Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log


  • This topic is locked This topic is locked
38 replies to this topic

#1 Matthew.

Matthew.

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 24 March 2009 - 07:41 PM

Hello. I am infected. After the infection took place, my first instinct was to download and run super antispyware. That got rid of the annoying red circle display telling me to download a new anti spyware. However, now I cannot go into task manager or registry keys. It says that it has been disabled by the adminstrators. At the same time, when my speakers are on, there are random ad bits jsut constantly playing over and over even though I have no media players on. My desktop background cannot be changed as well. It has been fixed to some kind of colourful picture of rectangles. =\ Anyways, I have posted a HijackThis Log and would like to thank whoever in advance for helping me with this probem. =)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:31 PM, on 24/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\servicelayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Dev-Cpp\DevCpp.exe
C:\WINDOWS\amoumain.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6efdc647-881a-4f72-95c3-ba27d3d8fed4} - C:\WINDOWS\system32\gumapoke.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [hedivuromi] Rundll32.exe "C:\WINDOWS\system32\bubeguto.dll",s
O4 - HKLM\..\Run: [CPM231e2139] Rundll32.exe "c:\windows\system32\sofofuhi.dll",a
O4 - HKLM\..\Run: [202d12a5] rundll32.exe "C:\WINDOWS\system32\begimepo.dll",b
O4 - HKLM\..\Run: [Epudecebezudana] rundll32.exe "C:\WINDOWS\Nyereriwedok.dll",e
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\ac3filtert.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [amoumain] C:\WINDOWS\amoumain.exe
O4 - HKLM\..\Run: [servicelayer] C:\WINDOWS\servicelayer.exe
O4 - HKLM\..\Run: [Qpizucize] rundll32.exe "C:\WINDOWS\uwemidaribiy.dll",e
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\ac3filtert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\ac3filtert.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\system32\ac3filtert.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [hedivuromi] Rundll32.exe "C:\WINDOWS\system32\bubeguto.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.kccsoft.com/authorware_web_files/awswaxd.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} (Sony SNC-DF70 Control) - http://oasisservery.webcam.carleton.ca/pro...SncDf70View.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194739310562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199394351354
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/kdfx/k...37/kdfense8.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wewusigo.dll silvjp.dll c:\windows\system32\sofofuhi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11156 bytes

BC AdBot (Login to Remove)

 


#2 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 29 March 2009 - 08:13 PM

How come I can't post the log created by DDS? It keeps saying, "There is an error with your BBCode. It is possible that you have incorrectly used a tag such as [TAG] when it is meant to be used as [TAG=] or vice-versa."
I'm clearly not using any BB Cose as I am just copying and pasting from the text file. =(

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,958 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:42 PM

Posted 03 April 2009 - 01:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

I'm clearly not using any BB Cose as I am just copying and pasting from the text file


Be sure that you are using Notepad as the text editor. Please let us know if you still cannot post the DDS log.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 03 April 2009 - 11:30 PM

Thank you for the reply! I re-scanned with DDS but again, I still cannot copy and paste the text onto here. It's still the same problem with my BBCode. Anyways, I have attached the DDS log with this post jsut in case a staff decides to ask for it in the next post. Sorry for the inconvenience.

Attached Files

  • Attached File  DDS.txt   13.48KB   5 downloads


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:42 AM

Posted 04 April 2009 - 07:32 AM

Hi Matthew.,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please use the ADDREPLY botton and not the FASTREPLY botton. When using notepad make sure the wordwrap under File menu is not selected.
If you have still difficultly to copy and paste attach the logs.
  • Tell me if you have changed anything since your initial post. If you have run other tools post also the logs or attach them if available. Please tell me about the current condition of the computer and the problems you are having.

  • To get an idea about the current condition of you computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

    Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

    Note 2: The tool takes not more than one minute to scan the system.
You might want to save this page on your favorites, so you can find it again when you return.

#6 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 04 April 2009 - 10:36 AM

Hi farbar,

Thank you for assisting me with my problems.
1. Since the last scan was made, there were no changes made to my computer. So far, the current condition of my computer seems to be stable. There are the odd times when I click on a weblink and it re driects me to a completely different page. As well, I notice I have so many more processes running in the task manager and my desktop background cannot be changed; the wallpaper selection is greyed out.

2. Here are the logs scanned by RSIT:

EDIT: I tried copying and pasting the information. Again, an error with BBCode. I checked notepad, word wrap is also turned off. I have included both of the logs created by RSIT in the attachment.

Attached Files

  • Attached File  info.txt   23.49KB   7 downloads
  • Attached File  log.txt   30.76KB   4 downloads


#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:42 AM

Posted 04 April 2009 - 11:00 AM

Hi Matthew,

You are welcome. We will take care of all those issues.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. We are not here to pass judgment on file-sharing as a concept. But file-sharing is used to infect users as tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • You have the latest version of Java (Java™ 6 Update 13) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    J2SE Runtime Environment 5.0 Update 8
    Java™ 6 Update 2
    Java™ SE Runtime Environment 6 Update 1


  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please copy and paste a fresh Hijackthis log to your reply.


#8 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 04 April 2009 - 11:51 AM

Sorry for the wait. I didn't realize I my msn had a new mail. Anyways, I scanned my computer with MalwareBytes and found a crapload of infects. There were about 3 files that couldn't be removed and I was promted to restart the computer. I did as asked. This post will include the log created by MBAM and a fresh HijackThis log. Also, I also encountered a problem. After the scan finished and I restarted my computer. Out of the blue, I'm starting to get pornographic pop up's. I never got them before the scan but now it's popping up almost every 2 minutes.

Malwarebytes' Anti-Malware 1.35
Database version: 1939
Windows 5.1.2600 Service Pack 2

04/04/2009 12:34:44 PM
mbam-log-2009-04-04 (12-34-44).txt

Scan type: Quick Scan
Objects scanned: 68622
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 18
Registry Data Items Infected: 12
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6efdc647-881a-4f72-95c3-ba27d3d8fed4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6efdc647-881a-4f72-95c3-ba27d3d8fed4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000005-0000-0000-0000-100011000004} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hedivuromi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm231e2139 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202d12a5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amoumain (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sms (Worm.P2P) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\epudecebezudana (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qpizucize (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servicelayer (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass (Trojan.Alphabet) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\amoumain.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\sms.exe (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\Nyereriwedok.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\uwemidaribiy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\tmp0023951.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp7176105.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp8424971.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp9695777.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matthew\Local Settings\Temp\60325cahp25ca0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ac3filtert.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\servicelayer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\svx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vlc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\svw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matthew\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.










Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:41 PM, on 04/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\alg.exe
C:\WINDOWS\spool.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\vVJ.exe
C:\WINDOWS\System32\mshta.exe
c:\vVJ.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
c:\vVJ.exe
c:\vVJ.exe
c:\vVJ.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [alg] C:\WINDOWS\alg.exe
O4 - HKLM\..\Run: [spool] C:\WINDOWS\spool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [Msn2] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost2] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad2] c:\vVJ.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [hedivuromi] Rundll32.exe "C:\WINDOWS\system32\bubeguto.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.kccsoft.com/authorware_web_files/awswaxd.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} (Sony SNC-DF70 Control) - http://oasisservery.webcam.carleton.ca/pro...SncDf70View.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194739310562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199394351354
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/kdfx/k...37/kdfense8.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wewusigo.dll silvjp.dll c:\windows\system32\sofofuhi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 10499 bytes

#9 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 04 April 2009 - 12:26 PM

Quick Update: I opened task manager and noticed that there were like 6 to 7 vVJ.exe files running and drwtsn.exe32.exe running. These are processes I have not seen before. I check my task manager everytime I turn on my computer.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:42 AM

Posted 04 April 2009 - 05:24 PM

Hi Matthew.,

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.


#11 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 04 April 2009 - 09:49 PM

Alright nice, I followed your instructions and here are the logs!

