
Infected with iexplore.exe and svchost.exe


This topic is locked
7 replies to this topic

#1 ViTran (Members, 3 posts)

Posted 18 March 2009 - 10:40 PM

:crazy:Help! I have tried downloading malwarebytes to scan my computer, but it won't install. I've tried downloading other programs (ex. Ad-aware), online scanning (trend micro housecall), and hijackthis, and CCleaner. Sometimes when I click on a link, my browser takes me to yellowpages or some other advertising site. I have tried using AUTORUN.exe to disable startup programs but my computer still runs slow. At times it will close my browser or won't let me access any potentially helpful sites (microsoft updates, etc.). Then at odd times of the day or night, I'll hear advertisements playing on the computer but I don't have any applications running. I don't know what to do next. :thumbup2:


DDS (Ver_09-03-16.01) - NTFSx86
Run by hotran711 at 23:27:35.07 on Wed 03/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1056 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Megaupload\Mega Manager\MegaManager.exe
C:\Documents and Settings\hotran711\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\windows\system32\sdra64.exe
BHO: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~2\MEGAUP~1.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
Trusted Zone: nzbmatrix.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237047868764
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: avgrsstarter - avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli \

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hotran~1\applic~1\mozilla\firefox\profiles\7hmqwsh6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-9 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-9 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-9 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-9 298264]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-27 24652]

=============== Created Last 30 ================

2009-03-18 21:17 244 a---h--- C:\sqmnoopt17.sqm
2009-03-18 21:17 232 a---h--- C:\sqmdata17.sqm
2009-03-18 20:56 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-17 00:55 <DIR> --d----- c:\docume~1\hotran~1\applic~1\Uniblue
2009-03-17 00:24 647,552 a------- C:\autoruns.exe
2009-03-17 00:04 <DIR> --d----- c:\docume~1\hotran~1\applic~1\FFSJ
2009-03-17 00:04 794,906 a------- c:\windows\unins000.exe
2009-03-17 00:04 4,196 a------- c:\windows\unins000.dat
2009-03-17 00:04 <DIR> --d----- c:\windows\system32\FFSJ
2009-03-16 23:23 50 a------- c:\windows\MegaManager.INI
2009-03-16 23:08 <DIR> --d----- c:\docume~1\hotran~1\applic~1\Megaupload
2009-03-16 23:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Megaupload
2009-03-16 23:08 <DIR> --d----- c:\program files\MegauploadToolbar
2009-03-16 23:08 <DIR> --d----- c:\docume~1\hotran~1\applic~1\MegauploadToolbar
2009-03-16 23:08 <DIR> --d----- c:\docume~1\hotran~1\applic~1\EmailNotifier
2009-03-16 23:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EmailNotifier
2009-03-16 23:08 <DIR> --d----- c:\program files\Megaupload
2009-03-15 15:04 <DIR> --d----- c:\program files\WinPcap
2009-03-14 13:20 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-03-13 09:31 <DIR> --d----- c:\documents and settings\hotran711\.housecall6.6
2009-03-13 09:23 <DIR> --d----- c:\docume~1\hotran~1\applic~1\HouseCall 6.6
2009-03-12 22:41 55,808 a------- c:\windows\system32\mcenspc.dll
2009-03-09 22:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-09 22:52 <DIR> --d----- c:\program files\common files\Scanner
2009-03-09 22:52 <DIR> --d----- c:\program files\CA Yahoo! Anti-Spy
2009-03-09 20:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-09 20:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-09 20:31 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-09 20:31 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-09 20:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-09 20:31 <DIR> --d----- c:\docume~1\hotran~1\applic~1\AVGTOOLBAR
2009-03-09 20:31 <DIR> --d----- c:\program files\AVG
2009-03-09 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-09 20:21 20,141 a------- c:\windows\system32\AAWService_2009_03_09_20_21_06.dmp
2009-02-26 00:48 <DIR> --d----- c:\docume~1\hotran~1\applic~1\Malwarebytes
2009-02-26 00:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-24 14:26 1,608,264 ---sh--- c:\windows\system32\ugoyusup.ini
2009-02-24 02:26 1,608,264 ---sh--- c:\windows\system32\ogijikuk.ini
2009-02-23 14:26 1,608,264 ---sh--- c:\windows\system32\uheyekuk.ini
2009-02-23 02:26 1,608,251 ---sh--- c:\windows\system32\usobobas.ini
2009-02-22 14:25 1,608,251 ---sh--- c:\windows\system32\arigijah.ini
2009-02-22 02:24 1,608,251 ---sh--- c:\windows\system32\esezivog.ini
2009-02-21 14:24 1,608,264 ---sh--- c:\windows\system32\egagafaf.ini
2009-02-21 02:24 1,608,264 ---sh--- c:\windows\system32\usodatap.ini
2009-02-21 01:31 <DIR> --d----- c:\program files\Lavasoft
2009-02-20 14:24 1,608,251 ---sh--- c:\windows\system32\ipotikat.ini
2009-02-20 02:24 1,608,264 ---sh--- c:\windows\system32\orajufiz.ini
2009-02-19 14:24 1,608,264 ---sh--- c:\windows\system32\efuwuviy.ini
2009-02-19 02:24 1,602,200 ---sh--- c:\windows\system32\iwohimes.ini

==================== Find3M ====================

2009-03-13 09:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-10 22:46 14,012 ac--h--- c:\windows\system32\mlfcache.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll
2008-10-10 23:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101020081011\index.dat

============= FINISH: 23:29:21.31 ===============
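The DDS log above is what a responder reads by hand. As an added example (not code from this thread, from the poster, or from the DDS tool itself), the Python script below scans a DDS "Pseudo HJT Report" and "Created Last 30" excerpt for three things that stand out in this log: a Winlogon Userinit value carrying more than the default userinit.exe (Windows treats that value as a comma-separated list and launches every entry at each logon, so an extra path there is a persistence mechanism), files directly under system32 that carry both the system and hidden attributes, and any Trusted Zone additions. The sample text is constructed from lines of the log above; the default Userinit path, the desktop.ini exclusion and the eight-character attribute field layout are assumptions made by the script.

```python
import re
from typing import Dict, List, Optional

# Assumption: the stock Windows XP Userinit value is this single path (plus a trailing comma).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: lines copied from the DDS log posted above, trimmed to what the checks need.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\windows\system32\sdra64.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
Trusted Zone: nzbmatrix.com

=============== Created Last 30 ================

2009-03-17 00:24 647,552 a------- C:\autoruns.exe
2009-03-14 13:20 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-03-09 20:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-24 14:26 1,608,264 ---sh--- c:\windows\system32\ugoyusup.ini
2009-02-24 02:26 1,608,264 ---sh--- c:\windows\system32\ogijikuk.ini
2009-02-19 02:24 1,602,200 ---sh--- c:\windows\system32\iwohimes.ini
"""

# DDS file entry: "<date> <time> <size or <DIR>> <8-char attribute field> <path>" (assumed layout).
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$",
    re.IGNORECASE,
)


def userinit_extras(line: str) -> List[str]:
    """Return every Userinit entry other than the default userinit.exe.

    Winlogon runs each comma-separated entry at logon, so anything appended
    here executes for every interactive user without a Run key or service.
    """
    m = re.match(r"^mWinlogon:\s*Userinit=(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def hidden_system_file(line: str) -> Optional[Dict[str, str]]:
    """Flag a file directly under \\windows\\system32 with both 's' and 'h' attributes.

    Legitimate files in that folder rarely need both; desktop.ini is the usual
    benign exception and is skipped (assumption). Directories are ignored.
    """
    m = FILE_LINE.match(line.strip())
    if not m or m.group("size") == "<DIR>":
        return None
    attrs = m.group("attrs").lower()
    folder, name = m.group("path").lower().rsplit("\\", 1)
    if ("s" in attrs and "h" in attrs
            and folder.endswith("\\windows\\system32")
            and name != "desktop.ini"):
        return {"path": m.group("path"), "size": m.group("size"), "date": m.group("date")}
    return None


def trusted_zone_entries(line: str) -> List[str]:
    """Return domains added to the IE Trusted Zone; each one gets relaxed security settings."""
    m = re.match(r"^Trusted Zone:\s*(.+)$", line.strip(), re.IGNORECASE)
    return [d.strip() for d in m.group(1).split(",") if d.strip()] if m else []


def triage(dds_text: str) -> Dict[str, list]:
    """Run all three checks over a DDS log and collect the findings."""
    report: Dict[str, list] = {"userinit_extras": [], "hidden_system_files": [], "trusted_zone": []}
    for line in dds_text.splitlines():
        report["userinit_extras"].extend(userinit_extras(line))
        hit = hidden_system_file(line)
        if hit:
            report["hidden_system_files"].append(hit)
        report["trusted_zone"].extend(trusted_zone_entries(line))
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS).items():
        print(f"{key}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

Run against the sample, the script reports the single extra Userinit executable, the three system+hidden .ini files (the GroupPolicy directory and ordinary files are not flagged), and the one Trusted Zone domain. The size column is kept in each file finding because a run of files with near-identical sizes, as in this log, is itself worth noting when reading a DDS report.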


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 28 March 2009 - 02:41 PM

Hello.

Please do the following.

Download and Run Combofix

Important: Before we start, please disable any anti-virus programs or any real-time protection that is enabled.

Please refer to this page if you're unsure how.
  • Please follow the instructions for running Combofix from here
  • Please read the guide carefully and follow every instruction precisely, and remember to install the Recovery Console first.
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Download the appropriate Windows XP setup boot disk and drag it onto Combofix as in the image below:
    [image]
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the Recovery Console, you will see this window.
    [image]
    Please select Yes.
  • Combofix will then run; when Combofix is finished, it will create a log for you. Please copy and paste that log in your next reply.
  • Please post that log in your next reply. (The log is located at C:\ComboFix.txt.)
Note: Please do NOT mouse-click Combofix's window while it is running because it may cause it to stall.

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#3 extremeboy (Malware Response Team, 12,975 posts)

Posted 31 March 2009 - 03:28 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#4 ViTran (Topic Starter, Members, 3 posts)

Posted 31 March 2009 - 10:51 PM

Hi extremeboy!

Sorry for not responding sooner. I didn't know that I had received a response! :thumbup2:

I can't use the infected system now because after having posted my problem, I downloaded ZoneAlarm and installed it. Well now, when I start up my desktop, I log in and it seems like the computer is processing but then it just freezes. I've tried rebooting several times and it ends up with the same results. Any way for me to undo this? It's driving me :)

Arrrgghh....

Thanks for the help.

#5 extremeboy (Malware Response Team, 12,975 posts)

Posted 01 April 2009 - 12:14 PM

Hello.

Can you boot into Safe Mode?

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

Regards,
Extremeboy

#6 ViTran (Topic Starter, Members, 3 posts)

Posted 01 April 2009 - 11:46 PM

Nope, it won't let me boot into safe mode. I have tried pushing the F8 button many times after every reboot to try. Is there another way?

I'll be out of town for the next couple of days so I won't be able to respond, but please don't close this topic. I will respond as soon as I return. Thanks for continuing to help. :thumbup2:

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 02 April 2009 - 12:08 PM

Hello.

Nope, it won't let me boot into safe mode. I have tried pushing the F8 button many times after every reboot to try. Is there another way?

Are you saying you can't get the boot menu?

See if LKGC works: http://support.microsoft.com/kb/307852

With Regards,
Extremeboy

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 April 2009 - 11:38 AM

Hello.

Without a log I cannot help you. Without being able to boot into any mode, I can't help you with removing the malware either.

I suggest you start a topic in the Windows XP forum until you can get your machine bootable and boot into any mode so I can continue to help you. You can also do a reinstall or format as your computer is heavily infected. Shoot me a PM when you need it re-opened.

This topic is now closed.

With Regards,
Extremeboy