Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Explorer Restart Loop ( Winlogon With Starts With "infected" Dll)


  • Please log in to reply
2 replies to this topic

#1 bimbo000

bimbo000

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 18 May 2008 - 01:11 PM

Hi all. At first sorry for my english, I don't speak this language well.

I have windows xp with sp2. Yesterday I downloaded one driver pack, unfortunately with malware (I think).

My windows explorer.exe restarts at every 5-10 seconds. Spybot found virtumonde (or something like this), which I was able to delete from safe mode. Then I run Combofix, and Hijackthis. These reports I will paste here. In log files I found this lines:


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B3F0828-45EF-4734-AE84-780E2A0DA9AC}]
2008-05-17 13:34 371712 --a------ I:\WINDOWS\system32\xxyYPFur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
2008-05-16 00:18 57344 --a------ I:\WINDOWS\system32\jkkHBTMd.dll

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= I:\WINDOWS\system32\jkkHBTMd.dll [2008-05-16 00:18 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHBTMd]
jkkHBTMd.dll 2008-05-16 00:18 57344 I:\WINDOWS\system32\jkkHBTMd.dll

so I tryed to delete this hotkey-s with regedit, but from shellexecutehooks I delete it needlessly, becouse these definitons "comes back" within 3-5 seconds.

The file jkkHBTMd.dll could not be deleted, becouse it uses winlogon.exe (I can't kill this process with task manager). I tryed to delete this file with dellater.exe , but this was unsuccessfull too.

If somebody knows how to solve this problem, please let me know. Thanks for all.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:09, on 2008-05-18
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
I:\Program Files\Alwil Software\Avast4\ashServ.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\Program Files\PowerISO\PWRISOVM.EXE
I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
I:\WINDOWS\system32\ctfmon.exe
C:\GP2000Srv\Server\GP2000Srv.exe
I:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\system32\PnkBstrA.exe
I:\WINDOWS\system32\PnkBstrB.exe
I:\WINDOWS\System32\PAStiSvc.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
I:\Program Files\Alwil Software\Avast4\ashWebSv.exe
I:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
I:\totalcmd\TOTALCMD.EXE
I:\Program Files\Mozilla Firefox\firefox.exe
I:\PROGRA~1\FREEDO~1\fdm.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
I:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] I:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'HÁLÓZATI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Stáhnout &vše FlashGetem - I:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Stáhnout FlashGetem - I:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Az összes letöltése Free Download Managerrel - file://I:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Kijelölés letöltése Free Download Managerrel - file://I:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Letöltés Free Download Managerrel - file://I:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Video letöltése a Free Download Manager-rel - file://I:\Program Files\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "I:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - I:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - I:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - I:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Gépírás 2000 server (GP2KSERVER) - Unknown owner - C:\GP2000Srv\Server\GP2000Srv.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - I:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - I:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - I:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - I:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: STI Simulator - Unknown owner - I:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 6234 bytes

BC AdBot (Login to Remove)

 


#2 bimbo000

bimbo000
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 25 May 2008 - 07:50 AM

thanks for help :) :thumbsup: by

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:23 AM

Posted 13 June 2008 - 07:52 PM

Hello bimbo000

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please post a new Hijackthis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users