\...\Winlogon\Notify\qomnkii
[01/18/2008, 16:11:54] - Searching for Browser Helper Objects:
[01/18/2008, 16:11:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/18/2008, 16:11:54] - BHO 2: {373B77A1-B728-4201-A53F-488D10EB586A} ()
[01/18/2008, 16:11:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:11:54] - Checking for HKLM\...\Winlogon\Notify\ddabb
[01/18/2008, 16:11:54] - Key not found: HKLM\...\Winlogon\Notify\ddabb, continuing.
[01/18/2008, 16:11:54] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/18/2008, 16:11:54] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/18/2008, 16:11:54] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/18/2008, 16:11:54] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[01/18/2008, 16:11:54] - BHO 7: {CEEC8FB8-CA10-483B-919A-B1FFD9009A95} ()
[01/18/2008, 16:11:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:11:54] - No filename found. Continuing.
[01/18/2008, 16:11:54] - BHO 8: {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} (e404mgr Class)
[01/18/2008, 16:11:54] - Finished Searching Browser Helper Objects
[01/18/2008, 16:11:54] - Finishing up...
[01/18/2008, 16:11:54] - A restart is needed.
[01/18/2008, 16:12:11] - Attempting to Restart via STOP error (Blue Screen!)

[01/18/2008, 16:17:50] - VirtumundoBeGone v1.5 ( "H:\VirtumundoBeGone.exe" )
[01/18/2008, 16:17:52] - Detected System Information:
[01/18/2008, 16:17:52] - Windows Version: 5.1.2600, Service Pack 2
[01/18/2008, 16:17:52] - Current Username: Luke (Admin)
[01/18/2008, 16:17:52] - Windows is in NORMAL mode.
[01/18/2008, 16:17:52] - Searching for Browser Helper Objects:
[01/18/2008, 16:17:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[01/18/2008, 16:17:52] - BHO 2: {4B461659-0EF3-49DD-8A65-4FA5A17CE88E} ()
[01/18/2008, 16:17:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:17:52] - Checking for HKLM\...\Winlogon\Notify\ddabb
[01/18/2008, 16:17:52] - Key not found: HKLM\...\Winlogon\Notify\ddabb, continuing.
[01/18/2008, 16:17:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[01/18/2008, 16:17:52] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/18/2008, 16:17:52] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/18/2008, 16:17:53] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[01/18/2008, 16:17:53] - BHO 7: {CEEC8FB8-CA10-483B-919A-B1FFD9009A95} ()
[01/18/2008, 16:17:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/18/2008, 16:17:53] - No filename found. Continuing.
[01/18/2008, 16:17:53] - BHO 8: {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} (e404mgr Class)
[01/18/2008, 16:17:53] - Finished Searching Browser Helper Objects
[01/18/2008, 16:17:53] - Finishing up...
[01/18/2008, 16:17:53] - Nothing found! Exiting...


I ran it a second time and it said it was OK, but I don't think so. I opened Firefox and tried to do a scan with HouseCall antivirus, and it came up positive for more viruses, but before I could fix them Firefox crashed.

Here's the current HijackThis log. By the way, I renamed HijackThis like someone suggested in a previous post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:14 PM, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Spyware Doctor\svcntaux.exe
F:\Program Files\Spyware Doctor\swdsvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\alg.exe
F:\Program Files\Spyware Doctor\SDTrayApp.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Spyware Doctor\SDTrayApp .exe
F:\Program Files\Google\Google Updater\GoogleUpdater.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis\secretfile.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=F:\WINDOWS\system32\ddabb.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B461659-0EF3-49DD-8A65-4FA5A17CE88E} - F:\WINDOWS\system32\ddabb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {CEEC8FB8-CA10-483B-919A-B1FFD9009A95} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - F:\Program Files\Helper\superfindout.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SDTray] "F:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - F:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6035 bytes

I'm a little lost as to what to do next but might do a few scans while I await a response. I know you guys are busy. Oh, one more thing to add is that I do have a second computer next to the computer that is infected, so I can switch hard drives and download things on the working computer, then transfer them over via a flash drive. All programs are working somewhat normally now except for fairly frequent crashes of IE and Firefox.

Edited by lukecs, 18 January 2008 - 07:38 PM.
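Added example, not from the thread or from HijackThis itself: a small Python triage pass over the HijackThis log format shown above, which parses each `section - body` line and flags the entries a log helper would review first (the `F3` win.ini load line, unnamed BHOs, `O20` AppInit_DLLs, and `O23` services with an unknown owner, a missing file or a `drivers\` path). The sample lines are copied from the log above; the flagging heuristics are this example's own assumptions, not HijackThis rules, and a flag means "review", not "malicious".

```python
import re

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=F:\WINDOWS\system32\ddabb.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B461659-0EF3-49DD-8A65-4FA5A17CE88E} - F:\WINDOWS\system32\ddabb.dll
O20 - AppInit_DLLs: F:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Task Scheduler (Schedule) - Unknown owner - F:\WINDOWS\system32\drivers\spool.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# HijackThis entries look like "R1 - ...", "O2 - ...", "O23 - ...".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse(log):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def flag(section, body):
    """Return review reasons for one entry (heuristics assumed by this example)."""
    reasons = []
    if section == "F3" and "load=" in body:
        reasons.append("win.ini load= autostart: legacy mechanism, rarely legitimate")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO with no name: check the DLL it points at")
    if section == "O20":
        reasons.append("AppInit_DLLs entry: loaded into every user32 process, verify vendor")
    if section == "O23":
        if "Unknown owner" in body:
            reasons.append("service with no registered owner")
        if "(file missing)" in body:
            reasons.append("service binary not on disk")
        if "\\drivers\\" in body.lower():
            reasons.append("user-mode service hosted under system32\\drivers, unusual location")
    return reasons


def triage(log):
    """Return [(section, body, reasons)] for entries that need a look."""
    hits = []
    for sec, body in parse(log):
        reasons = flag(sec, body)
        if reasons:
            hits.append((sec, body, reasons))
    return hits


if __name__ == "__main__":
    for sec, body, reasons in triage(SAMPLE_LOG):
        print(f"{sec}: {body}\n    -> " + "; ".join(reasons))
```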


#3 lukecs

lukecs
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 21 January 2008 - 12:26 AM

Decided to take the reformat option.

To avoid this happening again I'm going to keep all files off my Windows partition and an image of the hard drive using Norton's Ghost Image. So whenever I have performance issues... which with Windows eventually happens, I can just re-image.

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:20 AM

Posted 02 February 2008 - 03:24 PM

Decided to take the reformat option.

To avoid this happening again I'm going to keep all files off my Windows partition and an image of the hard drive using Norton's Ghost Image. So whenever I have performance issues... which with Windows eventually happens, I can just re-image.

Thanks for letting us know, and sorry we couldn't be of help; as you can see, we handle more than our fair share of logs.

As the problem here seems to be resolved this topic is now closed.
To get it reopened PM a staff member with the address of this thread.
This applies to the topic starter only, everyone else with similar problems start a new topic.

Regards,
SNOWHITE



