
Infected by trojans: Need Help. LOHLA (hdn54.exe), fsa.exe, scvhost.exe, anti.exe and WEXPLORER


This topic is locked.
2 replies to this topic

#1 Katylar

Katylar

  • Members
  • 1 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 16 December 2009 - 12:20 AM

Hi. I'm a semi-savvy tech person, who unfortunately, in a moment of weakness, decided to forgo my installed Internet Security Suite for a few days while I was trying to make the most out of my system. What I didn't know was that my roommate decided to download some software off torrents using my laptop. He reports that ever since he tried to install something (that didn't open an application, leading me to believe that this was a trojan), my internet has slowed down tremendously. Also, I've noticed some general weirdness (sometimes the computer becomes really, really slow. Ping is OK, but websites say the page can't be displayed).

So I booted my Kaspersky Internet Security Suite 2010 and did a full scan. It was able to detect some trojans, and then delete them... but it didn't seem to fix the problem entirely.

So I've decided to install Malwarebytes' Anti-Malware 1.42, but it's taking a while... so far, it's pretty much scanned a lot of things (42 mins, and my PC is fairly good in terms of speed), and zero detections - although it did give a popup about the Lohla or hdn54, and I quarantined it. I'll edit this post once the scan has been completed.

UPDATE: After a long, long scan, Malwarebytes was able to detect 2 malware items (and block one instance of scvhost.exe). After disinfection, it requested a reboot. Here's the Malwarebytes Anti-Malware log:

Malwarebytes' Anti-Malware 1.42
Database version: 3365
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

12/16/2009 5:22:45 AM
mbam-log-2009-12-16 (05-22-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 329194
Time elapsed: 4 hour(s), 12 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoftcorp (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\pxysdb.dat (Trojan.Goldun) -> Quarantined and deleted successfully.


SYMPTOMS SO FAR:

Windows Defender keeps reporting a backdoor in my win32 directory every time I boot. I click delete.

In my C:\, I once found 3 applications that I had no recollection of downloading: [image]
I've since deleted them.

In my MSConfig Startups, I have two new programs that added themselves to my startup list (I've since unchecked them, but it doesn't seem to be doing any good):
cftmon.exe, from Unknown Manufacturer, and with command: "scvhost.exe" (not SVChost)
LOLHA, from Unknown Manufacturer, and with command: "C:\Windows\hdn54.exe"

Might be unrelated, but my Alcohol52% is dead (it no longer loads on startup; when I load it manually, it tells me that its device drivers can't load, thus no emulated disk drives, and when I tried to uninstall it, it told me that it can't find install info - in fact, it's no longer on the add/remove programs list).

My Task Manager reports some weirdness as well. The following programs seem suspicious to me, since I haven't seen them before. There might be some others, but these are the ones that pop out. I've tried Ending Process, but they just restart after a few seconds:

Anti.exe, username: SYSTEM, Description: ANTI
fsa.exe, username: SYSTEM, Description: fsa
svchost.exe, username: SYSTEM, Description: svchost - not HOST PROCESS for WINDOWS SERVICES like the other instances of svchost.exe

Finally, Malwarebytes keeps telling me that it's blocking something trying to contact the malicious IP addy: 82.146.49.158, as well as 212.117.174.etc

DDS Log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Justin Abello xito at 2:20:00.45 on Wed 12/16/2009
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.1527.527 [GMT 8:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Extensis\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Windows\System32\TUProgSt.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Justin Abello Éxito\Files\Tools\CoreTemp32\Core Temp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Users\Justin Abello Éxito\Files\Tools\ToggleFileExt.exe
C:\Users\Justin Abello Éxito\Files\Tools\ToggleHiddenFiles.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Justin Abello Éxito\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uRun: [WallpaperChanger] c:\program files\wallpaper master\Wallpaper.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunServices: [cftmon.exe] scvhost.exe
dRun: [sysdiag64.exe] c:\windows\hdn54.exe
mExplorerRun: [MicrosoftCorp] c:\windows\hdn54.exe
StartupFolder: c:\users\justin~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\corete~1.lnk - c:\users\justin abello éxito\files\tools\coretemp32\Core Temp.exe
StartupFolder: c:\users\justin~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\users\justin~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\toggle~2.lnk - c:\users\justin abello éxito\files\tools\ToggleFileExt.exe
StartupFolder: c:\users\justin~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\toggle~1.lnk - c:\users\justin abello éxito\files\tools\ToggleHiddenFiles.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: ʹÓÃѸÀ×ÏÂÔØ - c:\users\justin abello éxito\desktop\thunder\program\geturl.htm
IE: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - c:\users\justin abello éxito\desktop\thunder\program\getallurl.htm
TCP: {CB38DDFF-C364-4210-B1DE-CBC68F004090} = 202.138.128.54 202.138.128.50
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

================= FIREFOX ===================

FF - ProfilePath - c:\users\justin~1\appdata\roaming\mozilla\firefox\profiles\mexzgkyy.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?shva=1#inbox|http://ph.mg60.mail.yahoo.com/dc/launch?rand=487834842|http://wikipedia.org/|http://www.demonoid.com/?rel=1229878098|http://www.fanfiction.net/
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\justin abello éxito\appdata\roaming\mozilla\firefox\profiles\mexzgkyy.default\extensions\{3502a070-ea2f-11dd-ba2f-0800200c9a66}\components\mintray-9178506d-2005072516-trunk.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\justin abello ã‰xito\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-5-15 21008]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-7-3 303376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-15 276816]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2009-11-15 100736]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-15 19160]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-15 38224]
S2 explore;explore;C:\Anti.exe [2009-12-14 50688]
S2 swxplore;swxplore;C:\fsa.exe [2009-12-14 50688]
S2 Wexplorer;Wexplorer;"c:\windows\temp\himv.tmp\svchost.exe" [2009-12-10 50688]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]

=============== Created Last 30 ================

2009-12-15 16:55:50 19944 ----a-w- c:\windows\system32\drivers\kav_atapi.sys
2009-12-15 16:19:57 0 d-----w- c:\program files\Trend Micro
2009-12-15 15:36:37 0 d-----w- c:\users\justin~1\appdata\roaming\Malwarebytes
2009-12-15 15:36:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 15:36:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 15:36:29 0 d-----w- c:\programdata\Malwarebytes
2009-12-15 15:36:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 03:03:43 8 ----a-w- c:\windows\system32\DROPPEDFILEOK.tmp
2009-12-15 03:03:20 167936 --sh--r- c:\windows\hdn54.exe
2009-12-14 04:20:12 50688 --sh--r- C:\Anti.exe
2009-12-14 04:16:40 50688 --sh--r- C:\fsa.exe
2009-12-13 05:55:35 50688 --sh--r- C:\fa.exe
2009-12-11 19:00:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-11 19:00:42 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-11 19:00:41 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 20:04:21 16 ----a-w- c:\windows\pxysdb.dat
2009-12-10 05:30:39 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-10 05:24:39 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 18:03:10 0 d-----w- c:\program files\Machinarium
2009-12-08 07:06:51 0 d-----w- c:\program files\OpenSource DTSAC3DD+ Source Filter
2009-12-08 07:02:47 0 d-----w- c:\program files\DScaler5
2009-12-08 07:02:29 497664 ----a-w- c:\windows\system32\ac3filter.acm
2009-12-08 07:02:29 0 d-----w- c:\program files\AC3Filter
2009-12-08 06:57:44 0 d-----w- c:\program files\OpenSource Flash Video Splitter
2009-12-08 06:57:01 0 d-----w- c:\program files\Haali
2009-12-08 06:56:13 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-08 06:56:10 0 d-----w- c:\program files\ffdshow
2009-12-08 01:21:41 0 d--h--w- c:\programdata\CanonBJ
2009-12-07 18:46:14 0 d-----w- c:\program files\Zoom Player
2009-12-07 16:53:45 0 d-----w- c:\program files\Total Video Converter
2009-12-07 10:23:54 9308858 ----a-w- c:\users\justin~1\appdata\roaming\Zoom Player MAX v7.00 FINAL + Patch-Key By ChattChitto.exe
2009-12-07 10:08:38 608448 ----a-w- c:\windows\system32\comctl32.ocx
2009-12-07 09:27:28 0 ----a-w- c:\windows\system32\all.flv
2009-12-07 09:24:05 40960 ----a-w- c:\windows\system32\FlvBind.exe
2009-12-07 09:24:05 188416 ----a-w- c:\windows\system32\FLVLib.dll
2009-11-25 19:02:57 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:57:03 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:57:03 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 21:55:38 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-22 08:37:07 294 ----a-w- c:\windows\SIERRA.INI
2009-11-22 08:34:51 0 d-----w- c:\program files\Sierra On-Line
2009-11-22 08:34:51 0 d-----w- c:\program files\Homeworld
2009-11-21 08:41:00 0 d-----w- c:\program files\FFMPEG Core Files
2009-11-17 23:45:40 0 d-----w- c:\program files\Windows Portable Devices
2009-11-17 23:44:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-17 19:07:34 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-17 19:07:33 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-17 19:07:33 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-17 19:04:38 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-11-17 19:01:27 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-17 19:01:26 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-17 19:01:26 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-15 21:32:42 0 d-----w- c:\program files\UltraVPN

==================== Find3M ====================

2009-12-15 18:19:39 3145728 --sha-w- c:\users\justin abello éxito\NTUSER.DAT
2009-12-15 15:09:06 898528 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 23:45:26 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-17 23:45:26 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 23:45:26 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-17 23:45:26 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-09 15:37:23 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-02 12:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-11-13 12:27:25 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 2:21:58.85 ===============



PS: Does Malwarebytes block uTorrent connections? (I mean, I'm pretty okay with discerning which torrent is good, and I only download from reputable sources, so aside from the argument that Malwarebytes recommends that all P2P should be removed, is there any way to make Malwarebytes and uTorrent get along? I can't tell right now if the blocked IPs are torrents or by whatever is making my system go iffy.)

PPS: How should I go about reinstalling my Alcohol52%?

PPPS: I have Windows Vista 32bit Ultimate, SP2.

Thanks aplenty, sirs and madams.

RootRepeal attached.

UPDATE: After posting, my Kaspersky reported that it detected 2 rootkits (and did an autorestart after disinfecting)... which actually was crappy, since it crashed my computer and deleted the settings for my StarDock. Upon reboot, there was a popup saying something to the effect that LOHLA couldn't launch because of some reason or other (after a second reboot, it didn't show up again).

Another note: I checked Task Manager again, and was gladdened to note that after ending the processes of both Anti.exe and fsa.exe, they no longer restarted themselves. However, the svchost.exe (that was arguably just disguised, since it had a different description from the true SVCHOST.exe) was still there... I checked which service was using it, and it came up as WEXPLORER. I tried stopping it, but it gave me an error. I closed Task Manager, then reopened it - lo and behold, svchost.exe (fake) was no longer running, and WEXPLORER couldn't be found. After rebooting, all three were up again, but fsa.exe and anti.exe ended and stayed dead with no trouble. svchost.exe (fake) and WEXPLORER can't be killed.

Updated HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:21 PM, on 12/16/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Users\Justin Abello Éxito\Files\Tools\CoreTemp32\Core Temp.exe
C:\Users\Justin Abello Éxito\Files\Tools\ToggleFileExt.exe
C:\Users\Justin Abello Éxito\Files\Tools\ToggleHiddenFiles.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Justin Abello Éxito\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunServices: [cftmon.exe] scvhost.exe
O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [sysdiag64.exe] C:\Windows\hdn54.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [sysdiag64.exe] C:\Windows\hdn54.exe (User 'Default user')
O4 - Startup: Core Temp.lnk = ?
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: ToggleFileExt.lnk = ?
O4 - Startup: ToggleHiddenFiles.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Users\Justin Abello Éxito\Desktop\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Users\Justin Abello Éxito\Desktop\Thunder\Program\getallurl.htm
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB38DDFF-C364-4210-B1DE-CBC68F004090}: NameServer = 202.138.128.54 202.138.128.50
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Extensis\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: explore - Unknown owner - C:\Anti.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: swxplore - Unknown owner - C:\fsa.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Wexplorer - Unknown owner - C:\Windows\TEMP\himv.tmp\svchost.exe

--
End of file - 5851 bytes
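The persistence pattern in the logs above (a service named "svchost.exe" living in C:\Windows\TEMP, a RunServices value named after ctfmon.exe that launches "scvhost.exe", unknown-owner services sitting in the drive root, a Run entry in the SYSTEM hive) is exactly what a log triage script can flag automatically. The Python below is an added example, not part of this thread or of HijackThis/DDS; it parses HijackThis-style O4/O23 lines with a few defender heuristics, and the sample log, the SYSTEM_BINARIES list and the directory lists are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass, field

# Core Windows binaries whose names malware borrows or mangles (svchost.exe and
# ctfmon.exe are the two in the post above). Assumed list, not from the page.
SYSTEM_BINARIES = {"svchost.exe", "ctfmon.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample modelled on the HijackThis lines quoted in the post.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\RunServices: [cftmon.exe] scvhost.exe
O4 - HKUS\S-1-5-18\..\Run: [sysdiag64.exe] C:\Windows\hdn54.exe (User 'SYSTEM')
O23 - Service: explore - Unknown owner - C:\Anti.exe
O23 - Service: swxplore - Unknown owner - C:\fsa.exe
O23 - Service: Wexplorer - Unknown owner - C:\Windows\TEMP\himv.tmp\svchost.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one- or two-character name swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the system binary this name imitates, or None if exact or unrelated."""
    base = name.lower()
    if base in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if levenshtein(base, real) <= 2), None)


def image_path(command: str) -> str:
    """Pull the executable out of an autostart command line (quoted or first token)."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    return re.split(r" [-/]", command, maxsplit=1)[0].strip()


def check_image(path: str, reasons: list) -> None:
    low = path.lower()
    base = os.path.basename(low.replace("\\", "/"))
    if (real := lookalike(base)):
        reasons.append(f"look-alike of {real}: {base}")
    if base in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} outside System32: {path}")
    if "\\" not in low:
        reasons.append(f"bare filename resolved via search path: {path}")
    elif re.fullmatch(r"[a-z]:\\[^\\]+", low) or any(d in low for d in TEMP_DIRS):
        reasons.append(f"unusual location: {path}")


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line, reasons = line.strip(), []
        if m := O4_RE.match(line):
            check_image(image_path(m.group("cmd")), reasons)
            if (real := lookalike(m.group("name"))):  # value names get faked too
                reasons.append(f"value name imitates {real}: {m.group('name')}")
            if m.group("user") in ("SYSTEM", "Default user"):
                reasons.append(f"per-user Run entry in the {m.group('user')} hive")
        elif m := O23_RE.match(line):
            check_image(m.group("path"), reasons)
            if reasons and m.group("owner") == "Unknown owner":
                reasons.append("no vendor information on a suspicious service")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it flags the five rogue entries and leaves the Kaspersky and Malwarebytes lines alone; the heuristics are deliberately narrow, so treat a hit as a lead to verify, not a verdict.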


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:53 AM

Posted 27 December 2009 - 10:34 AM

Hello and welcome to Bleeping Computer! :(

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 SpySentinel

SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  • Gender:Male
  • Location:The United States
  • Local time:11:53 PM

Posted 31 December 2009 - 07:59 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, then contact me or another staff member.

Everyone else please start a new topic.