Infected Again! Trojan Well Hidden? Winfixer?


This topic is locked
5 replies to this topic

#1 Melanee (Members, 9 posts)

Posted 08 March 2007 - 10:15 PM

I've been infected again. Trend Housecall found the most recent Troj_Juan.AL.
Earlier in the day I was infected with Trojan Downloader Winfixer.O.
I've run BitDefender and AVG, but nothing seems to work to get rid of it or delete it.
I'm getting pop-up windows of annoying anti-spyware ads; once today I heard music on my speakers...wtf! How did that happen?

Sifu Mike was so helpful last time I had a virus (last month), so I'm back!
I don't know how this keeps happening. I have a firewall, I keep my virus programs up to date, I don't open e-mail from people I don't know.
Please help.


Logfile of HijackThis v1.99.1
Scan saved at 9:01:32 PM, on 3/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
c:\progra~1\alwils~1\avast4\ashdisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\MagicTune3.6\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] "c:\documents and settings\all users\_qbothome\_qbotinj.exe" "c:\documents and settings\all users\_qbothome\_qbot.dll" /c c:\progra~1\alwils~1\avast4\ashdisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.alpineaccess.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe



Ran VBG for the winfixer when Vundo Fix did not work:
[03/08/2007, 17:15:01] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XXJS2MLZ\VirtumundoBeGone[1].exe" )
[03/08/2007, 17:15:10] - Detected System Information:
[03/08/2007, 17:15:10] - Windows Version: 5.1.2600, Service Pack 2
[03/08/2007, 17:15:10] - Current Username: Owner (Admin)
[03/08/2007, 17:15:10] - Windows is in NORMAL mode.
[03/08/2007, 17:15:10] - Searching for Browser Helper Objects:
[03/08/2007, 17:15:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/08/2007, 17:15:10] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/08/2007, 17:15:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 17:15:10] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/08/2007, 17:15:10] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/08/2007, 17:15:10] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 17:15:10] - BHO 4: {ab613a37-80b2-4bee-b0ee-b028e680ca43} ()
[03/08/2007, 17:15:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 17:15:11] - Checking for HKLM\...\Winlogon\Notify\ascgX7
[03/08/2007, 17:15:11] - Found: HKLM\...\Winlogon\Notify\ascgX7 - This is probably Virtumundo.
[03/08/2007, 17:15:11] - Assigning {ab613a37-80b2-4bee-b0ee-b028e680ca43} MSEvents Object
[03/08/2007, 17:15:11] - BHO list has been changed! Starting over...
[03/08/2007, 17:15:11] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/08/2007, 17:15:11] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/08/2007, 17:15:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 17:15:11] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/08/2007, 17:15:11] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/08/2007, 17:15:11] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 17:15:11] - BHO 4: {ab613a37-80b2-4bee-b0ee-b028e680ca43} (MSEvents Object)
[03/08/2007, 17:15:11] - ALERT: Found MSEvents Object!
[03/08/2007, 17:15:11] - Finished Searching Browser Helper Objects
[03/08/2007, 17:15:11] - *** Detected MSEvents Object
[03/08/2007, 17:15:11] - Trying to remove MSEvents Object...
[03/08/2007, 17:15:12] - Terminating Process: IEXPLORE.EXE
[03/08/2007, 17:15:13] - Terminating Process: RUNDLL32.EXE
[03/08/2007, 17:15:13] - Disabling Automatic Shell Restart
[03/08/2007, 17:15:13] - Terminating Process: EXPLORER.EXE
[03/08/2007, 17:15:13] - Suspending the NT Session Manager System Service
[03/08/2007, 17:15:13] - Terminating Windows NT Logon/Logoff Manager
[03/08/2007, 17:15:14] - Re-enabling Automatic Shell Restart
[03/08/2007, 17:15:14] - File to disable: C:\WINDOWS\system32\ascgX7.dll
[03/08/2007, 17:15:14] - Renaming C:\WINDOWS\system32\ascgX7.dll -> C:\WINDOWS\system32\ascgX7.dll.vir
[03/08/2007, 17:15:14] - File successfully renamed!
[03/08/2007, 17:15:14] - Removing HKLM\...\Browser Helper Objects\{ab613a37-80b2-4bee-b0ee-b028e680ca43}
[03/08/2007, 17:15:14] - Removing HKCR\CLSID\{ab613a37-80b2-4bee-b0ee-b028e680ca43}
[03/08/2007, 17:15:14] - Adding Kill Bit for ActiveX for GUID: {ab613a37-80b2-4bee-b0ee-b028e680ca43}
[03/08/2007, 17:15:14] - Deleting ATLEvents/MSEvents Registry entries
[03/08/2007, 17:15:14] - Removing HKLM\...\Winlogon\Notify\ascgX7
[03/08/2007, 17:15:14] - Searching for Browser Helper Objects:
[03/08/2007, 17:15:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/08/2007, 17:15:14] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/08/2007, 17:15:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 17:15:14] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/08/2007, 17:15:14] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/08/2007, 17:15:14] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 17:15:14] - Finished Searching Browser Helper Objects
[03/08/2007, 17:15:14] - Finishing up...
[03/08/2007, 17:15:14] - A restart is needed.
[03/08/2007, 17:15:23] - Attempting to Restart via STOP error (Blue Screen!)

[03/08/2007, 17:17:57] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[03/08/2007, 17:18:00] - Detected System Information:
[03/08/2007, 17:18:00] - Windows Version: 5.1.2600, Service Pack 2
[03/08/2007, 17:18:00] - Current Username: Owner (Admin)
[03/08/2007, 17:18:00] - Windows is in NORMAL mode.
[03/08/2007, 17:18:00] - Searching for Browser Helper Objects:
[03/08/2007, 17:18:00] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/08/2007, 17:18:00] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/08/2007, 17:18:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 17:18:00] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/08/2007, 17:18:00] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/08/2007, 17:18:00] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/08/2007, 17:18:00] - Finished Searching Browser Helper Objects
[03/08/2007, 17:18:00] - Finishing up...
[03/08/2007, 17:18:00] - Nothing found! Exiting...

[03/08/2007, 20:48:25] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[03/08/2007, 20:48:27] - Detected System Information:
[03/08/2007, 20:48:27] - Windows Version: 5.1.2600, Service Pack 2
[03/08/2007, 20:48:27] - Current Username: Owner (Admin)
[03/08/2007, 20:48:27] - Windows is in SAFE mode with Networking.
[03/08/2007, 20:48:27] - Searching for Browser Helper Objects:
[03/08/2007, 20:48:27] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/08/2007, 20:48:27] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/08/2007, 20:48:27] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/08/2007, 20:48:27] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/08/2007, 20:48:27] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/08/2007, 20:48:28] - Finished Searching Browser Helper Objects
[03/08/2007, 20:48:28] - Finishing up...
[03/08/2007, 20:48:28] - Nothing found! Exiting...


BitDefender log today:
BitDefender Online Scanner
Scan report generated at: Thu, Mar 08, 2007 - 10:12:28
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
  Time: 02:06:56
  Files: 506810
  Folders: 11489
  Boot Sectors: 4
  Archives: 11408
  Packed Files: 24122

Results
  Identified Viruses: 3
  Infected Files: 24
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 22

Engines Info
  Virus Definitions: 403384
  Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 6
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\All Users\Start Menu\Programs\Creative\Creative WebCam\Creative Cam Detector.lnk=>C:\Program Files\Creative\Shared Files\CamTray.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Creative\Creative WebCam\Creative Cam Detector.lnk
  Update failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\20BD9BUT\WinAntiVirusPro2007FreeInstall[1].cab=>UWA7P_0001_N91M0809NetInstaller.exe
  Infected with: Trojan.Downloader.Winfixer.O; Disinfection failed; Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\20BD9BUT\WinAntiVirusPro2007FreeInstall[1].cab
  Update failed

C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\Program Files\Analog Devices\Core\smax4pnp.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\Program Files\QuickTime\qttask.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP10\A0010288.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP10\A0010321.rbf
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP10\A0010322.rbf
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP10\A0010560.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP11\A0012696.dll
  Infected with: MemScan:Trojan.Juan.Q; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP11\A0012709.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP11\A0012710.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP11\A0012711.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP11\A0012712.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP11\A0012713.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\System Volume Information\_restore{A5B69997-C62C-41F3-A28B-FC536F72E2E3}\RP11\A0012714.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\WINDOWS\system32\igfxpers.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\WINDOWS\system32\igfxtray.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Delete failed

C:\WINDOWS\system32\lsasss.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\WINDOWS\system32\NeroCheck.exe
  Infected with: DeepScan:Generic.Malware.SP!Pk!.294178FA; Disinfection failed; Deleted

C:\WINDOWS\system32\tmp25.tmp.dll
  Infected with: MemScan:Trojan.Juan.Q; Disinfection failed; Delete failed

C:\WINDOWS\system32\tmp4.tmp.dll
  Infected with: MemScan:Trojan.Juan.Q; Disinfection failed; Deleted

#2 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 09 March 2007 - 01:40 PM

Hi Melanee,

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


I need you to rename Hijackthis because I believe that you may have an infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
    C:\Program Files\HijackThis\HijackThis.exe
  • Right-click on it, then select Rename.
  • Name it something like: AnalyzeThis.exe (or whatever you want)
  • Then double-click AnalyzeThis.exe to scan and then post the new logfile.

Edited by SifuMike, 09 March 2007 - 05:15 PM.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Melanee (Topic Starter)

Posted 09 March 2007 - 07:00 PM

Hi Mike,
Oh, where to begin. Thanks for responding. Last night after my post I ran Trend's HouseCall and it found a Trojan and deleted it.
After finding the Trojan-Winfixer yesterday, this morning after reading another post I ran SmitfraudFix (I know, I'm not supposed to do anything without someone like you telling me), but I did, and the result was this.
SmitFraudFix v2.148

Scan done at 9:44:19.56, Fri 03/09/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32


Scanning wininet.dll infection


End

I chose delete. Yikes, I hope I didn't screw anything up further.
I ran it again now and it found nothing.

I really think all my problems began when I removed ZoneAlarm from my system, thinking it was slowing it down and that Windows Firewall was enough; really, it most likely wasn't, and it left me vulnerable. I've got it back now.

Here is my new Hijack this after following your suggestion above.

Logfile of HijackThis v1.99.1
Scan saved at 5:50:12 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\alwils~1\avast4\ashdisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Analyze This\AnalyzeThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] "c:\documents and settings\all users\_qbothome\_qbotinj.exe" "c:\documents and settings\all users\_qbothome\_qbot.dll" /c c:\progra~1\alwils~1\avast4\ashdisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.alpineaccess.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173445927953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173445922500
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Everything appears to be running fine today; I've run all the virus software and nothing is found. I'm getting no more pop-ups. I feel really insecure about everything though. This stuff is exhausting!

Oh, and I've tried to do updates on Windows, mostly the security updates and they don't go through. Do I have to turn off the firewall or virus software to do the updates?

Thanks so much for being there and saving my butt once again.
Looking forward to hearing back from you...I think ;)

God, I wish I married a Computer Tech instead of an Auto Tech!
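A note on reading the two HijackThis logs above, independent of the replies in this thread. Both logs (post #1 and post #3) carry the same Run value, O4 - HKLM\..\Run: [avast!], whose launched binary is _qbotinj.exe under c:\documents and settings\all users\_qbothome\, with a DLL from the same folder as its first argument and the real avast! tray program ashdisp.exe only passed after a /c switch; the value keeps the avast! name but avast! is no longer what it starts directly. The BitDefender report in post #1 also lists C:\WINDOWS\system32\lsasss.exe, one letter away from the legitimate lsass.exe that appears in the process list. Both patterns are easy to miss when a log is read by eye. The Python script below is an added example written for this page; it is not part of the thread, of HijackThis or of any of the tools named here. It parses O4 lines and file paths copied verbatim from the logs above, flags Run values that launch one executable while passing another executable or a DLL as an argument or that start from a user-profile directory, and flags file names within one edit of a core Windows binary. The heuristics and the list of core binaries are this example's own choices, not HijackThis rules.

```python
import re

# Core Windows XP binaries that malware commonly names itself after
# (this example's own list; extend as needed).
CORE_SYSTEM_BINARIES = (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
)

# Matches 'O4 - HKLM\..\Run: [value name] command line'
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Splits a command line into double-quoted or whitespace-delimited tokens
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Sample input copied verbatim from the HijackThis logs posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [avast!] "c:\documents and settings\all users\_qbothome\_qbotinj.exe" "c:\documents and settings\all users\_qbothome\_qbot.dll" /c c:\progra~1\alwils~1\avast4\ashdisp.exe',
    r'O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
]
# Sample paths from the post #1 process list and BitDefender report.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\lsasss.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def split_command(cmd):
    """Tokenize a Run-value command line, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def assess_run_value(line):
    """Parse one HijackThis O4 line and attach heuristic flags; None if not O4."""
    m = O4_RE.match(line)
    if not m:
        return None
    argv = split_command(m.group("cmd"))
    if not argv:
        return None
    launched = argv[0]
    flags = []
    # Another .exe on the command line means the value does not start the
    # program it is named after; the first binary starts it (wrapper pattern).
    wrapped = [a for a in argv[1:] if a.lower().endswith(".exe")]
    if wrapped:
        flags.append(f"launches {basename(launched)} but passes {basename(wrapped[0])} as an argument")
    dlls = [a for a in argv[1:] if a.lower().endswith(".dll")]
    if dlls:
        flags.append(f"hands {basename(dlls[0])} to the launched binary")
    # Installed products live under Program Files or Windows; a Run value
    # starting a binary from a user profile directory deserves a second look.
    if launched.lower().startswith("c:\\documents and settings\\"):
        flags.append("launched binary lives under a user-profile directory")
    return {"hive": m.group("hive"), "name": m.group("name"),
            "launched": basename(launched), "flags": flags}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_name(path):
    """Return the core binary a file name imitates (within one edit), else None."""
    name = basename(path)
    if name in CORE_SYSTEM_BINARIES:
        return None
    for core in CORE_SYSTEM_BINARIES:
        if edit_distance(name, core) <= 1:
            return core
    return None


def triage(o4_lines, paths):
    """Collect human-readable findings for a batch of O4 lines and file paths."""
    findings = []
    for line in o4_lines:
        result = assess_run_value(line)
        if result and result["flags"]:
            findings.append(f'Run value [{result["name"]}]: ' + "; ".join(result["flags"]))
    for path in paths:
        core = lookalike_system_name(path)
        if core:
            findings.append(f"{basename(path)} looks like the system binary {core}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_O4_LINES, SAMPLE_PATHS):
        print(finding)
```

Run against the sample lines, the script reports exactly two findings: the [avast!] value (launches _qbotinj.exe, passes ashdisp.exe and _qbot.dll, starts from a profile directory) and lsasss.exe as a look-alike of lsass.exe; the THGuard, ctfmon.exe and Zone Labs entries pass clean. A value that passes every check is not thereby proven benign, and a flagged value still needs the file itself examined; the point is to make the wrapper and look-alike patterns jump out of a 60-line log.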

#4 SifuMike

Posted 09 March 2007 - 07:13 PM

Hi Melanee,

Your log looks clean! :thumbsup: You cleaned up whatever malware was there.

Oh, and I've tried to do updates on Windows, mostly the security updates and they don't go through. Do I have to turn off the firewall or virus software to do the updates?



Your firewall and virus software should not block the Windows updates. To make sure it is not the firewall causing a problem, turn it off while you try to do the Windows update, then turn it back on.
It may be that the MS update site is busy, so you might try later.


God, I wish I married a Computer Tech instead of an Auto Tech!



Auto Techs make far more money. LOL :flowers:

To help prevent further infection, please download
SpywareBlaster

SpywareBlaster Tutorial

SpywareBlaster helps to:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.

Edited by SifuMike, 09 March 2007 - 07:21 PM.


#5 Melanee (Topic Starter)

Posted 09 March 2007 - 07:42 PM

Thanks again! I feel much better.

I'll try and run the Windows updates at night; maybe there won't be so much traffic. Windows said I need 67 of them; when I ran it earlier it got to 50-something before I cancelled it because it was taking so long. The log said only 6 were successful and the rest failed.

#6 SifuMike

Posted 19 March 2007 - 11:43 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.