
Hijackthis Log, Please Help


This topic is locked
6 replies to this topic

#1 hjtneub

Posted 29 June 2006 - 02:58 PM

Hi,
I'm getting "Your computer is infected" web page popping up trying to download a program like "computer doctor" or something like that.
Could you please see what causes this and what I should delete.
Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 3:05:54 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\brss01a.exe
D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRAM FILES\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRAM FILES\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SKDAEMON.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRAM FILES\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAM FILES\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRAM FILES\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\SYSTEM32\SKSMAILD.EXE
C:\PROGRAM FILES\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAM FILES\APC\APC POWERCHUTE PERSONAL EDITION\apcsystray.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\USERINIT.EXE,C:\WINDOWS\SYSTEM32\USERINIT.EXE,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {cc326051-7857-41bd-bbb1-8e0746a38620} - C:\WINDOWS\system32\lprror.dll
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\PROGRAM FILES\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRAM FILES\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\PROGRAM FILES\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: &AOL Toolbar search - RES://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_04\BIN\NPJPI150_04.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_04\BIN\NPJPI150_04.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120893539500
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: ComPlusSetup - D:\WINDOWS\System32\catsrvut.dll
O20 - Winlogon Notify: lprror - C:\WINDOWS\SYSTEM32\lprror.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\System32\brsvc01a.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\PROGRAM FILES\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\PROGRAM FILES\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Retrospect Helper - Unknown owner - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe (file missing)
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


#2 -David-

Posted 29 June 2006 - 03:02 PM

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add More Files.
  • Copy and paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\SYSTEM32\lprror.dll
    • C:\WINDOWS\SYSTEM32\rorrpl.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
David

#3 hjtneub (Topic Starter)

Posted 29 June 2006 - 04:58 PM

David,
VundoFix would not re-open after the "run as a task" was checked-off.
Waited 10 mins. then re-booted the computer and tried again. Still it would not re-open after closing.
Now what?
Thanks

#4 -David-

Posted 30 June 2006 - 12:23 PM

Hi there hjtneub,

Please download VirtumundoBeGone from:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Reboot your System
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

VirtumundoBeGone generates a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here together with a new hijackthislog.

David

Edited by D-Trojanator, 07 July 2006 - 03:01 PM.


#5 hjtneub (Topic Starter)

Posted 30 June 2006 - 02:33 PM

Hi David,
Ran the above as per your instructions. Here are the logs for VirtumundoBeGone and HijackThis.
Please let me know what you see and if anything else I need to do.
Thank you.


[06/30/2006, 15:16:24] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[06/30/2006, 15:16:40] - Detected System Information:
[06/30/2006, 15:16:40] - Windows Version: 5.1.2600, Service Pack 2
[06/30/2006, 15:16:40] - Current Username: Administrator (Admin)
[06/30/2006, 15:16:40] - Windows is in NORMAL mode.
[06/30/2006, 15:16:40] - Searching for Browser Helper Objects:
[06/30/2006, 15:16:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/30/2006, 15:16:40] - BHO 2: {cc326051-7857-41bd-bbb1-8e0746a38620} ()
[06/30/2006, 15:16:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2006, 15:16:40] - Checking for HKLM\...\Winlogon\Notify\lprror
[06/30/2006, 15:16:40] - Found: HKLM\...\Winlogon\Notify\lprror - This is probably Virtumundo.
[06/30/2006, 15:16:40] - Assigning {cc326051-7857-41bd-bbb1-8e0746a38620} MSEvents Object
[06/30/2006, 15:16:40] - BHO list has been changed! Starting over...
[06/30/2006, 15:16:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/30/2006, 15:16:40] - BHO 2: {cc326051-7857-41bd-bbb1-8e0746a38620} (MSEvents Object)
[06/30/2006, 15:16:40] - ALERT: Found MSEvents Object!
[06/30/2006, 15:16:40] - Finished Searching Browser Helper Objects
[06/30/2006, 15:16:40] - *** Detected MSEvents Object
[06/30/2006, 15:16:40] - Trying to remove MSEvents Object...
[06/30/2006, 15:16:41] - Terminating Process: IEXPLORE.EXE
[06/30/2006, 15:16:41] - Terminating Process: RUNDLL32.EXE
[06/30/2006, 15:16:41] - Disabling Automatic Shell Restart
[06/30/2006, 15:16:41] - Terminating Process: EXPLORER.EXE
[06/30/2006, 15:16:41] - Suspending the NT Session Manager System Service
[06/30/2006, 15:16:41] - Terminating Windows NT Logon/Logoff Manager
[06/30/2006, 15:16:41] - Re-enabling Automatic Shell Restart
[06/30/2006, 15:16:41] - File to disable: C:\WINDOWS\system32\lprror.dll
[06/30/2006, 15:16:41] - Renaming C:\WINDOWS\system32\lprror.dll -> C:\WINDOWS\system32\lprror.dll.vir
[06/30/2006, 15:16:41] - File successfully renamed!
[06/30/2006, 15:16:41] - Removing HKLM\...\Browser Helper Objects\{cc326051-7857-41bd-bbb1-8e0746a38620}
[06/30/2006, 15:16:41] - Removing HKCR\CLSID\{cc326051-7857-41bd-bbb1-8e0746a38620}
[06/30/2006, 15:16:41] - Adding Kill Bit for ActiveX for GUID: {cc326051-7857-41bd-bbb1-8e0746a38620}
[06/30/2006, 15:16:41] - Deleting ATLEvents/MSEvents Registry entries
[06/30/2006, 15:16:41] - Removing HKLM\...\Winlogon\Notify\lprror
[06/30/2006, 15:16:41] - Searching for Browser Helper Objects:
[06/30/2006, 15:16:41] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/30/2006, 15:16:41] - Finished Searching Browser Helper Objects
[06/30/2006, 15:16:41] - Finishing up...
[06/30/2006, 15:16:42] - A restart is needed.
[06/30/2006, 15:16:58] - Attempting to Restart via STOP error (Blue Screen!)


Logfile of HijackThis v1.99.1
Scan saved at 3:25:30 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\brss01a.exe
D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRAM FILES\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRAM FILES\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SKDAEMON.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRAM FILES\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAM FILES\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRAM FILES\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\SYSTEM32\SKSMAILD.EXE
C:\PROGRAM FILES\APC\APC POWERCHUTE PERSONAL EDITION\apcsystray.exe
C:\PROGRAM FILES\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\USERINIT.EXE,C:\WINDOWS\SYSTEM32\USERINIT.EXE,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\PROGRAM FILES\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRAM FILES\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\PROGRAM FILES\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: &AOL Toolbar search - RES://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_04\BIN\NPJPI150_04.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_04\BIN\NPJPI150_04.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...te.cab?1120893539500
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: ComPlusSetup - D:\WINDOWS\System32\catsrvut.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\System32\brsvc01a.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - D:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\PROGRAM FILES\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\PROGRAM FILES\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Retrospect Helper - Unknown owner - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe (file missing)
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
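
The VirtumundoBeGone log in the post above shows the heuristic it used: a Browser Helper Object with no default name, whose DLL is also registered as a Winlogon Notify package, is treated as Virtumundo/Vundo. The script below is an added example for auditing the same registry locations yourself; it is not code from the thread, from VirtumundoBeGone or from HijackThis. It assumes an elevated PowerShell session on Windows and the 32-bit Internet Explorer registry view (on 64-bit Windows the same keys also exist under SOFTWARE\Wow6432Node). Winlogon Notify packages only exist on XP/2003, so on newer Windows that list is empty and the report falls back to the name, signature and kill-bit columns.

```powershell
# Added example, not code from the thread or from VirtumundoBeGone/HijackThis.
# Enumerates IE Browser Helper Objects (HijackThis O2), resolves each CLSID to
# its InprocServer32 DLL, and flags a BHO that has no default name and whose
# DLL is also a Winlogon Notify package (HijackThis O20). Also reports whether
# the CLSID already carries the ActiveX kill bit and whether the DLL is signed.
# Assumptions: elevated PowerShell on Windows; 32-bit IE registry view.

$BhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$NotifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$KillBitKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-WinlogonNotifyDlls {
    # Each subkey of Winlogon\Notify names its DLL in the DLLName value (XP/2003 only).
    if (-not (Test-Path $NotifyKey)) { return @() }
    Get-ChildItem $NotifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DLLName
        [pscustomobject]@{ Name = $_.PSChildName; DllName = $dll }
    }
}

function Get-BhoReport {
    $notify = @(Get-WinlogonNotifyDlls)
    if (-not (Test-Path $BhoKey)) { return @() }
    Get-ChildItem $BhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name   = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll    = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $dllBase = if ($dll) { [IO.Path]::GetFileNameWithoutExtension($dll) } else { '' }

        # The heuristic from the log: nameless BHO whose DLL is also a Winlogon Notify package.
        $notifyHit = $notify | Where-Object {
            $_.Name -ieq $dllBase -or
            ($_.DllName -and $dll -and ([IO.Path]::GetFileName($_.DllName) -ieq [IO.Path]::GetFileName($dll)))
        }

        # Kill bit: bit 0x400 of "Compatibility Flags" under ActiveX Compatibility\{CLSID}.
        $flags   = (Get-ItemProperty "$KillBitKey\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        $killBit = (([int]$flags) -band 0x400) -ne 0

        $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }

        [pscustomobject]@{
            CLSID       = $clsid
            Name        = $name
            Dll         = $dll
            Signature   = $sig
            KillBitSet  = $killBit
            WinlogonHit = [bool]$notifyHit
            Suspicious  = ([string]::IsNullOrEmpty($name) -and [bool]$notifyHit)
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
Get-WinlogonNotifyDlls | Format-Table -AutoSize
```

Against the first HijackThis log in this thread, the nameless BHO {cc326051-7857-41bd-bbb1-8e0746a38620} pointing at C:\WINDOWS\system32\lprror.dll, together with the O20 "lprror" Winlogon Notify entry, would come out with Suspicious = True, while the named Acrobat BHO would not. Treat the column as a lead to verify (signature status, file on disk, strings), not as a verdict: a legitimate component with a missing default name would trip the same check.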

#6 -David-

Posted 01 July 2006 - 03:56 AM

Hey hjtneub,

Excellent! The log is looking clean, and the Vundo infection has gone. Your Java is out of date and the older versions are being exploited by malware. It is the likely cause of your infection, so we need to get it patched up as soon as possible.
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).
    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
As with all malware like this, it never comes alone and there are probably infected files left on your computer. Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply by using Add Reply.

David
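
The Java clean-up David describes above (find every installed J2SE/Java entry in Add/Remove Programs, remove the old ones, install the newest) can be scripted from the Uninstall registry keys. The script below is an added example, not part of the thread; it assumes a current PowerShell on Windows, and the Wow6432Node path it reads only exists on 64-bit systems.

```powershell
# Added example, not code from the thread. Lists every installed Java runtime
# from the Add/Remove Programs (Uninstall) registry keys, newest first, and
# prints the uninstall command for each older entry so they can be removed.
# Assumptions: current PowerShell on Windows; both 32- and 64-bit views are read.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-SafeVersion([string]$Text) {
    # DisplayVersion looks like "1.5.0.40"; anything unparsable sorts last.
    try { [version]($Text -replace '[^\d.]', '') } catch { [version]'0.0' }
}

function Get-InstalledJava {
    Get-ItemProperty $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(J2SE|Java|JRE|JDK)' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = ConvertTo-SafeVersion $_.DisplayVersion
                Publisher       = $_.Publisher
                UninstallString = $_.UninstallString
            }
        } |
        Sort-Object Version -Descending
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    'No Java runtime found in the Uninstall keys.'
} else {
    'Newest: ' + $java[0].DisplayName + ' (' + $java[0].Version + ')'
    $java | Select-Object -Skip 1 | ForEach-Object {
        'Remove: ' + $_.DisplayName + '  ->  ' + $_.UninstallString
    }
}
```

The script only lists; run the printed UninstallString entries yourself (or pass them to msiexec /x for MSI-based installs) after confirming the newest build is the one you want to keep, then install the current version from java.com as the post says.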

#7 -David-

Posted 09 July 2006 - 07:39 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.