
Hit BAD with malware, HELP!

#1 frosti

  • Members
  • 1 posts

Posted 19 April 2009 - 01:40 AM

Hi, I'm having TONS of problems dealing with this spyware. I've run MBAM, SpyBot, HijackThis, and it just keeps coming back. I'm at my wits' END. If anyone can help me, anything will do.

Some things I can't do at all: run IE (the window won't appear; I'm using Firefox to post this), update MBAM (it says I'm not on the internet, but I can browse the internet just fine); in fact I can't access malwarebytes.org at all.

Here's my current HijackThis log as of this post. I'm at my wits' end dealing with this. Reboot after reboot doesn't do anything.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:49 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\thomas\LOCALS~1\Temp\1942339752.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: C:\WINDOWS\system32\zfgh83jg3.dll - {d5bf49a0-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\thomas\LOCALS~1\Temp\1942339752.exe
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1092339752.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\thomas\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1092339752.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Post Image to Blog - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229502134067
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229503153312
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5488 bytes

DDS Log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by thomas at 2:38:13.32 on Sun 04/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2491 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
svchost.exe C:\WINDOWS\TEMP\VRT5.tmp
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\thomas\LOCALS~1\Temp\1942339752.exe
C:\Documents and Settings\thomas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: c:\windows\system32\zfgh83jg3.dll: {d5bf49a0-94f3-42bd-f434-3604812c8955} - c:\windows\system32\zfgh83jg3.dll
TB: ImageShack Toolbar: {6932d140-abc4-4073-a44c-d4a541665e35} - c:\program files\imageshacktoolbar\ImageShackToolbar.dll
uRun: [Diagnostic Manager] c:\docume~1\thomas\locals~1\temp\1942339752.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [Diagnostic Manager] c:\windows\temp\1092339752.exe
dRun: [reader_s] c:\documents and settings\thomas\reader_s.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Post Image to Blog - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5002
IE: Transload Image to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5004
IE: Upload All Images to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\program files\imageshacktoolbar\ImageShackToolbar.dll/5001
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229502134067
DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} - hxxp://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229503153312
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\zfgh83jg3.dll: {d5bf49a0-94f3-42bd-f434-3604812c8955} - c:\windows\system32\zfgh83jg3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomas\applic~1\mozilla\firefox\profiles\8sdo9fy5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.neogaf.com/forum/

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-6-13 968064]
S3 {a10ood;{a10ood; [x]
S3 ALLOW-IO;ALLOW-IO;\??\d:\allow-io.sys --> d:\ALLOW-IO.sys [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-04-19 02:30 36,352 a------- c:\windows\system32\reader_s.exe
2009-04-19 02:30 36,352 a------- c:\documents and settings\thomas\reader_s.exe
2009-04-19 02:30 0 a------- c:\windows\system32\7.tmp
2009-04-19 02:29 84 a------- c:\windows\system32\6.tmp
2009-04-19 02:29 0 a------- C:\4.tmp
2009-04-19 02:29 0 a------- C:\3.tmp
2009-04-19 02:05 <DIR> --d----- c:\windows\system32\xircom
2009-04-19 00:58 <DIR> a-dshr-- C:\cmdcons
2009-04-19 00:57 182,784 a------- c:\windows\SWREG.exe
2009-04-19 00:57 119,296 a------- c:\windows\sed.exe
2009-04-18 22:55 15,000 a------- c:\windows\system32\zfgh83jg3.dll
2009-04-18 22:45 58,368 a------- c:\windows\system32\ak1.exe
2009-04-18 22:04 578,560 a------- c:\windows\system32\user32.dll
2009-04-18 22:02 0 a------- c:\windows\mqcd.dbt
2009-04-18 21:56 410,984 a------- c:\windows\system32\REN466.tmp
2009-04-10 16:34 <DIR> --d----- c:\windows\Downloaded Installations
2009-04-09 20:00 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-03-27 16:55 76 a------- c:\windows\dellstat.ini
2009-03-27 16:55 100 a------- c:\windows\lexstat.ini
2009-03-27 16:54 320,000 a------- c:\windows\uninst.exe
2009-03-27 16:54 <DIR> --d----- c:\documents and settings\thomas\WINDOWS
2009-03-27 16:54 <DIR> --d----- C:\Lexmark
2009-03-22 19:24 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-04-19 02:38 101,870 a------- c:\windows\system32\drivers\f2b130a8.sys
2009-04-18 22:01 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-18 22:01 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-18 22:00 75,776 a--sh--- c:\windows\system32\howezito.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 66,048 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2008-05-09 21:46 990,208 a------- c:\windows\inf\syssbck.dll
2006-05-03 06:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 07:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 09:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 2:38:21.70 ===============

Edited by frosti, 19 April 2009 - 01:45 AM.
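As an added example (not part of frosti's post or of HijackThis itself), a small Python triage pass over HijackThis-style lines like the ones above: it flags O4 Run entries that launch from a Temp directory, O7 policy lines that lock the user out of regedit, and O2/O22 components whose display name is a bare path or a random-looking token. The sample lines are copied from the log above; the `looks_random` heuristic and the tag names are constructed for this illustration.

```python
import re

# Lines copied from the HijackThis log in this thread; used here as sample input.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\zfgh83jg3.dll - {d5bf49a0-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\thomas\LOCALS~1\Temp\1942339752.exe
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1092339752.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
"""

# Autostart targets living in a temp directory (the 8.3 form LOCALS~1 included).
TEMP_PATH = re.compile(r"\\(temp|locals~1)\\", re.I)
# O2 (BHO) and O22 (SharedTaskScheduler) lines: "<kind>: <name> - {CLSID} - <path>".
COMPONENT = re.compile(r"^O(?:2|22) - [^:]+: (?P<name>.+?) - \{[0-9a-f-]+\} - (?P<path>.+)$", re.I)

def looks_random(token):
    """Crude heuristic (constructed for this example): a single word of 8+ chars
    mixing letters and digits, as the unnamed components in this log do."""
    return (" " not in token and len(token) >= 8
            and any(c.isdigit() for c in token) and any(c.isalpha() for c in token))

def triage_line(line):
    """Return (tag, line) for a line worth a second look, else None."""
    line = line.strip()
    if line.startswith("O4 - ") and TEMP_PATH.search(line):
        return ("autostart-from-temp", line)
    if line.startswith("O7 - "):  # policy keys that lock the user out of regedit etc.
        return ("policy-restriction", line)
    m = COMPONENT.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if name.lower() == path.lower() or looks_random(name) or looks_random(stem):
            return ("unnamed-or-random-component", line)
    return None

def triage(log):
    """Run triage_line over a whole log and return the list of findings."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]
```

Run against the sample it reports five lines and leaves the NVIDIA and ImageShack entries alone; the same heuristics would also have pulled out the matching STS/BHO pair in the DDS report.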


#2 Rodav

  • Members
  • 388 posts

Posted 19 April 2009 - 07:30 AM

Hi,

I have bad news for you :thumbup2:

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost cause, a game-over situation, and a format and reinstall is the fastest and, above all, the safest solution.

You may want to read why here: Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
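An added example, not Rodav's code or a tool from the thread: a Python backup filter that applies the exclusion list above and, going one step beyond the reply, also skips any file that begins with the 'MZ' header of a Windows executable, since a file infector's payload does not depend on the extension a user happened to give the file. The sample tree is constructed in a temporary directory; none of the file names or contents come from the original post.

```python
import os
import shutil
import tempfile

# Extensions the reply says not to back up (compared in lower case).
SKIP_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}

def is_pe_file(path):
    """True if the file starts with the 'MZ' header of a Windows executable,
    whatever its extension, so a renamed .exe does not slip into the backup."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def classify(path):
    """Return 'copy', or the reason the file is excluded from the backup."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIP_EXTENSIONS:
        return "skip: extension %s" % ext
    if is_pe_file(path):
        return "skip: executable header (MZ)"
    return "copy"

def backup_tree(src, dst):
    """Copy only data files from src into dst; return {relative_path: decision}."""
    decisions = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            decisions[rel] = classify(full)
            if decisions[rel] == "copy":
                target = os.path.join(dst, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
    return decisions

def demo():
    """Build a constructed sample tree (not real user data) and run the filter."""
    src, dst = tempfile.mkdtemp(prefix="docs_"), tempfile.mkdtemp(prefix="backup_")
    samples = {"notes.txt": b"plain notes", "holiday.jpg": b"\xff\xd8\xff\xe0",
               "setup.exe": b"MZ\x90\x00", "page.html": b"<html></html>",
               "viewer.dat": b"MZ\x90\x00"}  # an executable renamed to .dat
    for name, data in samples.items():
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(data)
    return backup_tree(src, dst)
```

The decision map that `backup_tree` returns doubles as the record of what was left behind, which is worth keeping with the backup so the files can be reinstalled from clean media rather than restored.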

#3 Rodav

  • Members
  • 388 posts

Posted 24 April 2009 - 07:38 AM

This topic is now closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