ComboFix 09-04-04.01 - Matthew 2009-04-04 22:26:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.206 [GMT -4:00]
Running from: c:\documents and settings\Matthew\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\alg.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\opemigeb.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ILVMONEYDRIVER53
-------\Service_IlvMoneyDRIVER53


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 22:11 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-04-04 14:30 . 2009-04-04 14:30 245,248 --a------ C:\CwF.exe
2009-04-04 14:30 . 2009-04-04 14:30 8,150 --a------ C:\qKFRrMJr.bat
2009-04-04 14:30 . 2009-04-04 14:30 178 --a------ C:\usXDxfBj.bat
2009-04-04 12:42 . 2009-04-04 12:43 245,248 --a------ C:\vVJ.exe
2009-04-04 12:42 . 2009-04-04 12:42 8,150 --a------ C:\RC3.bat
2009-04-04 12:42 . 2009-04-04 12:42 1,536 --a------ C:\0xf9.exe
2009-04-04 12:42 . 2009-04-04 12:42 178 --a------ C:\tlEC53da.bat
2009-04-04 12:26 . 2009-04-04 12:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-04 12:26 . 2009-04-04 12:26 <DIR> d-------- c:\documents and settings\Matthew\Application Data\Malwarebytes
2009-04-04 12:26 . 2009-04-04 12:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 12:26 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 12:26 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 11:27 . 2009-04-04 11:27 <DIR> d-------- C:\rsit
2009-04-01 15:02 . 2009-04-01 15:01 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-26 19:02 . 2009-03-26 19:37 <DIR> d-------- c:\documents and settings\Matthew\DoctorWeb
2009-03-26 17:34 . 2009-03-26 17:34 311,808 --a------ c:\windows\spool.exe
2009-03-24 17:30 . 2009-03-24 17:30 <DIR> d-------- c:\documents and settings\Matthew\Application Data\Uniblue
2009-03-24 13:14 . 2009-03-26 17:34 162 --ahs---- c:\windows\system32\539824650.dat
2009-03-05 22:57 . 2009-03-05 22:57 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-05 22:57 . 2009-03-05 22:57 <DIR> d-------- c:\documents and settings\Matthew\Application Data\SUPERAntiSpyware.com
2009-03-05 22:57 . 2009-03-05 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-05 20:33 . 2009-03-05 20:33 35,743 --a------ c:\windows\system32\AAWService_2009_03_05_19_33_47.dmp
2009-03-05 16:45 . 2009-03-05 16:45 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-05 16:43 . 2009-03-06 11:14 <DIR> d-------- c:\program files\Lavasoft
2009-03-05 16:43 . 2009-03-06 11:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-05 16:15 . 2009-03-05 16:15 153 --a------ c:\windows\wininit.ini
2009-03-05 14:01 . 2009-03-06 00:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 02:31 --------- d-----w c:\program files\DC++
2009-04-05 02:31 --------- d-----w c:\documents and settings\Matthew\Application Data\Azureus
2009-04-04 20:09 --------- d-----w c:\program files\Warcraft III
2009-04-04 18:55 --------- d-----w c:\program files\Garena
2009-04-04 16:24 --------- d-----w c:\program files\Java
2009-03-06 02:57 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-04 22:28 --------- d-----w c:\program files\Steam
2009-03-02 06:26 61,248 ----a-w c:\documents and settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2009-02-06 04:09 --------- d-----w c:\documents and settings\Matthew\Application Data\Dev-Cpp
2008-11-06 22:09 136 ---ha-w c:\documents and settings\Matthew\Application Data\lakerda1967.sys
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2001-08-18 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2004-08-04 02:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\ServicePackFiles\i386\tcpip.sys
2006-04-20 07:51 359808 021415ad071ef3944c27dc9597ed2214 c:\windows\system32\dllcache\tcpip.sys
2006-04-20 07:51 359808 021415ad071ef3944c27dc9597ed2214 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-14 655360]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-28 413696]
"spool"="c:\windows\spool.exe" [2009-03-26 311808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Msn"="c:\vVJ.exe" [2009-04-04 245248]
"MsnHost"="c:\vVJ.exe" [2009-04-04 245248]
"MsnLoad"="c:\vVJ.exe" [2009-04-04 245248]
"Msn2"="c:\vVJ.exe" [2009-04-04 245248]
"MsnHost2"="c:\vVJ.exe" [2009-04-04 245248]
"MsnLoad2"="c:\vVJ.exe" [2009-04-04 245248]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Msn"="c:\CwF.exe" [2009-04-04 245248]
"MsnHost"="c:\CwF.exe" [2009-04-04 245248]
"MsnLoad"="c:\CwF.exe" [2009-04-04 245248]
"Msn2"="c:\CwF.exe" [2009-04-04 245248]
"MsnHost2"="c:\CwF.exe" [2009-04-04 245248]
"MsnLoad2"="c:\CwF.exe" [2009-04-04 245248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):6c,6f,67,6f,6e,75,69,42,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
--a------ 2007-12-17 16:47 62176 c:\program files\MarkAny\ContentSafer\MaAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
--a------ 2005-10-17 16:24 81920 c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 Kaspersky1;Kaspersky1;\??\c:\documents and settings\Matthew\My Documents\MS Hax\Kaspersky.sys --> c:\documents and settings\Matthew\My Documents\MS Hax\Kaspersky.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 sejt1;sejt1;\??\c:\documents and settings\Matthew\My Documents\akuma\akuma\sejt.sys --> c:\documents and settings\Matthew\My Documents\akuma\akuma\sejt.sys [?]
S3 spuce1;spuce1;\??\c:\documents and settings\Matthew\My Documents\MS Hacks\spuce.sys --> c:\documents and settings\Matthew\My Documents\MS Hacks\spuce.sys [?]
S3 uzeil1;uzeil1;\??\c:\documents and settings\Matthew\My Documents\Mini\uzeil.sys --> c:\documents and settings\Matthew\My Documents\Mini\uzeil.sys [?]
S4 cdawdm;CDAWDM;c:\windows\system32\DRIVERS\CDAWDM.sys --> c:\windows\system32\DRIVERS\CDAWDM.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xmlauto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{713a757a-a5ef-11dd-bac8-0040f45bd264}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-alg - c:\windows\alg.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
SafeBoot-Lavasoft Ad-Aware Service


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} - hxxp://oasisservery.webcam.carleton.ca/program/SonySncDf70View.cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxp://kings.nefficient.co.kr/kings/kdfx/kdfx237/kdfense8.cab
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 22:35:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32]
@DACL=(02 0000)
@="c:\\DOCUME~1\\Matthew\\LOCALS~1\\Temp\\wndutl32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\AstSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\ftp.exe
c:\windows\system32\at.exe
.
**************************************************************************
.
Completion time: 2009-04-04 22:45:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 02:45:46

Pre-Run: 17,537,945,600 bytes free
Post-Run: 18,114,158,592 bytes free

243 --- E O F --- 2008-01-04 13:36:32







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:25 PM, on 04/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [spool] C:\WINDOWS\spool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [Msn2] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost2] c:\vVJ.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad2] c:\vVJ.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\orgEtF.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\orgEtF.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn2] c:\orgEtF.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnHost2] c:\orgEtF.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad2] c:\orgEtF.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\orgEtF.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.kccsoft.com/authorware_web_files/awswaxd.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} (Sony SNC-DF70 Control) - http://oasisservery.webcam.carleton.ca/pro...SncDf70View.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194739310562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199394351354
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/kdfx/k...37/kdfense8.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9927 bytes

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:42 AM

Posted 06 April 2009 - 09:33 AM

Hi Matthew,

Sorry for the delay. This is going to be a long session. But please follow the instructions and do the steps fully and in the order they are written. In case you have any question before doing a step feel free to ask.

One the infection on Your computer is a flash drive infection. This type of infection gets usually carried over through removable storage devices (flash drive/ USB drive/ thumb drive/ ipod/ memory stick/ memory card/ photo camera memory card/ external hard drive, etc) and networks. Please make sure you have your removable devices ready to disinfect. Don't connect them yet.
  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c assoc .reg=regfile

    A window flashes, this is normal.

  • Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Posted Image


    Download the file & save it as it's originally named, next to ComboFix.exe.



    Posted Image


    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'No' and close ComboFix as we don't want to run a scan yet.

      Posted Image
  • Please read this carefully: http://www.zyxware.com/articles/2007/08/14...virus-infection

    Note: It is important to have autoplay feature turned off and not to open the thump drives by double clicking. Instead rightclick the drive and select Explore

  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Turn of the auto-protect or resident-shield of your antivirus.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning which takes only a few seconds and then exit the program.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/index.php?showtopic=213696&hl
    
    Collect::[4]
    C:\pv.exe
    C:\CwF.exe
    C:\qKFRrMJr.bat
    C:\usXDxfBj.bat
    C:\vVJ.exe
    C:\RC3.bat
    C:\0xf9.exe
    C:\tlEC53da.bat
    c:\windows\spool.exe
    C:\WINDOWS\system32\bubeguto.dll
    C:\WINDOWS\system32\wewusigo.dll
    c:\windows\system32\sofofuhi.dll
    c:\windows\system32\silvjp.dll
    c:\windows\system32\539824650.dat
    c:\documents and settings\Matthew\My Documents\akuma\akuma\sejt.sys 
    c:\documents and settings\Matthew\My Documents\MS Hacks\spuce.sys
    c:\documents and settings\Matthew\My Documents\Mini\uzeil.sys
    c:\DOCUME~1\Matthew\LOCALS~1\Temp\wndutl32.dll 
    Driver::
    sejt1
    spuce1
    uzeil1
    DirLook::
    c:\documents and settings\Matthew\My Documents\akuma\akuma
    c:\documents and settings\Matthew\My Documents\MS Hacks
    c:\documents and settings\Matthew\My Documents\Mini
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32]
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "Msn"=-
    "MsnHost"=-
    "MsnLoad"=-
    "Msn2"=-
    "MsnHost2"=-
    "MsnLoad2"=-
    [HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "Msn"=-
    "MsnHost"=-
    "MsnLoad"=-
    "Msn2"=-
    "MsnHost2"=-
    "MsnLoad2"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{713a757a-a5ef-11dd-bac8-0040f45bd264}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
  • You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. Besides the paid antivirus programs there are also some free antivirus programs::Install and update. Run a full/complete scan, let removed/quarantined what it finds and copy and paste the report to your reply.

    If you decide to install AVG:
    • Visit http://free.avg.com/download?prd=afe to download AVG 8 setup file to your desktop.
    • Double click the downloaded setup file to Install AVG 8 then update it.
    • On the left side click Computer scanner and select Scan whole computer.
    • When the scan finished under Result Overview tap at the end of scan result click Export overview to file
    • Select File Type: All files Name:scan.txt and save it on your desktop.
    • Under Warnings tap press Remove all unhealed infections. Then close the application.
    • Copy/paste the content of scan.txt located on your desktop to your reply.
  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The Combofix log.
  • The antivirus scan.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#13 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 07 April 2009 - 02:35 PM

Hello farbar!

I tried downloading the SP2 from the microsoft site yesterday but everytime I clicked download, it would be a dead link. I'm not sure if there's anything blocking the link from loading or something but I tried again today and still no luck. Sorry for the late reply, I went out the past two days.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:42 AM

Posted 07 April 2009 - 04:08 PM

The link is not dead.

To remove temporary files, disable browser add-ons, and reset all the changed settings:
  • Close all the open windows.
  • Go to start > Control Panel.
  • Open Internet Options.
  • Click the Advanced tab, and then click Reset.
  • Click Reset again and OK.
Now try it again. The direct link to the download page is here

#15 Matthew.

Matthew.
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maple, Ontario
  • Local time:04:42 PM

Posted 07 April 2009 - 05:59 PM

I seem to get "Internet Explorer cannot display the webpage," all the time even after I did the following.

Edited by Matthew., 07 April 2009 - 06:00 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users