
Multiple Trojans And Spyware Problems :(


  • This topic is locked
2 replies to this topic

#1 DaveIs. (Members, 4 posts)

Posted 14 April 2007 - 10:20 PM

Hi,
I'm in need of some help. I'm usually pretty good at repairing an infected computer, but this one is not cooperating. My boss asked if I could repair his PC, so I'm giving it a go. He had no removal software, no virus protection, and 3 kids. I'm sure you can imagine the damage. :thumbsup:

I've run several different removal tools, and they find and remove plenty, but not the big boys.

Currently, I've got BraveSentry and ie-updater.exe. It's also got a strange problem in Device manager that lists the Primary and Secondary IDE chains under "Unknown Device". There's also a window that continues to pop up saying "Program has encountered a problem and had to be shut down." Not The program, but "Program". Odd. Another window pops up saying "C:\Program already exists. Would you like to rename it to Program2".

I've tried running all the removal software in Safe mode. The computer has 5 different User Accounts and takes 3-4 hours to run scans. I am allowed to remove the extra users if I want. I tried, but the program stops responding during removal. Sigh...

Here's my HijackThis log. Hope someone can work some magic. :flowers:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:45 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\msnprcss.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\srvnst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\{345856F7-0BFA-1033-0331-050823200001}\Update.exe
C:\WINDOWS\1903cr.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Dad\MYDOCU~1\CROSOF~1.NET\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\AIRPLUS.exe
C:\Documents and Settings\Dad\My Documents\?racle\?srss.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DEAFF37-6280-6C73-A348-1CE348E8AD9C} - C:\WINDOWS\system32\bqjg.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp2BD.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {91c9ef11-395d-4b5c-9b50-c48ce8fb3f32} - C:\WINDOWS\system32\dss949.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - HKLM\..\Run: [{345856F7-0BFA-1033-0331-050823200001}] "C:\Program Files\Common Files\{345856F7-0BFA-1033-0331-050823200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{345856F7-0BF9-1033-0331-050823200001}] "C:\Program Files\Common Files\{345856F7-0BF9-1033-0331-050823200001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [RegistryMonitor] C:\WINDOWS\1903cr.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\hggggd.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\Dad\MYDOCU~1\CROSOF~1.NET\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Faviw] C:\Program Files\Common Files\?icrosoft.NET\w?auboot.exe
O4 - HKCU\..\Run: [Xudloyd] "C:\Documents and Settings\Dad\My Documents\?racle\?srss.exe"
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\Reg.exe
O4 - Global Startup: DWL-G520M Wireless 108G MIMO PCI Adapter Utility.lnk = ?
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar4.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176350418109
O20 - AppInit_DLLs:
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: dss949 - C:\WINDOWS\SYSTEM32\dss949.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\kjcbnid.dll (file missing)
O21 - SSODL: CUbyytXxq - {345856F8-9EF2-FC52-4E75-477063C22E4E} - C:\WINDOWS\system32\isdihe.dll
O21 - SSODL: CDRecorder036 - {A3BC5E20-0235-1ABF-9CE1-00AA00512036} - C:\WINDOWS\system32\uvbyc32.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\HP_Owner\ie_updater.exe
O23 - Service: System Process Monitor (sysprcm) - - C:\WINDOWS\System32\msnprcss.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Asynchronous Load Balance (ySvcHst) - - C:\WINDOWS\System32\srvnst.exe
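A triage pass over a log like the one above, as an added example that is not part of the original post and not HijackThis code. It encodes the checks a responder applies by eye: executable names one edit away from a core Windows process (lsasss.exe, ?srss.exe), a core process name running outside system32 (ntvdm.exe under My Documents), executables under a user profile, the `?` placeholder HijackThis prints for characters it cannot render, unnamed BHOs outside Program Files, rundll32 autoruns, every unidentified Winsock LSP entry, Winlogon Notify DLLs not on an allow-list, and services with no owner string or an unknown owner running from a profile. The allow-list, the edit-distance threshold and the sample lines (a subset copied from the posted log) are assumptions of the example.

```python
"""Triage heuristics for a HijackThis v1.99 log (example code, not HijackThis itself)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\DOCUME~1\Dad\MYDOCU~1\CROSOF~1.NET\ntvdm.exe
C:\Documents and Settings\Dad\My Documents\?racle\?srss.exe
O2 - BHO: (no name) - {1DEAFF37-6280-6C73-A348-1CE348E8AD9C} - C:\WINDOWS\system32\bqjg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\hggggd.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ggt.dll
O20 - Winlogon Notify: dss949 - C:\WINDOWS\SYSTEM32\dss949.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\HP_Owner\ie_updater.exe
O23 - Service: Asynchronous Load Balance (ySvcHst) - - C:\WINDOWS\System32\srvnst.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

PATH_RE = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll)\b")
# Core process names a dropper likes to imitate; compared at edit distance 1.
SYSTEM_PROCS = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "ntvdm.exe")
SYSTEM_DIR = "c:\\windows\\system32\\"
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")
# Assumption: the Intel graphics notify DLL is the only benign Winlogon Notify entry here.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll"}


@dataclass
class Finding:
    lineno: int
    rule: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are file names, so plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def path_reasons(path: str) -> list[str]:
    """Heuristics applied to every executable or DLL path found in the log."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if "?" in path:
        reasons.append("path contains a character HijackThis could not render (lookalike name)")
    if base.endswith(".exe") and any(m in low for m in PROFILE_MARKERS):
        reasons.append("executable running from a user profile directory")
    for name in SYSTEM_PROCS:
        d = edit_distance(base, name)
        if d == 0:
            if not low.startswith(SYSTEM_DIR):
                reasons.append(f"{name} running outside system32")
            break
        if d == 1:
            reasons.append(f"name is one edit away from {name}")
            break
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per heuristic hit, keyed by 1-based line number."""
    findings: list[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for path in PATH_RE.findall(line):
            for r in path_reasons(path):
                findings.append(Finding(n, r, line))
        if line.startswith("O2 - BHO: (no name)"):
            if "\\program files\\" not in line.lower():
                findings.append(Finding(n, "unnamed BHO loaded from outside Program Files", line))
        elif line.startswith("O4 - ") and "rundll32.exe" in line.lower():
            findings.append(Finding(n, "autorun uses rundll32 to call a DLL export", line))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(Finding(n, "unidentified LSP: repair the Winsock chain, do not just delete the file", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            dll = line.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(n, "Winlogon Notify DLL not on the allow-list", line))
        elif line.startswith("O23 - Service:"):
            m = PATH_RE.search(line)
            # Text between "Service:" and the binary path is "<display> - <owner> -".
            head = line[len("O23 - Service:"):m.start()].strip().rstrip(" -") if m else ""
            owner = head.rsplit(" - ", 1)[1] if " - " in head else ""
            path_low = m.group(0).lower() if m else ""
            if owner == "":
                findings.append(Finding(n, "service has no owner/company string", line))
            elif owner == "Unknown owner" and any(p in path_low for p in PROFILE_MARKERS):
                findings.append(Finding(n, "service with unknown owner runs from a user profile", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.lineno:2d}: {f.rule}\n          {f.line}")
```

Two caveats the output does not spell out. The O10 hits are the ones that bite during cleanup: in the posted log ggt.dll is registered 31 times in the Winsock catalog, so deleting the file without repairing the chain leaves the machine unable to open sockets; on XP SP2 `netsh winsock reset` rebuilds the catalog. The O20 hits matter because Winlogon Notify DLLs are loaded by winlogon.exe at logon, Safe Mode included, which is one reason scans run from a user session keep losing to this kind of infection.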

#2 DaveIs. (Topic Starter)

Posted 15 April 2007 - 02:07 AM

Update.... I phoned my boss asking if there was anything he needed on the PC. He said not really, so I just wiped it. It had the usual build-up of crap in it anyway.

Thanks anyway,
Dave

#3 KoanYorel (Bleepin' Conundrum; Staff Emeritus, 19,461 posts; Location: 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 15 April 2007 - 08:29 AM

Hi Dave,
Sorry to hear you had to wipe the system, but it's probably for the best.
Thanks for telling us what you did do.

This topic is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
