Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infostealer, System Docor & Trojan.vundo


  • This topic is locked This topic is locked
1 reply to this topic

#1 Alwin666

Alwin666

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 25 May 2007 - 05:28 AM

Hi There

I recently downloaded some shareware as a rar file witch instantly launched several viruses on my Windows XP machine.
At the time there were all picked up by Norton but not deleted, I now have the problem of pop-ups and my machine has
Dramatically slowed down. The sites the pop-ups relate to are WINANTIVIRUS, SYSSTEM DOCTOR and several debt Sites.
Norton continually picks up such viruses as INFOSTEALER, TROJAN.VUNDO & WINFIXER and says they have been
blocked but keep getting the pop-ups even though iexplorer isnít even open!

I have Tried AD-Ware, AVG Free, SpyBot, CCleaner, Rouge Remover & I have even tried to remove it with Norton in SafeMode.

I have downloaded Hijack this and produced a log Could someone please have a look at it for me.

Many Thanks in Advance


Please see below Hijack this log

StartupList report, 25/05/2007, 09:43:18
StartupList version: 1.52.2
Started from : C:\Hijack this\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Hornet\MntrHrnt.exe
C:\Program Files\Canon\GAROStatusMonitor\cnwida.exe
C:\Program Files\SoftiFTP\Softiftp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Apps\EZHome\EZStatus.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Hijack this\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[D:\Documents and Settings\SCI\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common Startup:
[D:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
GARO Status Monitor.lnk = C:\Program Files\Canon\GAROStatusMonitor\cnwism.exe
OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
ehTray = C:\WINDOWS\ehome\ehtray.exe
High Definition Audio Property Page Shortcut = HDAShCut.exe
AzMixerSel = C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
RTHDCPL = RTHDCPL.EXE
Alcmtr = ALCMTR.EXE
ATIPTA = "C:\ATI Technologies\ATI Control Panel\atiptaxx.exe"
Ulead AutoDetector v2 = C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
DataLayer = C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
PCSuiteTrayApplication = C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Adobe Version Cue CS2 = "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
(Default) =
ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
HornetMonitor = C:\Program Files\Common Files\Hornet\MntrHrnt.exe
CnwiDeviceAgent = C:\Program Files\Canon\GAROStatusMonitor\cnwida.exe
Softi FTP Server = C:\Program Files\SoftiFTP\Softiftp.exe
PWRISOVM.EXE = C:\Program Files\PowerISO\PWRISOVM.EXE
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "C:\Program Files\Norton Internet Security\osCheck.exe"
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
setup = rundll32.exe "C:\WINDOWS\system32\cpyaqvqk.dll",realset

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

EzStatus = C:\Apps\EZHome\EZStatus.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Data Secure = C:\APPS\DATASEC\PBBckupUI.exe /HIDDEN
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
PcSync = C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
updateMgr = C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
Veoh = "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
(Default) =

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton Internet Security - Run Full System Scan - SCI.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Shockwave 10\Download.dll
CODEBASE = http://fpdownload.macromedia.com/get/shock...director/sw.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 9,403 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:30 AM

Posted 25 May 2007 - 06:15 AM

Already replied here: http://www.bleepingcomputer.com/forums/t/93464/help-with-hijack-this-infostealer-amongst-others/
Not sure why you started a new thread while you already had one open.
This thread is closed.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users