
Problems


68 replies to this topic

#1 swalker25


Posted 16 February 2007 - 06:30 PM

I recently got infected with a trojan virus and a bleep ton of spyware. I seem to have gotten rid of most of it, with the help of Spyware Doctor, but I'm still having some problems. My hijackthis log will be below. There is an entry that I'm pretty sure is spyware, O17 - HKLM\System\CCS\Services\Tcpip\.., but if I remove it using hijackthis, my internet will not work anymore. If I restore it using hijackthis, my internet works again.
Also, I can clean my computer of any infections using Spyware Doctor, but as soon as I open an internet connection, all the bad items get reinstalled. Also, when my computer first got infected, any time I opened a Microsoft Office document, the app. would freeze and I could never open any office doc.



Logfile of HijackThis v1.99.1
Scan saved at 5:24:01 PM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\movie\My Documents\MGI Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,,,,,,,,,,,,,,,,,,,,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tchdhovu.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EF55EEF-060E-4DD4-927A-DC476428F78F}: NameServer = 209.242.0.2,209.242.0.5
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\19D.tmp".exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



#2 miekiemoes


Posted 17 February 2007 - 08:57 AM

Hello,

The O17 entry is ok as far as I can see... It's not malware related anyway:
http://www.dls.net/support/guides/dialup-generic.phtml

Go to start > run and copy and paste next command in the field:

sc delete mmupdate

Hit enter.

Some entries are hidden in your log here, so do next:

Can you rename Hijackthis.exe to Analyse.exe
Then scan with Analyse.exe and post the log in your next reply (which will be a hijackthislog of course)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 swalker25


Posted 19 February 2007 - 10:21 AM

I'm not sure what that dial-up link is talking about. If it matters, this is a computer at my work and we have a T-1 line. I turned my computer on this morning and it was again overrun with spyware. I deleted a bunch of stuff with Spyware Doctor, so I can at least get it somewhat functional. But if there are a bunch of different entries, that is why.


Logfile of HijackThis v1.99.1
Scan saved at 9:14:44 AM, on 2/19/2015
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\windows\system32\uvnx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Shelldaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\TEMP\svchast.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Documents and Settings\movie\My Documents\MGI Files\hijackthis\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,,,,,,,,,,,,,,,,,,,,
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {5D3F931C-C524-4731-9C94-11B44D4B7BD9} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {8A5849C4-93F3-429D-FF34-660A2068897C} - (no file)
O2 - BHO: (no name) - {8AAB9925-CC78-4BF5-B014-A089DD64D237} - C:\WINDOWS\system32\wvuvvwx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tchdhovu.dll",setvm
O4 - HKLM\..\Run: [uvnx] c:\windows\system32\uvnx.exe
O4 - HKLM\..\Run: [Shelldaemon] C:\WINDOWS\Shelldaemon.exe
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Recoveru systems] C:\WINDOWS\TEMP\svchast.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EF55EEF-060E-4DD4-927A-DC476428F78F}: NameServer = 209.242.0.2,209.242.0.5
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Client IP-IPX - Unknown owner - -e,te-110-12-0000271, (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#4 miekiemoes


Posted 19 February 2007 - 11:00 AM

Hi,

Yikes, so this is the computer from work? I see more malware got installed in the meanwhile... Including some very nasty ones :thumbsup:

Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

You have more than one backdoor trojan on your system as well as at least one very dangerous keylogger.

These allow hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans may be identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Especially since this is a computer used at work, it would be irresponsible of me to help you clean this manually, because I don't want to be responsible for the fact that malware may still be present afterwards although it looks like we solved it. Because as I said, you can NEVER trust this system anymore if you clean this up manually. And as a computer that's used for work, you cannot afford that.

So the decision is yours what to do. If you really want to clean this up manually, then I recommend you don't use this computer anymore for Internet Access or saving important documents.

Let me know what you decide.

#5 swalker25


Posted 19 February 2007 - 11:12 AM

I have a couple of other computers I use, so I can always use the internet on those computers and not this one. Right now, let's get this one cleaned up and then when I have time on my hands, I will re-format and re-install everything.

#6 miekiemoes


Posted 19 February 2007 - 11:34 AM

Hi

If you decide to do this manually, that's fine for me of course, but you cannot expect that we will be able to repair all damage this malware already caused. Keep in mind, you're not only dealing with spyware here, but with Trojans, keyloggers and backdoors. So spyware scanners won't be able to deal with that anyway.
I even suspect a rootkit here (may be more than one), but we'll have to find out later...

Right now, lets get this one cleaned up and then when I have time on my hands, I will re-format and re-install everything.

But do you have the time to clean this up manually? You'll be surprised how long a manual cleanup will take.. because it's important you follow every step I post, otherwise we won't be able to deal with it properly.

We'll have to do this step by step since you are dealing with many different infections.
So I can't stress enough how important it is that you perform every step in the right order without missing any step.
It is also really important that you perform this asap, because the longer you wait, the more malware that will get installed and the more damage that will be present.

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\system32\mllmm.dll
  • Copy and paste next in the second field: C:\WINDOWS\system32\wvuvvwx.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

Please download LSPfix and save it to the Desktop and unzip it.
* Run LSPfix and place a check against the I know what I am doing checkbox.

Highlight every instance of the following name: msnetax.dll and move it from the Keep to the Remove panel.
Be sure to move nothing else or you will lose your internet connection!!!

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Then reboot once again.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,,,,,,,,,,,,,,,,,,,,
O2 - BHO: (no name) - {5D3F931C-C524-4731-9C94-11B44D4B7BD9} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {8A5849C4-93F3-429D-FF34-660A2068897C} - (no file)
O2 - BHO: (no name) - {8AAB9925-CC78-4BF5-B014-A089DD64D237} - C:\WINDOWS\system32\wvuvvwx.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tchdhovu.dll",setvm
O4 - HKLM\..\Run: [uvnx] c:\windows\system32\uvnx.exe
O4 - HKLM\..\Run: [Shelldaemon] C:\WINDOWS\Shelldaemon.exe
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
O4 - HKCU\..\Run: [Recoveru systems] C:\WINDOWS\TEMP\svchast.exe
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Client IP-IPX - Unknown owner - -e,te-110-12-0000271, (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\windows\system32\uvnx.exe
C:\WINDOWS\Shelldaemon.exe
C:\WINDOWS\TEMP\svchast.exe
C:\WINDOWS\TEMP\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe
C:\WINDOWS\system32\dns.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!)
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next files:

C:\windows\system32\uvnx.exe
C:\WINDOWS\Shelldaemon.exe
C:\WINDOWS\TEMP <== delete the entire contents of this folder, do not delete the folder itself.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum). I need that log later.
Now you're back into Windows normal mode..

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Post the following logs in your next reply:

* New Hijackthislog
* Log from Vundofix
* Log from SDfix (will be in the SDFix folder)
* Log from DrWeb CureIt

You may need more than one reply to post the logs.

#7 miekiemoes


Posted 19 February 2007 - 12:30 PM

I received the samples... so this is what they are:

Kaspersky Anti-Virus Results: uvnx.exe Packed PE_Patch.UPX
uvnx.exe Packed UPX
svchast.exe Packed PE_Patch.PECompact
svchast.exe Packed PecBundle
svchast.exe Packed PECompact
svchost.exe INFECTED Trojan-Downloader.Win32.Small.ego
wuauclt.exe INFECTED Trojan-Downloader.Win32.Small.ego
dns.exe Packed PE_Patch
dns.exe Packed UPack

BitDefender Antivirus Results: /home/www.bleepingcomputer.com/malware/submit/5/requested-files[2015-02-19_11_22].cab-5943=>C:\WINDOWS\Shelldaemon.exe infected: BehavesLike:Win32.IRC-Backdoor
/home/www.bleepingcomputer.com/malware/submit/5/requested-files[2015-02-19_11_22].cab-5943=>C:\WINDOWS\TEMP\svchast.exe infected: Generic.Malware.Sdld!.E253216F
/home/www.bleepingcomputer.com/malware/submit/5/requested-files[2015-02-19_11_22].cab-5943=>C:\WINDOWS\TEMP\svchost.exe infected: Dropped:Trojan.Rootkit.AW
/home/www.bleepingcomputer.com/malware/submit/5/requested-files[2015-02-19_11_22].cab-5943=>C:\WINDOWS\TEMP\wuauclt.exe infected: Trojan.Downloader.Small.EGO

Antivir Results: ALERT: [TR/Dldr.Agent.11264.A trojan] /home/www.bleepingcomputer.com/malware/submit/5/requested-files[2015-02-19_11_22].cab-5943 --> C:\windows\system32\uvnx.exe <<< Is the Trojan horse TR/Dldr.Agent.11264.A
ALERT: [WORM/IRCBot.73728.10 worm] /home/www.bleepingcomputer.com/malware/submit/5/requested-files[2015-02-19_11_22].cab-5943 --> C:\WINDOWS\Shelldaemon.exe <<< Contains signature of the worm WORM/IRCBot.73728.10

Yuck. :thumbsup:
This is what I call a malware cocktail present.

#8 swalker25


Posted 19 February 2007 - 12:38 PM

I am currently at this step:

Delete next files:

C:\windows\system32\uvnx.exe
C:\WINDOWS\Shelldaemon.exe
C:\WINDOWS\TEMP <== delete the entire contents of this folder, do not delete the folder itself.

There are some files in the temp directory that will not delete:

wuauclt.exe
svchost.exe
kernel.sys

I am still continuing on until you tell me to stop, though.

#9 miekiemoes


Posted 19 February 2007 - 12:45 PM

There are some files in the temp directory that will not delete:


I assume you're trying this from safe mode? I don't like the fact that it's active in safe mode as well from that Temp-folder. The legit ones are in the Windows\system32-folder. Whatever is present in that temp-folder is malware related. Actually anything present in the C:\Windows\temp-folder may get deleted anyway.

Ok, do next, in case you cannot delete them in Windows Safe mode..

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\TEMP\kernel.sys
C:\WINDOWS\TEMP\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer should reboot now.

This will create a C:\!Killbox-folder with above files present in it (they were moved to that folder, so we have a backup).

Then, can you also upload the C:\!Killbox\kernel.sys to the same link I posted previously?

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 February 2007 - 12:57 PM

I see I didn't add this one to delete:

C:\WINDOWS\system32\dns.exe

So delete that one as well, since it's related.
You are dealing with something very nasty there :thumbsup:
I hope your other computers are not affected....

Edited by miekiemoes, 19 February 2007 - 12:57 PM.


#11 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 February 2007 - 01:17 PM

More info:

Kaspersky Anti-Virus Results: kernel.sys-5945 Packed PE_Patch
kernel.sys-5945 INFECTED Rootkit.Win32.Agent.dp

BitDefender Antivirus Results: infected: Trojan.Rootkit.AW

Antivir Results: ALERT: [TR/RKit.Agent.DP.2 trojan] <<< Is the Trojan horse TR/RKit.Agent.DP.2

#12 swalker25
  • Topic Starter
  • Members
  • 59 posts

Posted 19 February 2007 - 01:18 PM

FYI, my computer keeps freezing up right after I log on to my desktop. I have to keep manually rebooting it by pushing the physical reset button; I don't know if that is going to cause any problems.

#13 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 February 2007 - 01:23 PM

Hi,

Yes, that doesn't surprise me at all that you are having these problems. As I already said, you are dealing with some very nasty infections including Trojans, backdoors and rootkits. They damage a lot and totally compromise your system. Also, all your passwords are known. That's why I posted previously that cleaning this manually won't always work, since the damage it already caused may be huge when we try to remove it manually, and you can never trust this system anymore.

Can you boot into safe mode without problems? I guess there will be problems there as well since this malware is also loaded in safe mode.

#14 swalker25
  • Topic Starter
  • Members
  • 59 posts

Posted 19 February 2007 - 01:25 PM

I can boot to safe mode with no problems. I usually do get an svchost.exe error. But I figured I would have to run all the cleaning programs in regular mode and not safe mode.

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 February 2007 - 01:31 PM

Hi,

There was a part I posted in my previous instructions that had to be done in Windows Safe mode (SDFix).
But it would be a good idea to run DrWeb CureIt in Safe mode as well.

Also, from safe mode, look if the entries I asked you to fix in HijackThis are still present and fix them again. Especially this one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,,,,,,,,,,,,,,,,,,,,

It could be possible that the above entry may show filenames where the commas are (when you look at it in safe mode). So in case it does show more in that entry, let me know (or it may be better to post a HijackThis log made from Windows Safe mode).
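As an added example (not part of this thread or of HijackThis), the following Python script applies the two checks miekiemoes describes above: system-binary names (svchost.exe, wuauclt.exe) running from a folder other than System32, and the comma-separated UserInit value, where any extra entry besides userinit.exe would be an additional program launched at logon. The sample log lines are constructed, modelled on the entries quoted in the thread.

```python
import re
from typing import Dict, List

# Well-known Windows binaries that belong in System32; on this page the malware
# dropped same-named copies into C:\WINDOWS\TEMP.
SYSTEM_BINARIES = {"svchost.exe", "wuauclt.exe", "userinit.exe", "winlogon.exe", "lsass.exe"}
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"


def suspicious_processes(lines: List[str]) -> List[str]:
    """Return 'Running processes' paths whose file name is a system binary
    but whose folder is not System32 (comparison is case-insensitive)."""
    hits = []
    for line in lines:
        path = line.strip()
        if not re.match(r"^[a-z]:\\", path, re.I):  # only drive-letter paths
            continue
        folder, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_BINARIES and folder.lower() != r"c:\windows\system32":
            hits.append(path)
    return hits


def parse_userinit(f2_line: str) -> Dict[str, object]:
    """Split an 'F2 - REG:system.ini: UserInit=' value on commas. Winlogon runs
    every comma-separated entry at logon, so anything besides userinit.exe is reported."""
    m = re.search(r"UserInit=(.*)$", f2_line, re.I)
    if not m:
        raise ValueError("not an F2 UserInit line")
    entries = [e.strip() for e in m.group(1).split(",")]
    return {
        "extra": [e for e in entries if e and e.lower() != LEGIT_USERINIT],
        "empty_slots": sum(1 for e in entries if not e),
    }


def analyze_log(log_text: str) -> Dict[str, object]:
    """Run both checks over a whole HijackThis-style log."""
    lines = log_text.splitlines()
    f2 = [l for l in lines if l.startswith("F2 - REG:system.ini: UserInit=")]
    return {"bad_processes": suspicious_processes(lines),
            "userinit": parse_userinit(f2[0]) if f2 else None}


# Constructed sample (not the original poster's full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,,,,,
"""
```

Running `analyze_log(SAMPLE_LOG)` flags the two TEMP copies and reports six empty UserInit slots with no extra program; a hidden entry between the commas would show up under "extra".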
