Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

malware help.


Post by jeff1962 » March 22nd, 2008, 11:34 am

My computer has a blue screen with yellow letters stating "Warning spyware threat has been detected on your pc". Can anyone help me with this annoying problem? Thank you. Jeff. Attached is the HijackThis logfile. Thanks again.
Scan saved at 7:30:36 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\fupwjopo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\ajbwfehf.exe
C:\Program Files\tmp0.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alpha Clock\aclock.exe
C:\Program Files\tmp1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\tmp2.exe
C:\Program Files\tmp3.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: GNX Rolex - {2899EA9F-F4E4-4B4B-8ECB-6AB7B33679CB} - C:\WINDOWS\drnpfdxwso.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [ajbwfehf] C:\WINDOWS\system32\ajbwfehf.exe
O4 - HKLM\..\Run: [bezqyosq] C:\WINDOWS\system32\bezqyosq.exe
O4 - HKLM\..\Run: [ujfyfsmi] C:\WINDOWS\system32\ujfyfsmi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Download] "C:\Program Files\Support.com\bin\DDGet.exe" 120 "http://media2.comcast.net/anon.comcastonline2/support/comcastsupport/DesktopDoctor1.0.exe" "DesktopDoctor1.0.exe"
O4 - HKCU\..\Run: [Alpha Clock] C:\Program Files\Alpha Clock\aclock.exe
O4 - HKLM\..\Policies\Explorer\Run: [kPb0x3dZRN] C:\WINDOWS\fupwjopo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {07CA94A8-5316-48A3-93AA-9DB4D383249F} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {12848A7B-53D0-47AD-BDBB-E21BBBFCACCE} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {D8623F39-2610-41FD-A2CA-BCC8B8E549C3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O21 - SSODL: PrxVolume - {08b1a78c-61a6-4ff7-a4c4-273475d6cb73} - C:\WINDOWS\Installer\{08b1a78c-61a6-4ff7-a4c4-273475d6cb73}\PrxVolume.dll
O21 - SSODL: zip - {03a054a3-99ce-458c-a79a-14a0b81b4c0e} - C:\WINDOWS\Installer\{03a054a3-99ce-458c-a79a-14a0b81b4c0e}\zip.dll
O21 - SSODL: bokpkov - {AA4AE110-AA0B-4BDE-9849-4BF971A78341} - C:\WINDOWS\bokpkov.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8692 bytes
jeff1962
Active Member
 
Posts: 11
Joined: March 22nd, 2008, 10:57 am

Re: malware help.

Post by mjq424 » March 24th, 2008, 2:28 pm

Hello, and welcome to Malware Removal Forums.
My name is Matt and I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log and I will post back recommendations for repairs.
As I am still in training, everything that I post to you must be checked by a Teacher. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you! Not having symptoms of malware doesn't mean that you are clean!
  • Please do not carry out tasks on your own before I reply, as this will only complicate things and may mean that my instructions are useless or dangerous!
  • Please bookmark or favourite this page in case you need it for reference.
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: malware help.

Post by mjq424 » March 24th, 2008, 5:01 pm

Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK

Re: malware help.

Post by jeff1962 » March 24th, 2008, 11:19 pm

Thank you for all your help. Here is what you asked for. Jeff
SDFix: Version 1.160

Run by Jeff on Mon 03/24/2008 at 06:43 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{08b1a78c-61a6-4ff7-a4c4-273475d6cb73}\PrxVolume.dll - Deleted
C:\WINDOWS\Installer\{03a054a3-99ce-458c-a79a-14a0b81b4c0e}\zip.dll - Deleted
C:\WINDOWS\drnpfdxwso.dll - Deleted
C:\Program Files\antiviirus.exe - Deleted
C:\Program Files\tmp0.exe - Deleted
C:\Program Files\tmp1.exe - Deleted
C:\Program Files\tmp2.exe - Deleted
C:\Program Files\tmp3.exe - Deleted
C:\WINDOWS\altvxvm.dll - Deleted
C:\WINDOWS\bokpkov.dll - Deleted
C:\WINDOWS\etlrlws.dll - Deleted
C:\WINDOWS\fmsxwqs.exe - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted
C:\WINDOWS\rs.txt - Deleted



Folder C:\WINDOWS\Installer\{08b1a78c-61a6-4ff7-a4c4-273475d6cb73} - Removed
Folder C:\WINDOWS\Installer\{03a054a3-99ce-458c-a79a-14a0b81b4c0e} - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 18:51:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\full-webauth.sql.bin 7587403 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\Identifiers.xml.bin 929700 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\Indicators.xml.bin 74555 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\PopularSites.xml.bin 8177 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\Redirectors.xml.bin 47431 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\Resources.xml.bin 556 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\SafeList.xml.bin 588388 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\SearchServices.xml.bin 20719 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\Throttle.xml.bin 454 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\TrustedDomains.xml.bin 262047 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\URLAnalysis.xml.bin 568756 bytes
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080222.001\WebHostingSites.xml.bin 29070 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 12


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"="C:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe:*:Enabled:WolfMP"
"C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"="C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe:*:Enabled:EchoLink"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Netscape\\Netscape Browser\\netscape.exe"="C:\\Program Files\\Netscape\\Netscape Browser\\netscape.exe:*:Enabled:Netscape"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 23 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 19 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 3 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 9 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu 23 Mar 2006 488 A.SH. --- "C:\Documents and Settings\Jeff\My Documents\My Music\License Backup\drmv2key.bak"

Finished!


Scan saved at 7:17:59 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ajbwfehf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alpha Clock\aclock.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ajbwfehf] C:\WINDOWS\system32\ajbwfehf.exe
O4 - HKLM\..\Run: [bezqyosq] C:\WINDOWS\system32\bezqyosq.exe
O4 - HKLM\..\Run: [ujfyfsmi] C:\WINDOWS\system32\ujfyfsmi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Download] "C:\Program Files\Support.com\bin\DDGet.exe" 120 "http://media2.comcast.net/anon.comcastonline2/support/comcastsupport/DesktopDoctor1.0.exe" "DesktopDoctor1.0.exe"
O4 - HKCU\..\Run: [Alpha Clock] C:\Program Files\Alpha Clock\aclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {07CA94A8-5316-48A3-93AA-9DB4D383249F} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {12848A7B-53D0-47AD-BDBB-E21BBBFCACCE} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {D8623F39-2610-41FD-A2CA-BCC8B8E549C3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7563 bytes
jeff1962
Active Member
 
Posts: 11
Joined: March 22nd, 2008, 10:57 am

Re: malware help.

Post by mjq424 » March 25th, 2008, 8:52 am

Hi
Well, that has cleaned some of the infection; there are still some bits left to deal with though.

Now we need to stop some running processes, which I have in the quote below, using HJT.
C:\WINDOWS\system32\ajbwfehf.exe

HOW TO STOP RUNNING PROCESSES USING HJT
  • Open HijackThis.
  • Click on the Config button and then click on the Misc Tools button. You should now see a new screen with one of the buttons being Open Process Manager.
  • Click on the Process Manager button. Now you are able to view all running processes on your computer.
  • Click once on a process to select it, and then click on the Kill Process button. This will attempt to end the process running on your computer.
  • If you would like to terminate multiple processes at the same time, press and hold down the control key on your keyboard. While that key is pressed, click once on each process that you want to be terminated. As long as you hold down the control button while selecting the additional processes, you will be able to select multiple processes at one time. When you have selected all the processes you would like to terminate you would then press the Kill Process button.
  • To exit the process manager you need to click on the back button twice, which will place you at the main screen.
  • Close HijackThis now.

Upload a File to Virustotal
Please visit Virustotal
  • Copy and Paste the following quotebox into the submit a file box:
    C:\WINDOWS\system32\ajbwfehf.exe
  • Click the Send button
  • Repeat this for the following files as well:
    C:\WINDOWS\system32\bezqyosq.exe
    C:\WINDOWS\system32\ujfyfsmi.exe
  • Copy and paste the results back here please.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    C:\WINDOWS\system32\ajbwfehf.exe
    C:\WINDOWS\system32\bezqyosq.exe
    C:\WINDOWS\system32\ujfyfsmi.exe

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ajbwfehf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\bezqyosq
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ujfyfsmi
    

  • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java(TM) SE Runtime Environment 6u5.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
mjq424
Regular Member
 
Posts: 1502
Joined: April 14th, 2007, 10:20 am
Location: UK
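The triage that produces a list like the one above (three random-named files in system32, a DLL dropped straight into C:\WINDOWS, SSODL entries under C:\WINDOWS\Installer) is something a helper does by eye. As an added example, not code from this thread, from HijackThis, SDFix or OTMoveIt, and not the helper's own method, the Python script below scores HJT log lines with a handful of such heuristics. The rules and their weights, the tiny allowlist of core XP binaries, and the sample lines (copied from the first log in this thread) are all the author's assumptions:

```python
"""Score HijackThis (HJT) log lines for the signs a helper looks for.

Added example for this thread: it is not HijackThis, SDFix or OTMoveIt code
and not the helper's own method.  The rules and weights are the author's
heuristics (assumptions), not a HijackThis feature.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the first HJT log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\fupwjopo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\tmp0.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {2899EA9F-F4E4-4B4B-8ECB-6AB7B33679CB} - C:\WINDOWS\drnpfdxwso.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [ajbwfehf] C:\WINDOWS\system32\ajbwfehf.exe
O4 - HKLM\..\Run: [bezqyosq] C:\WINDOWS\system32\bezqyosq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [kPb0x3dZRN] C:\WINDOWS\fupwjopo.exe
O21 - SSODL: PrxVolume - {08b1a78c-61a6-4ff7-a4c4-273475d6cb73} - C:\WINDOWS\Installer\{08b1a78c-61a6-4ff7-a4c4-273475d6cb73}\PrxVolume.dll
O21 - SSODL: bokpkov - {AA4AE110-AA0B-4BDE-9849-4BF971A78341} - C:\WINDOWS\bokpkov.dll
"""

PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n,]*?\.(?:exe|dll))', re.I)
VALUE_RE = re.compile(r"\[([^\]]+)\]")            # [value name] of an O4 entry
DROP_DIRS = {r"c:\windows", r"c:\program files"}  # roots that droppers favour
SYSTEM32 = r"c:\windows\system32"
# Core XP binaries that legitimately sit in %WINDIR% or system32.  Assumption:
# a deliberately tiny allowlist; real triage compares against a full baseline.
KNOWN_GOOD = {"explorer.exe", "svchost.exe", "ctfmon.exe", "spoolsv.exe",
              "winlogon.exe", "services.exe", "lsass.exe", "smss.exe"}
VOWELS = set("aeiou")


def looks_random(stem):
    """Heuristic for machine-generated names such as 'ajbwfehf': at least 7
    lowercase letters that are vowel-starved or carry a 4+ consonant run."""
    if len(stem) < 7 or not stem.isalpha() or not stem.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max(len(run) for run in re.split(r"[aeiou]", stem))
    return vowel_ratio <= 0.3 or longest_run >= 4


def score_line(line):
    """Return (score, reasons, path) for one HJT line; 2 or more is worth a look."""
    match = PATH_RE.search(line)
    if not match:
        return 0, [], None
    path = PureWindowsPath(match.group(1))
    name, stem = path.name.lower(), path.stem
    parent = str(path.parent).lower()
    if name in KNOWN_GOOD and parent in DROP_DIRS | {SYSTEM32}:
        return 0, ["known Windows binary"], str(path)
    score, reasons = 0, []
    if parent in DROP_DIRS:                      # file dropped in a root dir
        score += 2
        reasons.append(f"sits directly in {parent}")
    if looks_random(stem):
        score += 1
        reasons.append("random-looking name")
    value = VALUE_RE.search(line)
    if value and value.group(1) == stem:         # [ajbwfehf] ajbwfehf.exe
        score += 1
        reasons.append("Run value named after the file")
    if r"\policies\explorer\run" in line.lower():  # rarely used legitimately
        score += 1
        reasons.append("Policies\\Explorer\\Run autostart")
    if line.startswith("O21") and parent != SYSTEM32:  # SSODL persistence
        score += 2
        reasons.append("ShellServiceObjectDelayLoad outside system32")
    return score, reasons, str(path)


def triage(log_text, threshold=2):
    """Return flagged entries as (score, path, reasons), highest score first,
    keeping the best score when the same file shows up on several lines."""
    best = {}
    for raw in log_text.splitlines():
        score, reasons, path = score_line(raw.strip())
        if path is None or score < threshold:
            continue
        if path not in best or score > best[path][0]:
            best[path] = (score, reasons)
    return sorted(((s, p, r) for p, (s, r) in best.items()),
                  key=lambda hit: (-hit[0], hit[1].lower()))


if __name__ == "__main__":
    for score, path, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {path}  <- {', '.join(reasons)}")
```

On the sample it flags bokpkov.dll, the Installer\{GUID} SSODL entry, fupwjopo.exe, tmp0.exe, antiviirus.exe and the three system32 files the helper named, while svchost.exe, ctfmon.exe, Explorer.EXE and the Symantec components stay below the threshold. The rules are only a starting point: a random-looking name is neither necessary (tmp0.exe, antiviirus.exe) nor sufficient (symlcsvc.exe is a genuine Symantec component and scores 1), which is why the helper has the system32 files checked at VirusTotal before they are removed.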

Re: malware help.

Post by jeff1962 » March 25th, 2008, 10:13 pm

C:\WINDOWS\system32\ajbwfehf.exe moved successfully.
C:\WINDOWS\system32\bezqyosq.exe moved successfully.
C:\WINDOWS\system32\ujfyfsmi.exe moved successfully.
[Custom Input]
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ajbwfehf >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ajbwfehf deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\bezqyosq >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\bezqyosq deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ujfyfsmi >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ujfyfsmi deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03252008_180900

File ajbwfehf.exe received on 03.26.2008 02:03:24 (CET)
Result: 15/32 (46.88%)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.25 -
AntiVir 7.6.0.75 2008.03.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.25 -
AVG 7.5.0.516 2008.03.25 Downloader.Zlob.VKB
BitDefender 7.2 2008.03.26 Trojan.Agent.AHNG
CAT-QuickHeal 9.50 2008.03.24 Backdoor.Agent.fxo
ClamAV 0.92.1 2008.03.25 -
DrWeb 4.44.0.09170 2008.03.25 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5643 2008.03.25 -
Ewido 4.0 2008.03.25 -
F-Prot 4.4.2.54 2008.03.25 -
F-Secure 6.70.13260.0 2008.03.25 Backdoor.Win32.Agent.fxo
FileAdvisor 1 2008.03.26 -
Fortinet 3.14.0.0 2008.03.26 W32/Agent.FXO!tr.bdr
Ikarus T3.1.1.20 2008.03.26 Backdoor.Win32.Agent.fxo
Kaspersky 7.0.0.125 2008.03.26 Backdoor.Win32.Agent.fxo
McAfee 5259 2008.03.25 Puper
Microsoft 1.3301 2008.03.26 Trojan:Win32/Agent.AEA
NOD32v2 2972 2008.03.26 -
Norman 5.80.02 2008.03.25 W32/Smalltroj.DNGD
Panda 9.0.0.4 2008.03.25 -
Prevx1 V2 2008.03.26 Covert.Sys.Exec
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.25 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.26 Trojan.LinkOptimizer
TheHacker 6.2.92.254 2008.03.25 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.25 -
Webwasher-Gateway 6.6.2 2008.03.25 Trojan.Crypt.XPACK.Gen
Additional information
File size: 90112 bytes
MD5: 215259fa2ac7118ecda3c8282cbdfc2a
SHA1: 1dee0590df135ea0992c4f97997183a512faf32d
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext. ... 00063BC41B

File bezqyosq.exe received on 03.26.2008 02:17:27 (CET)
Result: 15/32 (46.88%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.25 -
AntiVir 7.6.0.75 2008.03.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.25 -
AVG 7.5.0.516 2008.03.25 Downloader.Zlob.VKB
BitDefender 7.2 2008.03.26 Trojan.Agent.AHNG
CAT-QuickHeal 9.50 2008.03.24 Backdoor.Agent.fxo
ClamAV 0.92.1 2008.03.25 -
DrWeb 4.44.0.09170 2008.03.25 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5643 2008.03.25 -
Ewido 4.0 2008.03.25 -
F-Prot 4.4.2.54 2008.03.25 -
F-Secure 6.70.13260.0 2008.03.26 Backdoor.Win32.Agent.fxo
FileAdvisor 1 2008.03.26 -
Fortinet 3.14.0.0 2008.03.26 W32/Agent.FXO!tr.bdr
Ikarus T3.1.1.20 2008.03.26 Backdoor.Win32.Agent.fxo
Kaspersky 7.0.0.125 2008.03.26 Backdoor.Win32.Agent.fxo
McAfee 5259 2008.03.25 Puper
Microsoft 1.3301 2008.03.26 Trojan:Win32/Agent.AEA
NOD32v2 2972 2008.03.26 -
Norman 5.80.02 2008.03.25 W32/Smalltroj.DNGD
Panda 9.0.0.4 2008.03.25 -
Prevx1 V2 2008.03.26 Covert.Sys.Exec
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.25 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.26 Trojan.LinkOptimizer
TheHacker 6.2.92.255 2008.03.26 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.25 -
Webwasher-Gateway 6.6.2 2008.03.25 Trojan.Crypt.XPACK.Gen
Additional information
File size: 90112 bytes
MD5: 215259fa2ac7118ecda3c8282cbdfc2a
SHA1: 1dee0590df135ea0992c4f97997183a512faf32d
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext. ... 00063BC41B

File ujfyfsmi.exe received on 03.26.2008 02:36:39 (CET)
Result: 15/32 (46.88%)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.25 -
AntiVir 7.6.0.75 2008.03.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.25 -
AVG 7.5.0.516 2008.03.25 Downloader.Zlob.VKB
BitDefender 7.2 2008.03.26 Trojan.Agent.AHNG
CAT-QuickHeal 9.50 2008.03.24 Backdoor.Agent.fxo
ClamAV 0.92.1 2008.03.25 -
DrWeb 4.44.0.09170 2008.03.25 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5643 2008.03.25 -
Ewido 4.0 2008.03.25 -
F-Prot 4.4.2.54 2008.03.25 -
F-Secure 6.70.13260.0 2008.03.26 Backdoor.Win32.Agent.fxo
FileAdvisor 1 2008.03.26 -
Fortinet 3.14.0.0 2008.03.26 W32/Agent.FXO!tr.bdr
Ikarus T3.1.1.20 2008.03.26 Backdoor.Win32.Agent.fxo
Kaspersky 7.0.0.125 2008.03.26 Backdoor.Win32.Agent.fxo
McAfee 5259 2008.03.25 Puper
Microsoft 1.3301 2008.03.26 Trojan:Win32/Agent.AEA
NOD32v2 2972 2008.03.26 -
Norman 5.80.02 2008.03.25 W32/Smalltroj.DNGD
Panda 9.0.0.4 2008.03.25 -
Prevx1 V2 2008.03.26 Covert.Sys.Exec
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.25 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.26 Trojan.LinkOptimizer
TheHacker 6.2.92.255 2008.03.26 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.25 -
Webwasher-Gateway 6.6.2 2008.03.25 Trojan.Crypt.XPACK.Gen
Additional information
File size: 90112 bytes
MD5: 215259fa2ac7118ecda3c8282cbdfc2a
SHA1: 1dee0590df135ea0992c4f97997183a512faf32d
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext. ... 00063BC41B
jeff1962
Active Member
 
Posts: 11
Joined: March 22nd, 2008, 10:57 am
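The three VirusTotal reports above, run through an added Python script that is not part of this thread: it parses the pasted result blocks, recomputes the 15/32 detection count, and groups the files by SHA1, which shows that ajbwfehf.exe, bezqyosq.exe and ujfyfsmi.exe are one identical binary dropped under random names. The sample is the first report as posted; the other two are constructed from it by renaming, since the posted copies differ only in file name, timestamp and a few engine update dates.

```python
import re

# Constructed sample: the first VirusTotal report pasted in the thread (ajbwfehf.exe),
# with the page-viewer residue stripped. The other two reports are derived from it below.
VT_REPORT_AJBWFEHF = """File ajbwfehf.exe received on 03.26.2008 02:03:24 (CET)
Result: 15/32 (46.88%)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.26.0 2008.03.25 -
AntiVir 7.6.0.75 2008.03.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.26 -
Avast 4.7.1098.0 2008.03.25 -
AVG 7.5.0.516 2008.03.25 Downloader.Zlob.VKB
BitDefender 7.2 2008.03.26 Trojan.Agent.AHNG
CAT-QuickHeal 9.50 2008.03.24 Backdoor.Agent.fxo
ClamAV 0.92.1 2008.03.25 -
DrWeb 4.44.0.09170 2008.03.25 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5643 2008.03.25 -
Ewido 4.0 2008.03.25 -
F-Prot 4.4.2.54 2008.03.25 -
F-Secure 6.70.13260.0 2008.03.25 Backdoor.Win32.Agent.fxo
FileAdvisor 1 2008.03.26 -
Fortinet 3.14.0.0 2008.03.26 W32/Agent.FXO!tr.bdr
Ikarus T3.1.1.20 2008.03.26 Backdoor.Win32.Agent.fxo
Kaspersky 7.0.0.125 2008.03.26 Backdoor.Win32.Agent.fxo
McAfee 5259 2008.03.25 Puper
Microsoft 1.3301 2008.03.26 Trojan:Win32/Agent.AEA
NOD32v2 2972 2008.03.26 -
Norman 5.80.02 2008.03.25 W32/Smalltroj.DNGD
Panda 9.0.0.4 2008.03.25 -
Prevx1 V2 2008.03.26 Covert.Sys.Exec
Rising 20.37.02.00 2008.03.24 -
Sophos 4.27.0 2008.03.25 Mal/Generic-A
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.26 Trojan.LinkOptimizer
TheHacker 6.2.92.254 2008.03.25 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.25 -
Webwasher-Gateway 6.6.2 2008.03.25 Trojan.Crypt.XPACK.Gen
Additional information
File size: 90112 bytes
MD5: 215259fa2ac7118ecda3c8282cbdfc2a
SHA1: 1dee0590df135ea0992c4f97997183a512faf32d
"""

# The thread's paste is the three reports back to back; the posted copies differ only
# in file name, timestamp and a few engine update dates, so rename the first one.
VT_PASTE = "".join(
    VT_REPORT_AJBWFEHF.replace("ajbwfehf.exe", name)
    for name in ("ajbwfehf.exe", "bezqyosq.exe", "ujfyfsmi.exe")
)

HEADER_RE = re.compile(r"^File (\S+) received on (.+)$")
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")  # engine version updated verdict
HASH_RE = re.compile(r"^(MD5|SHA1): ([0-9a-f]+)$")

def parse_vt_reports(text):
    """Split a pasted VirusTotal page into one dict per 'File ... received' block."""
    reports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            current = {"file": m.group(1), "received": m.group(2), "engines": {}, "hashes": {}}
            reports.append(current)
        elif current is None:
            continue  # viewer residue before the first report header
        elif m := ROW_RE.match(line):
            current["engines"][m.group(1)] = None if m.group(4) == "-" else m.group(4)  # '-' = clean
        elif m := HASH_RE.match(line):
            current["hashes"][m.group(1)] = m.group(2)
    return reports

def detection_ratio(report):
    """(hits, engines) as VirusTotal prints it in the 'Result:' line."""
    hits = sum(1 for v in report["engines"].values() if v is not None)
    return hits, len(report["engines"])

def group_by_sha1(reports):
    """SHA1 -> sorted file names; one hash under several names is one binary, not three."""
    groups = {}
    for r in reports:
        groups.setdefault(r["hashes"]["SHA1"], []).append(r["file"])
    return {h: sorted(names) for h, names in groups.items()}

if __name__ == "__main__":
    parsed = parse_vt_reports(VT_PASTE)
    print({r["file"]: detection_ratio(r) for r in parsed})
    print(group_by_sha1(parsed))
```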

Re: malware help.

Unread postby mjq424 » March 26th, 2008, 9:27 am

Hi
How is your PC behaving now?

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

Re: malware help.

Unread postby jeff1962 » March 27th, 2008, 8:07 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:26 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alpha Clock\aclock.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Documents and Settings\Jeff\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Download] "C:\Program Files\Support.com\bin\DDGet.exe" 120 "http://media2.comcast.net/anon.comcastonline2/support/comcastsupport/DesktopDoctor1.0.exe" "DesktopDoctor1.0.exe"
O4 - HKCU\..\Run: [Alpha Clock] C:\Program Files\Alpha Clock\aclock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {07CA94A8-5316-48A3-93AA-9DB4D383249F} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {12848A7B-53D0-47AD-BDBB-E21BBBFCACCE} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {D8623F39-2610-41FD-A2CA-BCC8B8E549C3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7662 bytes

Re: malware help.

Unread postby mjq424 » March 27th, 2008, 8:47 am

Hi
Can I see the Malwarebytes' log please? It is located here:
C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Re: malware help.

Unread postby jeff1962 » March 27th, 2008, 7:37 pm

Sorry...
Malwarebytes' Anti-Malware 1.09
Database version: 552

Scan type: Full Scan (C:\|)
Objects scanned: 85615
Time elapsed: 26 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1} (Rogue.WinFixer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1} (Rogue.WinFixer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\The Weather Channel FW (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\1UF0772Q\2676hpizgyyc[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fupwjopo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\03252008_180900\WINDOWS\system32\ajbwfehf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\03252008_180900\WINDOWS\system32\bezqyosq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\03252008_180900\WINDOWS\system32\ujfyfsmi.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.

Re: malware help.

Unread postby mjq424 » March 29th, 2008, 6:20 am

Hi
Thanks. That cleaned up some stuff!

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
  • Double-click OTMoveIt2.exe to launch it.
  • Click on the CleanUp! button.
  • OTMoveIt will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
  • You will be prompted to allow the clean-up procedure; click Yes.
  • When finished, exit out of OTMoveIt2.
  • Now delete OTMoveIt2.exe (if still present).

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - If you are using Windows ME/XP/Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    Reset System Restore.
    Now you should disable System Restore to purge any infected files and then re-enable it.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer

    Turn ON System Restore

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Un-Check Turn off System Restore.
    Click Apply, and then click OK.
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Update your Anti Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
  4. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  6. Install WinPatrol - Download and install Winpatrol by BillP Studios.
    This program can monitor what software starts with Windows. You can delay startup for some programs and stop malicious programs from starting up. It can also view some hidden files.
    Download it from here
  7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with your anti-virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D
  8. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  9. Install ThreatFire - Download and install ThreatFire. This program defends against malware by detecting certain malicious behaviours. It is configured "out-of-the-box" and acts as a complement to your Antivirus software. It can be downloaded here:
    PC Tools ThreatFire
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Re: malware help.

Unread postby jeff1962 » March 31st, 2008, 6:54 pm

Thank you Matt for all your help.. Jeff

Re: malware help.

Unread postby mjq424 » April 1st, 2008, 5:17 am

No problem, glad I could help :)

Re: malware help.

Unread postby Simon V. » April 4th, 2008, 8:55 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the username used. If the username does not match the one in the thread linked, the email will be deleted.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium