Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hijack this log 03 07 09

Unread postby btw9052 » March 6th, 2009, 11:31 am

Please help with this Trend Micro log. I have been getting a lot of unresponsive programs, and Internet Explorer pops open for no reason. Scans by Spybot cannot complete. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:16 AM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\W32MKDE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.23.128:8181
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {810238db-0ad4-4123-962a-14d8c803c961} - C:\WINDOWS\system32\satukivu.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [809d5726] rundll32.exe "C:\WINDOWS\system32\yubiwojo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\Blaine\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [ranejubiva] Rundll32.exe "C:\WINDOWS\system32\ripagupa.dll",s
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\Blaine\LOCALS~1\Temp\fymvah.dll",run
O4 - HKCU\..\Run: [CPM83ae64ba] Rundll32.exe "C:\WINDOWS\system32\mizuyoha.dll",a
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BGI.net
O17 - HKLM\Software\..\Telephony: DomainName = BGI.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{99FE86B7-DD98-4EA3-831F-70CAEA8716E4}: NameServer = 192.168.23.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BGI.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BGI.net
O23 - Service: Primavera Background Agent (PrmBackAgent) - Unknown owner - C:\Program Files\Common Files\Primavera Common\BackgroundAgent\PrmBackgroundAgent.exe
O23 - Service: Xerox® scanner service (Slave) - Xerox® - C:\WINDOWS\Slave.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 4007 bytes
btw9052
Active Member
 
Posts: 1
Joined: March 6th, 2009, 11:26 am

Re: Hijack this log 03 07 09

Unread postby MikeSwim07 » March 7th, 2009, 10:34 am

Hello, and welcome to the Malware Removal forums.
My name is Michael. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 5 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Thanks, Michael
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Hijack this log 03 07 09

Unread postby MikeSwim07 » March 11th, 2009, 7:16 pm

Hello btw9052,

Is this a business computer? Do you know what the domain BGI.net is?

Heavily Infected

Your computer is heavily infected. Although we have many tools available to help clean computers of infections, your computer is so heavily infected that it is impossible for me to be sure that there are not any infections left lurking around at the end of the cleaning process. Even if we get all of the infections off of your computer, it may never run as well as it did before. Malware can sometimes mess up many Windows settings and can cause some programs to not work properly.

You also have signs of some very dangerous backdoor infections which can steal personal information. If indeed this is a business computer, your whole network could be infected. I am not offering you the choice to clean this computer because there are some very serious infections on this computer.

Therefore, you need to reformat and reinstall your computer. You may be thinking about how your files will be lost. This is not necessarily the case. Free backup software is available so that you can burn your files to disks so that you can restore them once you reinstall your operating system. You can also buy a backup hard-drive or a portable hard-drive to store your backups.

I recommend that you read the following website,

When Should I Format, How Should I Reinstall

You can also read this link about free backup software. Even if you don't want to reformat, it is always important that you keep backups.

Best Free Backup Software

It is also very important that you install an Anti-Virus once you reformat and reinstall your computer (or the entire network). I notice that in your previous log, you did not have an Anti-Virus installed. This is very dangerous. Without this protection you may not know if you are infected.

Here are some free Anti-Virus programs.

Avast
Avira
AVG Free

Please note: Most of these free Anti-Virus programs are for personal use only. So if you are on a network, it would be illegal to use them.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
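
The following is an added example, not part of any post in this thread and not the helper's own method: a small Python triage pass over HijackThis entry lines, using sample lines copied from the log in the first post. The heuristics (autoruns launched from a Temp folder or through rundll32, a BHO with no name, a configured proxy) and the names `parse` and `triage` are assumptions chosen for illustration; a match means the entry is worth a closer look, not that it is confirmed malicious.

```python
import re

# Sample lines copied from the HijackThis log posted at the top of this thread.
SAMPLE = r'''
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.23.128:8181
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {810238db-0ad4-4123-962a-14d8c803c961} - C:\WINDOWS\system32\satukivu.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [809d5726] rundll32.exe "C:\WINDOWS\system32\yubiwojo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\Blaine\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\Blaine\LOCALS~1\Temp\fymvah.dll",run
'''

# "<section code> - <rest of line>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse(text):
    """Yield (code, body) for each HijackThis entry line such as 'O4 - ...'."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(text):
    """Return [(code, body, reasons)] for entries matching the heuristics."""
    findings = []
    for code, body in parse(text):
        reasons = []
        run = RUN.match(body) if code == "O4" else None
        if run:
            cmd = run["cmd"].lower()
            if "\\temp\\" in cmd:  # assumption: autoruns rarely live in Temp
                reasons.append("autorun from Temp")
            if re.match(r"rundll32(\.exe)?\s", cmd):
                reasons.append("autorun via rundll32")
        elif code == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        elif code == "R1" and "ProxyServer" in body:
            reasons.append("proxy configured")
        if reasons:
            findings.append((code, body, reasons))
    return findings

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE):
        print(f"{code}: {', '.join(reasons)} :: {body}")
```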

Re: Hijack this log 03 07 09

Unread postby MikeSwim07 » March 15th, 2009, 7:56 am

Do you still need help?
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Hijack this log 03 07 09

Unread postby NonSuch » March 18th, 2009, 4:13 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California