Hit with 3 malwares/viruses


  • This topic is locked
2 replies to this topic

#1 rsaritzky

  • Members
  • 1 posts

Posted 27 July 2011 - 01:04 AM

Hi,

Don't know how it happened, but I seem to have been hit with 3 malwares - the XP Home Security 2012 malware, the Google search redirector and winlogon.exe taking 50% of my CPU.

I've tried Malwarebytes, Avira, Vipre along with my (existing) McAfee. All experience the same problem - they will start and run for a few seconds, then disappear.

I've tried Killbox to try to replace winlogon.exe, but I've been unable to figure out how to make it "do" what I've set it up to do - replace winlogon.exe with a copy from the i386 directory. I did have it force a reboot, but don't know if it did anything. I've also removed manually as many of the registry entries related to the XP Home security 2012 as I could find. This malware doesn't seem to be popping up anymore. Now, I just need to get an antivirus scan run somehow and get the google redirector problem solved.

I've tried getting a HijackThis log to generate, but the same thing happens - When I click on "Scan and create log", it looks like it is doing something but then it disappears.

Vipre's service won't start. Avira's main screen will load, but when you click "scan", nothing happens.

The best I've been able to do is to get a startup log from Hijackthis. Here it is. I recognize most of the loaded programs and they appear to be legitimate. But if anyone has any suggestions, I'm happy to uninstall almost anything.


StartupList report, 7/26/2011, 10:07:20 PM
StartupList version: 1.52.2
Started from : F:\HiJackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
\.\globalroot\Device\svchost.exe\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\ron.CORP\Application Data\U3\00001853E471ADF5\LaunchPad.exe
F:\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ron.CORP\Start Menu\Programs\Startup]
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
SigmatelSysTrayApp = stsystra.exe
pdfFactory Dispatcher v2 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
Apoint = C:\Program Files\Apoint\Apoint.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /installquiet
DLA = C:\WINDOWS\System32\DLA\DLACTRLW.EXE
Broadcom Wireless Manager UI = C:\WINDOWS\system32\WLTRAY.exe
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
LogitechCameraService(E) = C:\WINDOWS\system32\ElkCtrl.exe /automation
SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"
LogMeIn GUI = "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
SBAMTray = "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Malwarebytes' Anti-Malware = c:\mal\mal\mbamgui.exe /install /silent

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

swg = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
Gadwin PrintScreen = C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
\\tracyxp\EPSON Artisan 50 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFFA.EXE /FU "C:\DOCUME~1\RON~1.COR\LOCALS~1\Temp\E_S5F.tmp" /EF "HKCU"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\FlashDownloader\IntQd.dll (file missing) - {0682E46A-7040-4049-A6FD-0BCFBC673AD8}
(no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}

--------------------------------------------------

Enumerating Task Scheduler jobs:

GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

[CHListFactory Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MBFWebBehaviors.dll
CODEBASE = http://sp.cbhinc.com/BusinessPortal/UI/ResultViewer/Scripts/MBFWebBehaviors.cab

[XTSAC Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xTSAC.ocx
CODEBASE = https://vpn.directed.com/XTSAC.cab

[Aventail Installer ]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\epi.dll
CODEBASE = https://connectpbg.mcgplc.com/postauthI/epi.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155861334269

[CMMHost Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AppExchangeMailMerge.dll
CODEBASE = https://na1.salesforce.com/dwnld/mailmerge/AXMailMerge.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10t.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Performance Viewer Activex Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RACtrl.dll
CODEBASE = https://secure.logmein.com/activex/ractrl.cab?lmi=100

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,605 bytes


Thanks in advance.

Ron

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
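One line in the posted StartupList report stands out on inspection: `\.\globalroot\Device\svchost.exe\svchost.exe` is the only running process whose image path is not an ordinary drive-letter path, and it carries the name of a core Windows binary. As an added example (not from Ron's post and not part of HijackThis or StartupList), the following Python script parses the "Running processes" section of such a report and flags exactly those two conditions: a non-drive-letter (device/globalroot) image path, and a core system binary name loaded from outside the Windows directory. The set of core binaries, the assumed Windows root `C:\WINDOWS`, and the heuristic itself are this example's own assumptions; the embedded sample report is an excerpt of the one posted above.

```python
"""Triage the 'Running processes' section of a HijackThis StartupList report.

Added example, not from the forum post or the tool itself. It flags image
paths that are (a) NT object-namespace paths rather than drive-letter paths,
or (b) core Windows binary names running from outside the Windows directory.
The core-binary list, the Windows root and the heuristic are assumptions of
this example.
"""
import re
from typing import Dict, List

# Core binaries that, on a default XP install, live only under %SystemRoot%\system32
# (or directly under %SystemRoot% in Explorer's case). Assumption of this example.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "csrss.exe", "explorer.exe", "spoolsv.exe",
}

# Assumed Windows root for this report (the posted log shows C:\WINDOWS).
WINDOWS_ROOT = "c:\\windows"

# Excerpt of the StartupList report posted above (raw string keeps the backslashes).
SAMPLE_REPORT = r"""StartupList report, 7/26/2011, 10:07:20 PM
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
\.\globalroot\Device\svchost.exe\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
F:\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:
"""


def parse_running_processes(report: str) -> List[str]:
    """Return the image paths listed between 'Running processes:' and the next rule."""
    paths: List[str] = []
    in_section = False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if stripped.startswith("-----"):
                break
            if stripped:
                paths.append(stripped)
    return paths


def classify_path(path: str) -> List[str]:
    """Return the reasons a process path looks suspicious (empty list if none)."""
    reasons: List[str] = []
    lowered = path.lower()
    basename = lowered.rsplit("\\", 1)[-1]
    # Ordinary user-mode programs are launched from 'X:\...' paths. A path such as
    # \\.\globalroot\Device\... addresses the NT object namespace directly and is
    # not how normal software is started.
    if not re.match(r"^[a-z]:\\", lowered):
        reasons.append("non-drive-letter (device/globalroot) image path")
    if basename in CORE_SYSTEM_BINARIES:
        in_system32 = lowered.startswith(WINDOWS_ROOT + "\\system32\\")
        # Directly under the Windows root: exactly two separators, e.g. c:\windows\explorer.exe
        in_winroot = lowered.startswith(WINDOWS_ROOT + "\\") and lowered.count("\\") == 2
        if not (in_system32 or in_winroot):
            reasons.append(f"core binary name '{basename}' outside the Windows directory")
    return reasons


def triage(report: str) -> Dict[str, List[str]]:
    """Map each flagged process path to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for path in parse_running_processes(report):
        reasons = classify_path(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_REPORT).items():
        print(flagged)
        for reason in why:
            print("   -", reason)
```

Run against the excerpt, the script flags only the globalroot entry, for both reasons; the legitimate `C:\WINDOWS\Explorer.EXE` and the `System32` entries pass. The same check applies to the other sections of the report (Run keys, UserInit, Shell) once their `name = path` lines are split, which is why the classification is kept separate from the parser.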


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 July 2011 - 09:17 PM

Hi,

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 02 August 2011 - 07:37 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
