
Pc Reboots, Can't Get To Mcafee Site, Zonealarm Won't Complete Install



#1 ape

  • Members
  • 2 posts

Posted 19 November 2006 - 09:56 PM

Sorry, but I don't know what type of infection I have except that it's malicious...

The PC will reboot on its own. Has a matrix-like screen flash when booting up... If trying to go to a McAfee site I get redirected to the Microsoft site. The ZoneAlarm install would not complete... when it came to the screen to click Finish, it went away just before I could click on Finish. I have tried to follow the steps in Grinler's post to clean things off. That found and removed a lot, but it seems that when I reboot more stuff comes back. Obviously I'm in over my head with this, and any help is appreciated.

My hjt log is pasted below. By the way I couldn't log into this site from that computer either. I had to e-mail the log to so I could connect on another pc to post this. Is the best way to post an HJT log to paste it, or can it be attached?

Again thanks for any and all help.
AP


Logfile of HijackThis v1.99.1
Scan saved at 9:26:30 PM, on 11/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN_NEW\System32\smss.exe
C:\WIN_NEW\system32\csrss.exe
C:\WIN_NEW\system32\services.exe
C:\WIN_NEW\system32\lsass.exe
C:\WIN_NEW\system32\svchost.exe
C:\WIN_NEW\System32\svchost.exe
C:\WIN_NEW\System32\svchost.exe
C:\WIN_NEW\System32\svchost.exe
C:\WIN_NEW\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NeroCheck.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WIN_NEW\System32\adwofaaa.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WIN_NEW\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WIN_NEW\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WIN_NEW\System32\wuauclt.exe
C:\Temp\Downloads\stng260.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdlite.exe
C:\Temp\Downloads\zlsSetup_65_737_000_en.exe
C:\WIN_NEW\System32\wuauclt.exe
C:\WIN_NEW\System32\wuauclt.exe
C:\WIN_NEW\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\update\update.exe
C:\Program Files\highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WIN_NEW\System32\ipv6monl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Restart system 32] C:\WIN_NEW\System32\xEnsot32.exe
O4 - HKLM\..\Run: [xp_system] C:\WIN_NEW\inet20004\winlogon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN_NEW\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [adwofaaa] C:\WIN_NEW\System32\adwofaaa.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [adwofaaa] C:\WIN_NEW\System32\adwofaaa.exe
O4 - HKCU\..\Run: [Restart system 32] C:\WIN_NEW\System32\xEnsot32.exe
O4 - Startup: Check for ContinuumClient Updates.lnk = C:\Program Files\Quote.com\ContinuumClient\WiseUpdt.exe
O4 - Startup: Check for QCharts Updates.lnk = C:\Program Files\Quote.com\QCharts 5.1\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161571272218
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: ppts16 - C:\WIN_NEW\SYSTEM32\ppts16.dll
O21 - SSODL: IEFilter - {5C1B3DE4-58E0-46DB-BCB3-92184ED2D9D1} - C:\WIN_NEW\system32\IEFilter.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN_NEW\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WIN_NEW\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 November 2006 - 09:09 AM

Hi ape, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#3 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 November 2006 - 06:19 AM

Hi ape, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

My hjt log is pasted below. By the way I couldn't log into this site from that computer either. I had to e-mail the log to so I could connect on another pc to post this. Is the best way to post an HJT log to paste it, or can it be attached?


You did well; this is the best way to do it.

1. To begin with I have a question: you are running Windows from two locations (c:\Windows and C:\Win_New), have you upgraded your version? Or is there any other reason for that?

2. Your log shows some very dangerous trojans are active on your computer, like: Troj/Cimuz-AV and Trojan.Bookmarker.J

This worm also has backdoor functionalities. It is possible that the remote attacker has added multiple backdoors and/or accounts or even rooted the computer.

You already explained that the infected computer is disconnected from the internet which appears to be good because otherwise I would have advised you to do that. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Visit the following sites for more information on internet theft and when to reformat!

If you have any questions before you come to a final decision, please feel free to ask.

Should you choose not to reformat, please follow my instructions below!

3. Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
4. Your log shows that you are running more than one different Anti-Virus programs with Auto-protect enabled.
Rather than giving you extra protection, this can actually give problems because of incompatibility issues, can even cause BSODs and decrease the reliability of it seriously!

I would strongly advise you to only have one Anti-Virus with the Auto-Protect feature running at any one time!
If you decide to only keep one Anti-Virus installed, you should uninstall the other(s) through the Add or Remove Programs option in Control Panel.

Please post the c:\haxfix.txt along with a fresh HijackThis log.
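The log reading Falu does in points 1 and 2 (spotting two Windows installation roots, and autostart entries that point at unfamiliar files) can be turned into a repeatable triage pass. The script below is an added example, not a tool from this thread, from HijackThis or from haxfix: it parses the HijackThis log format and runs a few defensive heuristics over lines excerpted from ape's log above (embedded as a constructed sample). The heuristic rules, the finding labels and the function names are assumptions introduced for the example; every finding is a reason to look closer at a line, never a verdict that the file is malicious.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the HijackThis log posted earlier in
# this thread. The machine boots from C:\WIN_NEW while C:\WINDOWS still holds
# a second installation, which is what question 1 above asks about.
SAMPLE_LOG = r"""
Running processes:
C:\WIN_NEW\System32\smss.exe
C:\WIN_NEW\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WIN_NEW\System32\adwofaaa.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WIN_NEW\System32\ipv6monl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Restart system 32] C:\WIN_NEW\System32\xEnsot32.exe
O4 - HKLM\..\Run: [xp_system] C:\WIN_NEW\inet20004\winlogon.exe
O4 - HKLM\..\Run: [adwofaaa] C:\WIN_NEW\System32\adwofaaa.exe
O4 - HKCU\..\Run: [adwofaaa] C:\WIN_NEW\System32\adwofaaa.exe
O4 - HKCU\..\Run: [Restart system 32] C:\WIN_NEW\System32\xEnsot32.exe
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: ppts16 - C:\WIN_NEW\SYSTEM32\ppts16.dll
O21 - SSODL: IEFilter - {5C1B3DE4-58E0-46DB-BCB3-92184ED2D9D1} - C:\WIN_NEW\system32\IEFilter.dll (file missing)
"""

# Core Windows binaries that only ever load from <root>\system32; a file with
# one of these names anywhere else deserves a closer look (assumed list).
CORE_SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe",
                        "csrss.exe", "smss.exe", "services.exe"}

# First drive-letter path on a line, up to the module extension (spaces allowed).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)", re.IGNORECASE)
# <drive>:\<dir>\system32\ marks <drive>:\<dir> as a Windows installation root.
ROOT_RE = re.compile(r"([A-Za-z]:\\[^\\]+)\\system32\\", re.IGNORECASE)
# HijackThis section prefix, e.g. "O4 - " or "R1 - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s")


def parse_hjt_log(text):
    """Return (running process paths, [(section, line, path)] for O/R entries)."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if in_processes:
            processes.append(line)
        elif m:
            pm = PATH_RE.search(line)
            entries.append((m.group(1), line, pm.group(0) if pm else None))
    return processes, entries


def triage(text):
    """Heuristic findings as (kind, detail) tuples: reasons to look, not verdicts."""
    processes, entries = parse_hjt_log(text)
    findings = []

    # Heuristic 1: more than one Windows root among the running processes.
    roots = set()
    for p in processes:
        m = ROOT_RE.match(p)
        if m:
            roots.add(m.group(1).upper())
    roots = sorted(roots)
    if len(roots) > 1:
        findings.append(("multiple-windows-roots", ", ".join(roots)))

    items = [("process", p, p) for p in processes] + entries
    run_hives = defaultdict(set)
    for section, line, path in items:
        if path is None:
            continue
        parent, _, name = path.lower().rpartition("\\")
        # Heuristic 2: a core system binary name loaded from outside system32.
        if name in CORE_SYSTEM_BINARIES and not parent.endswith("\\system32"):
            findings.append(("core-binary-outside-system32", path))
        # Heuristic 3: HijackThis could not find the registered file.
        if "(file missing)" in line:
            findings.append(("file-missing", path))
        # Heuristic 4: a module under a Windows root but not in system32/system.
        for root in roots:
            r = root.lower()
            if parent.startswith(r + "\\") and not re.fullmatch(re.escape(r) + r"\\system(32)?", parent):
                findings.append(("odd-dir-under-windows-root", path))
        # Heuristic 5: the same Run target registered under both HKLM and HKCU.
        if section == "O4" and " - HK" in line:
            run_hives[path.lower()].add(line.split(" - ", 1)[1][:4])
    for target, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("run-in-both-hives", target))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:30} {detail}")
```

Run against the sample, the script reports the two installation roots, the winlogon.exe copy living in an unfamiliar directory under C:\WIN_NEW, the missing IEFilter.dll, and the two Run targets present in both hives. The rules are deliberately simple; the well-known items they do not flag (a BHO or Winlogon Notify DLL sitting in system32 with a name nobody recognises) are exactly the ones a human log reader still has to judge.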

#4 ape

  • Topic Starter
  • Members
  • 2 posts

Posted 21 November 2006 - 11:12 PM

Thanks for your response. Following is information based on your response...

1. I installed a quad video card and had issues and ended up installing a 2nd version of the operating system.

2. It sounds like the only way to be safe is reformat and reinstall... I don't really look forward to this but...
If I have to... there are some files that I would like to save from that PC. Some MS application documents and some other application files. Is there any risk that putting any of these files on a newly reformatted and reinstalled system will infect it? What tools would you recommend so I don't end up with this issue again?


4. do you have a recommendation of one anti-virus vs the other?


It will probably be Sunday before I start reformatting due to being out of town the next several days.

Thanks for all of your help.

#5 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 November 2006 - 08:06 AM

Hi ape, :thumbsup:

It sounds like the only way to be safe is reformat and reinstall... I don't really look forward to this but...
If I have to...


You don't have to but it is very unlikely that with these kind of infections we will be able to clean up your computer completely. So what I am really saying is that in my opinion it is a wise decision if you reformat.
In my first post I already referred to here for tips on reformatting/re-installing. Before doing anything read the information presented.
Do you have an external harddisk or an alternative storage system (USB stick, CD's) large enough to copy your entire disk so you can be sure that you don't lose anything (bookmarks, e-mail, passwords, IP addresses, usernames etc.)? There are some free programmes to help you do the job like: WinBackup 1.86 and Acronis True Image 7.0. If you need additional help or advice feel free to ask for it in this thread.

there are some files that I would like to save from that PC. Some MS application documents and some other application files. Is there any risk that putting any of these files on a newly reformatted and reinstalled system will infect it?


Before installing the files on your reformatted computer scan the files with an antivirus.

do you have a recommendation of one anti-virus vs the other?


The choice for one or the other AV is a very personal one. Personally I use AVG free and I love it. (see next item as well)

What tools would you recommend so I don't end up with this issue again?


In order to prevent future infections follow these recommendations:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Use a Firewall. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones click: Understanding and Using Firewalls!

c. It is very important that your computer has an anti-virus software running. For your information see this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources!

d. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found
here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

e. I recommend you to read Tony Klein's excellent article: So how did I get infected in the first place?

f. If you want to fight back the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :flowers:



