
Infected With System-defender. Now Adaware 2007 Causes Reboot


This topic is locked
3 replies to this topic

#1 littlegiant

  • Members
  • 2 posts

Posted 18 February 2008 - 11:51 PM

Greetings,

I'm at the end of my rope. Last night my computer got infected with the system-defender trojan (and various others, sysclean, etc). This was causing rampant popping up of browser windows imploring me to install some fake System Defender anti-virus tool. I didn't bite and after doing a lot of reading finally managed to get rid of all that using SuperAntiSpyware (free edition). However, I'm certain my system is still compromised because whenever I try to run Adaware 2007, it only runs for about 20 seconds and then my computer reboots (and takes a long time to load afterwards). Also, I'm seeing a lot of unwarranted activity on my network icon (local area connection status) in the system tray even when I'm not browsing the net.

So far I've run Trend Micro House Call, AVG Free and SpyBot. But I can't run Adaware. I desperately need help fixing this. I'm exhausted from reading online all day long trying to come up with a solution. I'm also getting really paranoid.

Not sure if I should be doing this yet but here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:53 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\khooker.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\FreeRamXP\FreeRAM XP Pro 1.40.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\web\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\DOWNLOAD APPS XP\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/homepag2/homepage_remote.htm
N4 - Mozilla: user_pref("browser.startup.homepage", "file:///C:/homepag2/homepag2.htm"); (C:\Documents and Settings\BOSSMAN\Application Data\Mozilla\Profiles\default\2ujlbiaq.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [FreeRAM XP] "C:\FreeRamXP\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O4 - HKCU\..\Run: [TClockEx] C:\PROGRA~1\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Monitor Apache Servers.lnk = G:\web\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\system32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wincjf32 - wincjf32.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O21 - SSODL: ComponentKbd - {a02c4880-ea01-4b60-aba8-1fcaabf0938a} - C:\WINDOWS\Installer\{a02c4880-ea01-4b60-aba8-1fcaabf0938a}\ComponentKbd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2 - Apache Software Foundation - G:\web\Apache2\bin\Apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5820 bytes
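The log above is the data the Malware Response Team reads by hand: each line after "Running processes" carries a HijackThis section code (R0, N4, O2, O4, O20, O23 ...) followed by the entry. As an added example, not part of the original thread and not HijackThis's own code, the following Python script parses that entry format from an excerpt of this very log and applies a few triage rules a responder would apply first: entries whose referenced file is missing from disk, an LSP HijackThis does not recognise, a browser start page set to a local file, and autostart (O4) entries pointing into a Temp directory or at an all-digit file name. The section codes and the "(file missing)" / "Unknown file in Winsock LSP" wording are HijackThis's; the regular expressions and the reason strings are this example's own heuristics. A "file missing" hit is a lead, not a verdict: the orphaned Acrobat BHO in this log is the kind of leftover an uninstall produces, whereas unexplained Winlogon Notify DLLs that no longer exist are worth asking about.

```python
"""Parse a HijackThis v2 log and flag entries worth a second look (added example)."""
import re
from dataclasses import dataclass

# Excerpt of the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:53 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\khooker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/homepag2/homepage_remote.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wincjf32 - wincjf32.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O21 - SSODL: ComponentKbd - {a02c4880-ea01-4b60-aba8-1fcaabf0938a} - C:\WINDOWS\Installer\{a02c4880-ea01-4b60-aba8-1fcaabf0938a}\ComponentKbd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# A HijackThis entry: section code (R0, N4, F2, O4, O23 ...) then " - " then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Heuristics of this example (not HijackThis rules): an autostart whose path
# goes through a \Temp\ directory, or whose file name is only digits.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.I)
DIGITS_NAME_RE = re.compile(r"\\\d+(\.[a-z0-9]{1,4})?\"?(\s.*)?$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why it was flagged
    line: str      # the original log line


def parse_entries(text):
    """Yield (section, body, raw_line) for every Rn/Fn/Nn/On entry in the log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def triage(text):
    """Apply the triage rules to a log and return the list of Findings."""
    findings = []
    for section, body, raw in parse_entries(text):
        if "(file missing)" in body:
            findings.append(Finding(section, "orphaned: referenced file is not on disk", raw))
        if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append(Finding(section, "Winsock LSP not in HijackThis allow-list; verify the file", raw))
        if section in ("R0", "R1") and "file:///" in body:
            findings.append(Finding(section, "browser start page points at a local file", raw))
        if section == "O4" and (TEMP_PATH_RE.search(body) or DIGITS_NAME_RE.search(body)):
            findings.append(Finding(section, "autostart from a Temp directory or an all-digit file name", raw))
    return findings


def summary(findings):
    """Count findings per section code, e.g. {'O20': 2, 'O2': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

Run it on a full log by replacing SAMPLE_LOG with the file contents; the rules are deliberately few so that each hit can be checked against the tutorials linked later in the thread rather than trusted blindly.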

#2 random/random

  • Malware Response Team
  • 2,704 posts

Posted 02 March 2008 - 05:47 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log, along with a description of any problems you are experiencing. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.

#3 littlegiant

  • Topic Starter
  • Members
  • 2 posts

Posted 03 March 2008 - 07:10 AM

Yeah thanks anyway but I couldn't wait any longer as the infected machine was an important backup computer. I was obliged to format the hard drive and reinstall Windows.

About the closest I could get to identifying the problem was narrowing it down to certain strangely named files (usually just a series of random numbers) which would repeatedly get created in my Windows/Temp folder about every five to ten minutes. The minute the files got created, the network icon in my system tray started showing a lot of activity. When I deleted the file, the activity would stop. So using a combination of SpyBot and Process Explorer I was able to keep tabs on the rogue files being created in my Temp directory and immediately delete them but I was never able to track down which file/registry entry/whatever that was actually creating those files. And of course I couldn't live with all that or not being able to run Ad-Aware so I decided to wipe out everything just to be sure.

I know I could probably Google this but if you know of any quick links that lead to some documentation on how to read HiJackThis logs, I'd be very interested in that in case this ever happens again.

(edit)

Oh yeah and I just assumed the worst and considered all the passwords on the infected machine as compromised so I changed them all after formatting and reinstalling Windows.

Edited by littlegiant, 03 March 2008 - 07:12 AM.
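The procedure described in the post above (watch Windows\Temp, spot the numeric-named files as they appear, remove them) can be scripted. The following Python script is an added example, not code from the thread; it polls a directory, reports new files whose names are only digits, and moves them into a quarantine directory named by their SHA-256 instead of deleting them, so the sample survives for a hash lookup or an AV submission. The name pattern, the polling interval and the quarantine layout are this example's own choices. It also handles the failure mode that matters most here: if the move fails because the file is still held open, that is a sharing violation on Windows, and the process holding the handle is the dropper being looked for (Process Explorer's "Find Handle or DLL", searching for the file name, shows which process that is).

```python
"""Poll a directory for new numeric-named files and quarantine them (added example)."""
import hashlib
import os
import re
import shutil
import tempfile
import time

# Files that are "just a series of random numbers", optionally with an extension.
# This is the example's own heuristic for the pattern the post describes.
NUMERIC_NAME_RE = re.compile(r"^\d+(\.[A-Za-z0-9]{1,4})?$")


def snapshot(directory):
    """Map file name -> (size, mtime) for regular files directly in `directory`."""
    out = {}
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                out[entry.name] = (st.st_size, st.st_mtime)
    return out


def new_suspicious(before, after, pattern=NUMERIC_NAME_RE):
    """Names present in `after` but not in `before` that match `pattern`, sorted."""
    return sorted(n for n in after if n not in before and pattern.match(n))


def quarantine(path, qdir):
    """Hash `path`, then move it into `qdir` as <sha256>.bin; return (digest, dest).
    Keeping the file (renamed, outside its original location) preserves evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    digest = h.hexdigest()
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, digest + ".bin")
    shutil.move(path, dest)
    return digest, dest


def watch(directory, qdir, interval=2.0, rounds=None, log=print):
    """Poll `directory` every `interval` seconds; quarantine new numeric-named files.
    `rounds=None` loops until interrupted; an integer bounds the loop. Returns the
    list of (name, digest) pairs quarantined."""
    before = snapshot(directory)
    seen = []
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        after = snapshot(directory)
        for name in new_suspicious(before, after):
            src = os.path.join(directory, name)
            try:
                digest, dest = quarantine(src, qdir)
            except OSError as exc:
                # On Windows a sharing violation here means another process still
                # holds the file open: that process is the one to identify.
                log(f"{time.strftime('%H:%M:%S')} could not quarantine {name!r}: {exc}")
                continue
            log(f"{time.strftime('%H:%M:%S')} new file {name!r} -> {dest} sha256={digest}")
            seen.append((name, digest))
        before = after
        done += 1
    return seen


def demo():
    """Self-check on a scratch directory with two constructed files; returns results."""
    root = tempfile.mkdtemp(prefix="tempwatch_")
    before = snapshot(root)
    for name, data in (("48291", b"abc"), ("notes.txt", b"hello")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    new = new_suspicious(before, snapshot(root))
    digest, dest = quarantine(os.path.join(root, new[0]), os.path.join(root, "quarantine"))
    result = {"new": new, "digest": digest,
              "quarantined": os.path.isfile(dest),
              "original_gone": not os.path.exists(os.path.join(root, new[0]))}
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", "/tmp")
    print(demo())
    watch(target, os.path.join(target, "quarantine"))
```

Polling only shows that a file appeared; to see which process created it, run Sysinternals Process Monitor alongside with a filter on Path beginning with the Temp directory and Operation CreateFile, which records the creating process for each drop.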


#4 random/random

  • Malware Response Team
  • 2,704 posts

Posted 03 March 2008 - 02:09 PM

This is the best publicly available documentation for HijackThis:

http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/
http://www.spywareinfo.com/~merijn/htlogtutorial.php

Since this issue appears to be resolved, this topic is now closed.



