Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System Restarts- Used Hijackthis- Ant Install Avg


  • This topic is locked This topic is locked
3 replies to this topic

#1 antifmradio

antifmradio

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ NYC
  • Local time:05:57 AM

Posted 15 June 2008 - 10:04 AM

I have no idea what happened here. THis computer has been running like WATER for almost a year.
i NEVER goto porn sites or any malicious deals like that
THis machine is used in an OFFICE environment only. Creating music, burning discs and doing some graphics + Web design for clients
so lets get into whats happening

1) lastnight my printer started shooting out paper with a single line of code on it (gibberish)
so i shut down hte network card on this machine to keep it off the network

2) i started reacting slowly so i tried to install SmitfraudFIX
i ran it, it did what it was supposed to do but with what seemed ONE step missing ** I cant remember it now cause it was lastnight **

3) i started a defrag whilei went to bed hours ago and got up this morning. It told me several files count NOT be defreged

4 )I restared after defrag and a box said "services and controller app has encountered a problem and needs to shut down"
i Click SEND REPORT

5) When that finished another one came up. I think it says SERVICES could not repsond and the machine needs to shut down.
This then gives you a count down clock which at the end restarts your PC. It has done this twice.
On the second restart, a new box poped up "Look for Porn Setup" with the install or cancel button at the bottom.

I canceled it but hte machine wanted to restart anyway.

It took me a while to install Hi Jack This & AVG 8.0 Free version.

I ran HJT which is posted below however AVG wont install and it says this error of what

"Local Machine installation failed
Initialization:
Error: Connecting to item file avgwdsvc.exe failed
Error 0x800705b4


Here is hte log file
to deal with this i need to save files to an external drive, drag then to this machine and then post them.

HJT LOG





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:41, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\System32\svchost.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\DOCUME~1\eric\LOCALS~1\Temp\2A51.tmp
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Maxtor\Utils\MaxSync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Ae3Desigs
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: HP00163557475E HP00163557475E
O3 - Toolbar: rtsplgob - {4DE15B3F-84EE-4F6F-BA12-B0AB8229C2F1} - (no file)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\eric\cftmon.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [00897de8] rundll32.exe "C:\WINDOWS\system32\empgbank.dll",b
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\eric\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\eric\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with TrueDownloader! - C:\Program Files\TrueDownloader\TrueDownloader.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D84E926-E6B0-4642-B1BF-950B6CCB2118}: NameServer = 85.255.116.174,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{91586041-635D-4562-89B3-F36AC8482E74}: NameServer = 85.255.116.174,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B0F2A7-C721-44A2-A943-1408D8E0A19C}: NameServer = 85.255.116.174,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3412F5E-68DD-43A9-AFB5-51D460F96CF5}: NameServer = 85.255.116.174,85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D84E926-E6B0-4642-B1BF-950B6CCB2118}: NameServer = 85.255.116.174,85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.76
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 8440 bytes

BC AdBot (Login to Remove)

 


#2 Sp0nge

Sp0nge

  • Members
  • 643 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sydney, Australia
  • Local time:04:57 AM

Posted 15 June 2008 - 07:02 PM

Hi antifmradio,

My name is Pat and i'll be taking your log :thumbsup:

I am currently looking over it and will get back to you with some instructions ASAP! :)

Thanks for your patience.

#3 Sp0nge

Sp0nge

  • Members
  • 643 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sydney, Australia
  • Local time:04:57 AM

Posted 16 June 2008 - 01:23 AM

Hi Antifmradio,

One or more of the items you need to remove is a backdoor application can allow attackers to access your computer,
stealing passwords, credit card info, and personal data. From a clean computer, change ALL your on-line passwords for
email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
If you do any on-line banking, or store any financial information on this system, you should immediately call
your financial institution and advise them of the situation so you can secure your accounts. Do NOT change passwords
or do any transactions while using the infected computer because the attacker will get the new passwords and
transaction information.

The best course of action to take is to reformat your PC as there are a lot of nasty infections on it that we may not even
be able to fully get rid of for sure. The backdoor application has probably changed many settings and infected a lot of files.

Please read these topics before you make your decision

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

However if you want to go ahead and try clean up your PC, let me know and we will get started!

Edited by Sp0nge, 16 June 2008 - 01:24 AM.


#4 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:04:57 AM

Posted 21 June 2008 - 06:32 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users